sorry, you're right, I wasn't too clear on the issue :-)
The thing is, I can't get rid of the problem at the source, because I don't own the computers on the LAN, I am merely the ISP. The computers belong to the users, and I can't really go about installing spybot, adaware, etc. on all of them (about ~250), as this would involve barging into hundreds of apartments.
The other issue is that I can't pinpoint which computers are scanning the network, because all the packets come with false IP addresses and false MAC addresses. Both of these usually match the IP and MAC of perfectly innocent users on my LAN. What I do on my router is I have a file called /etc/ethers, where I enter each IP on my network alongside its correct MAC address. Then I run
That way, only computers with correct IP/MAC pairs will get their packets routed.
Now, when I need to disconnect a user, I substitute his MAC for the number "0" in /etc/ethers. I cannot do so with users who are pumping blaster or sasser, since this would only disconnect innocent users and the villains would still be sending packets.
I wouldn't mind their sending packets (they're dropped by my firewall anyway) if it weren't for the fact that this fills up my /proc/net/ip_conntrack. After a while, I get the error message:
Code:
ip_conntrack: table full, dropping packet
This starts slowly, but after a couple of hours or days, the connections generated by the trojans take precedence, and the router starts dropping packets from legitimate users.
Hence my question:
a) is there any way that I can pinpoint who is generating the packets? (the IP and MAC are false, so no luck there)
or if that is not possible
b) is there any way that I can keep the bogus connections generated by the worms from filling up my ip_conntrack? (eg. by having the kernel clear the ip_conntrack once in a while without having to restart the router?)
thanks, hope it's clear this time :-)
arthur
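Added example, not part of arthur's post: a small sh/awk helper that summarises a conntrack dump by destination port and counts half-open [UNREPLIED] entries, the footprint that worm scans leave in the table even when the source IP/MAC is spoofed. It assumes the classic /proc/net/ip_conntrack line format, that Blaster probes 135/tcp and Sasser 445/tcp, and that the kernel has the iptables raw table with the NOTRACK target (the sample lines are constructed).

```shell
#!/bin/sh
# Added example (not from the original post). A scanning worm leaves many
# SYN_SENT entries marked [UNREPLIED], all aimed at one port, each at a
# different destination. Counting them per dport shows which service is
# being hammered (assumption: Blaster -> 135/tcp, Sasser -> 445/tcp).
# Constructed sample in the old /proc/net/ip_conntrack format:
SAMPLE='tcp      6 117 SYN_SENT src=10.1.0.23 dst=10.1.0.40 sport=1088 dport=135 [UNREPLIED] src=10.1.0.40 dst=10.1.0.23 sport=135 dport=1088 use=1
tcp      6 118 SYN_SENT src=10.1.0.23 dst=10.1.0.41 sport=1089 dport=135 [UNREPLIED] src=10.1.0.41 dst=10.1.0.23 sport=135 dport=1089 use=1
tcp      6 431999 ESTABLISHED src=10.1.0.7 dst=203.0.113.9 sport=3201 dport=80 src=203.0.113.9 dst=10.1.0.7 sport=80 dport=3201 [ASSURED] use=1
tcp      6 119 SYN_SENT src=10.1.0.88 dst=10.1.0.42 sport=2001 dport=445 [UNREPLIED] src=10.1.0.42 dst=10.1.0.88 sport=445 dport=2001 use=1
udp      17 29 src=10.1.0.7 dst=10.1.0.1 sport=1025 dport=53 src=10.1.0.1 dst=10.1.0.7 sport=53 dport=1025 use=1'

# unreplied_by_dport [file]: print "dport count" for half-open TCP flows,
# most frequent first. Uses the embedded SAMPLE when no file is given
# (on the router you would pass /proc/net/ip_conntrack).
unreplied_by_dport() {
  if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE"; fi |
    awk '$1 == "tcp" && /\[UNREPLIED\]/ {
           # the first dport= field is the original direction
           for (i = 1; i <= NF; i++)
             if ($i ~ /^dport=/) { sub("dport=", "", $i); n[$i]++; break }
         }
         END { for (p in n) print p, n[p] }' | sort -k2,2nr
}

# unreplied_count PORT [file]: number of half-open flows aimed at PORT.
unreplied_count() {
  unreplied_by_dport "$2" | awk -v p="$1" '$1 == p { print $2; f = 1 }
                                            END { if (!f) print 0 }'
}

# Once the scanned ports are known, keep those probes out of the state
# table altogether so they cannot crowd out legitimate users (assumption:
# the raw table / NOTRACK target is available on this kernel):
#   iptables -t raw -A PREROUTING -p tcp --dport 135 -j NOTRACK
#   iptables -t raw -A PREROUTING -p tcp --dport 445 -j NOTRACK
unreplied_by_dport
```

Run it against the live file with `unreplied_by_dport /proc/net/ip_conntrack` to see the current top targets; untracked packets are still dropped by the existing firewall rules, they just never occupy a conntrack slot.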