LinuxQuestions.org
Old 04-26-2005, 02:23 PM   #1
saurabh_sahni
LQ Newbie
 
Registered: Apr 2005
Location: Indore, India
Distribution: Mandrake 10.0
Posts: 7

Rep: Reputation: 0
Proxy server flooded by requests on port 53 & port 25


Hello there.

We have a proxy server (Mandrake 10.0) connecting about 1200 Windows clients. Some virus has spread in the network and is flooding the proxy server on port 53 and port 25. The firewall is dropping these packets, which I can see in Shorewall's log.

The proxy server does not hang, but it is the switches in the network which hang... and the switches have to be restarted...

Sometimes we also get an error: "Neighbour Table Overflow..."

Please tell me what the solution can be. How can these traffic requests be stopped, which may prevent the switches from hanging?

Thanks
Saurabh Sahni
 
Old 04-26-2005, 02:39 PM   #2
tangle
Senior Member
 
Registered: Apr 2002
Location: Smithville, TN
Distribution: Slackware
Posts: 1,745

Rep: Reputation: 71
If you know which PCs are infected, I would remove them from the network and clean them and make sure all anti-virus software is up to date.

If you do not know which ones are infected, unplug your network's Internet connection. Then unplug all the PCs and scan each one for viruses. Clean the ones that are infected, then make sure all the PCs' anti-virus software is up to date.

If you are an ISP, I am not sure if this is legal. But I would cut the connection to all the infected PCs. Then contact the customers and explain the problem. There is free anti-virus software out there. I would suggest that they use one.

Also do not double post, it is against the rules.
 
Old 04-26-2005, 02:45 PM   #3
saurabh_sahni
LQ Newbie
 
Registered: Apr 2005
Location: Indore, India
Distribution: Mandrake 10.0
Posts: 7

Original Poster
Rep: Reputation: 0
We have been doing the same thing. But the problem is the network has 1200 nodes; scanning each of them will take a lot of time.
And single nodes cannot be disconnected... But we need to disconnect a group of around 100 nodes at a time, even if 1 of them is infected...

Can't something be done at the proxy server's end... some configuration change in the firewall or somewhere else?


P.S. Sorry for the double post. It was my first post.
 
Old 04-26-2005, 04:28 PM   #4
masand
Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 58
Well, I am the thread starter's friend and from the same university.

This setup is at our university.

What I was thinking was that maybe we can block some networks.
Our whole network is divided into small networks, so we can block networks, and on analysing the logs we can identify which network is causing the problem and eliminate that whole network until that infected network is scanned.

regards
 
Old 04-26-2005, 05:55 PM   #5
tangle
Senior Member
 
Registered: Apr 2002
Location: Smithville, TN
Distribution: Slackware
Posts: 1,745

Rep: Reputation: 71
I do not have any experience with managed switches. But, I believe SNMP allows you to diagnose and control the traffic going through them. You should be able to find which machines are causing the traffic and isolate them.

When the Code Red virus came out, our company was one of the first ones to get infected. We have 500 + nodes on the LAN. We pulled the plug and checked each machine before we hooked the internet back up.
 
Old 04-26-2005, 11:35 PM   #6
masand
Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 58
Yes, our system admin had a network management system in place, but the Administration later removed that machine and now they are facing this problem.

Well, I think we need to study the logs. I do not have any experience with SNMP.

regards
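
Added example, not part of any post in this thread: one way to study the Shorewall drop log as suggested above, ranking source hosts and subnets by dropped packets to ports 25 and 53 so the worst segments can be isolated first. The log lines, host name, interface, addresses and the /24 subnet size are constructed assumptions; the line layout follows the netfilter format Shorewall writes to syslog.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (not taken from the thread's real logs).
SAMPLE_LOG = """\
Apr 26 14:01:12 proxy kernel: Shorewall:loc2fw:DROP:IN=eth1 OUT= SRC=10.1.4.23 DST=10.1.0.1 LEN=48 TTL=128 PROTO=TCP SPT=1045 DPT=25 SYN
Apr 26 14:01:12 proxy kernel: Shorewall:loc2fw:DROP:IN=eth1 OUT= SRC=10.1.4.23 DST=10.1.0.1 LEN=48 TTL=128 PROTO=TCP SPT=1046 DPT=25 SYN
Apr 26 14:01:13 proxy kernel: Shorewall:loc2fw:DROP:IN=eth1 OUT= SRC=10.1.4.23 DST=10.1.0.1 LEN=62 TTL=128 PROTO=UDP SPT=1047 DPT=53
Apr 26 14:01:13 proxy kernel: Shorewall:loc2fw:DROP:IN=eth1 OUT= SRC=10.1.4.77 DST=10.1.0.1 LEN=48 TTL=128 PROTO=TCP SPT=2001 DPT=25 SYN
Apr 26 14:01:14 proxy kernel: Shorewall:loc2fw:DROP:IN=eth1 OUT= SRC=10.1.9.5 DST=10.1.0.1 LEN=62 TTL=128 PROTO=UDP SPT=3010 DPT=53
Apr 26 14:01:14 proxy kernel: Shorewall:loc2fw:DROP:IN=eth1 OUT= SRC=10.1.9.5 DST=10.1.0.1 LEN=48 TTL=128 PROTO=TCP SPT=3011 DPT=80 SYN
Apr 26 14:01:15 proxy kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= SRC=10.1.2.8 DST=10.1.0.1 LEN=48 TTL=128 PROTO=TCP SPT=4000 DPT=25 SYN
"""

FIELD = re.compile(r"\b(SRC|DPT)=(\S+)")
WATCHED_PORTS = {"25", "53"}  # the two ports named in the thread


def parse_drops(log_text):
    """Yield (source address, destination port) for each DROP to a watched port."""
    for line in log_text.splitlines():
        if ":DROP:" not in line:
            continue  # only dropped packets are of interest here
        fields = dict(FIELD.findall(line))
        src, dpt = fields.get("SRC"), fields.get("DPT")
        if not src or dpt not in WATCHED_PORTS:
            continue
        try:
            yield ipaddress.ip_address(src), dpt
        except ValueError:
            continue  # truncated or malformed log line


def rank_sources(log_text, prefix_len=24):
    """Return (hosts, subnets), each a list of (name, drop count), busiest first."""
    hosts, subnets = Counter(), Counter()
    for ip, _port in parse_drops(log_text):
        hosts[str(ip)] += 1
        # prefix_len is an assumption; set it to the real segment size.
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        subnets[str(net)] += 1
    return hosts.most_common(), subnets.most_common()


if __name__ == "__main__":
    top_hosts, top_subnets = rank_sources(SAMPLE_LOG)
    print("hosts:", top_hosts)
    print("subnets:", top_subnets)
```

To run it on real data, pass the contents of the file Shorewall logs to (often `/var/log/messages`) to `rank_sources` instead of `SAMPLE_LOG`.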
 
  


All times are GMT -5.