First:
Thanks for the back-pat...
Anyway.. As Tinkster says, UDP is connectionless. And slammer uses this to great effect. What you're seeing below is definitely slammer, although the traffic quoted in your other thread is not.
I'll write here about the questions asked in this thread.
10.<anything> is a private network address. In a similar manner to the more common 192.168.xxx.xxx. As such it's not *supposed* to be floating around on the internet. In fact, internet routers, if set up properly, should be set to drop private IP packets if they see them. However, a large number don't, and this is how you end up with spoofed addresses being used in Denial of Service attacks.
That said, AT&T are probably using 10.x addresses for the cable modems (which you should never see, but more on that later). So, it wouldn't be altogether surprising to see a 10.x address on the network. Due to its 'shared' nature, you *will* get packets sent to you but not specifically destined for you, and there's nothing you, personally, can do about it.
What you *can* do is to block anything from a 10.x address when it hits your network card. You shouldn't be receiving anything in that subnet anyway...
You can do that with a line like the following in your iptables rules:
$IPTABLES -A INPUT -i $EXTIF -s 10.0.0.0/8 -j DROP
where $IPTABLES = /sbin/iptables
$EXTIF is your external interface
$INTIF is your internal interface
I would suggest also blocking all the *other* private IP addresses (which again, shouldn't be hitting your internet interface).
$IPTABLES -A INPUT -i $EXTIF -s 172.16.0.0/12 -j DROP # RFC1918 Private
$IPTABLES -A INPUT -i $EXTIF -s 0.0.0.0/8 -j DROP # "This network" (RFC 1122), never a valid source
$IPTABLES -A INPUT -i $EXTIF -s 127.0.0.0/8 -j DROP # Loopback
$IPTABLES -A INPUT -i $EXTIF -s 192.168.0.0/16 -j DROP # RFC1918 Private
$IPTABLES -A INPUT -i $EXTIF -s 192.0.2.0/24 -j DROP # TEST-NET
$IPTABLES -A INPUT -i $EXTIF -s 169.254.0.0/16 -j DROP # Unconfigured DHCP
$IPTABLES -A INPUT -i $EXTIF -s 224.0.0.0/4 -j DROP # Class D / Multicast
$IPTABLES -A INPUT -i $EXTIF -s 240.0.0.0/5 -j DROP # Class E / Reserved
$IPTABLES -A INPUT -i $EXTIF -s 255.255.255.255 -j DROP # Broadcast
Note on the above though - you may have some issues with traceroute if you block 10.x addresses and one of the hops replies from a 10.x address. It's rather a large blanket rule which can have unforeseen side-effects.
That rule should stop your machine from becoming unresponsive, as packets don't have to traverse your firewall rules (put the above rules at the *top* of your list) to figure out if it should accept/drop the packet 3000 times a second. It can hit the first DROP and you're done with it.
Quote:
Is there any way to prevent this traffic? How could it possibly be legitimate? Should I call AT&T, and if so, what could they do?
Prevention - see above.
It's not legitimate - your neighbour has a 'misconfigured machine'. It could be intentional, it could be viral, or it could be user error.
I really doubt you'll get a positive response from AT&T. In my experience, if you start talking about packet-level stuff to a level 1 tech they'll simply go 'huh?'
You might have better luck if you press your case and get to (eventually) a tier 3 support person who generally knows what a UDP packet is, that you shouldn't be seeing 10.x traffic, and why.
I've had *dismal* experiences with my customer support though (comcast), and don't hold out any more hope for yours...
As for what they could do - they can cut off the link to your errant neighbour, either until (s)he fixes it, or depending on how malicious the intent, altogether.
Last:
Quote:
FYI, for some reason, IPTraf was not seeing these packets. It could be because they were RESET, and therefore no connection was established, but I don't know.
The reason for that is that IPTraf doesn't put your network card into promiscuous mode by default, and tcpdump does.
Promiscuous mode means that a network card will listen to *everything* that so much as waves in its direction. Any traffic not meant for you which gets sent to it (by nature of the shared line you enjoy with your neighbours) it'll show. Ordinarily network cards only listen to things sent specifically to them (by MAC address) and nothing more (Okay.. broadcast stuff too, for the finicky). Obviously, if it's not for you, then you don't *want* to be listening to it - it's just more work for your card / computer to do.
You can tell IPTraf to 'go promiscuous' in one of the menus: --> configure --> Force Promiscuous mode.
It'll then show you all the stuff that's not destined for your machine (your 10.x stuff) as well as stuff that is.
*pant*
Slick.
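An added example (my own script, not code from this thread or from IPTraf/iptables): it applies the same source-address filter as the DROP rules above to tcpdump summary lines, so you can see what those rules would discard before putting them at the top of your INPUT chain. The capture lines are constructed, and the address list simply mirrors the rules in the post.

```python
import ipaddress
import re
from collections import Counter

# Source ranges that should never arrive on an external interface; mirrors the
# DROP rules in the post (RFC1918, loopback, link-local, TEST-NET, multicast, reserved).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/5", "255.255.255.255/32")]

# tcpdump's default UDP summary line: "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
UDP_LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
                      r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)")

def is_bogon(addr):
    """True if addr falls in a range the external interface should drop."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)

def parse_udp(line):
    """Return (src, dport, length) for a tcpdump UDP line, or None for anything else."""
    m = UDP_LINE.match(line)
    return (m["src"], int(m["dport"]), int(m["len"])) if m else None

def bogon_report(lines):
    """Count UDP packets per (source, destination port) whose source is a bogon.
    Non-UDP lines and public sources are ignored, so the result is exactly what
    the post's top-of-chain DROP rules would have discarded."""
    hits = Counter()
    for line in lines:
        parsed = parse_udp(line)
        if parsed and is_bogon(parsed[0]):
            hits[(parsed[0], parsed[1])] += 1
    return hits

# Constructed sample capture (not real traffic): a 10.x neighbour hammering UDP/1434,
# a 192.168.x source, one legitimate DNS reply and one TCP RST line that is skipped.
SAMPLE = [
    "18:02:11.510422 IP 10.4.5.6.1103 > 198.51.100.20.1434: UDP, length 376",
    "18:02:11.510701 IP 10.4.5.6.1103 > 198.51.100.20.1434: UDP, length 376",
    "18:02:11.511004 IP 192.168.1.9.4000 > 198.51.100.20.1434: UDP, length 376",
    "18:02:11.512118 IP 203.0.113.53.53 > 198.51.100.20.33000: UDP, length 91",
    "18:02:11.512500 IP 10.4.5.6.1103 > 198.51.100.20.1434: UDP, length 376",
    "18:02:11.513000 IP 203.0.113.7.80 > 198.51.100.20.51000: Flags [R.], seq 0, ack 1, win 0, length 0",
]

if __name__ == "__main__":
    for (src, dport), n in bogon_report(SAMPLE).most_common():
        print(f"{n:4d} packets from bogon source {src} to udp/{dport}")
```

Feed it real output with `tcpdump -n -i $EXTIF udp | python3 script.py` style piping if you want, but remember tcpdump itself puts the card into promiscuous mode, so it will also show traffic the DROP rules never see.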