Hello,
I'm new here; well, I'm new with Linux also, but I'm willing to learn.
I'm running a Gentoo distribution for htb and routing, and a FreeBSD as a nameserver and for webmail.
I have a network of about 350 users and I have a very big problem... for some time now I've been experiencing lots of floods on ports 135, 137, 138, 139 and 445, but especially on 135, 139 and 445. These ports are filtered by my firewall (rc.firewall) but the problem remains... How to get rid of it?!?
When I run tcpdump -nnvv -i ethx port ... (where x is the interface that goes to my clients and the ports are the ones that I mentioned) this is what I get:
00:52:31.713708 IP (tos 0x0, ttl 128, id 44214, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.3366 > 89.32.154.246.139: S, cksum 0x64bf (correct), 3880917648:3880917648(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.713943 IP (tos 0x0, ttl 128, id 44215, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.3367 > 89.32.47.165.139: S, cksum 0x2f60 (correct), 3880958783:3880958783(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.714201 IP (tos 0x0, ttl 128, id 44216, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.3368 > 89.32.76.78.139: S, cksum 0x4a7b (correct), 3881010041:3881010041(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.717589 IP (tos 0x0, ttl 128, id 48885, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.1903 > 89.32.164.151.139: S, cksum 0xc610 (correct), 1570914014:1570914014(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.729528 IP (tos 0x0, ttl 128, id 44217, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.3369 > 89.32.240.145.139: S, cksum 0xde18 (correct), 3881061270:3881061270(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.744406 IP (tos 0x0, ttl 128, id 44218, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.3275 > 89.32.168.102.139: S, cksum 0x85e8 (correct), 3875728545:3875728545(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.747869 IP (tos 0x0, ttl 128, id 48890, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.1904 > 89.32.247.139.139: S, cksum 0xcc08 (correct), 1570956784:1570956784(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.760333 IP (tos 0x0, ttl 128, id 44219, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.3370 > 89.32.191.111.139: S, cksum 0xc94b (correct), 3881144707:3881144707(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.779141 IP (tos 0x0, ttl 128, id 48895, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.1905 > 89.32.122.61.139: S, cksum 0x8a15 (correct), 1571005744:1571005744(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.794217 IP (tos 0x0, ttl 128, id 48898, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.1811 > 89.32.252.154.139: S, cksum 0x8a3e (correct), 1565598554:1565598554(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.794255 IP (tos 0x0, ttl 128, id 48899, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.1812 > 89.32.216.25.139: S, cksum 0x0d5d (correct), 1565639738:1565639738(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.794283 IP (tos 0x0, ttl 128, id 48900, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.1813 > 89.32.143.40.139: S, cksum 0xc448 (correct), 1565677247:1565677247(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.794309 IP (tos 0x0, ttl 128, id 48901, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.1814 > 89.32.34.53.139: S, cksum 0x65e5 (correct), 1565729300:1565729300(0) win 64240 <mss 1460,nop,nop,sackOK>
00:52:31.794338 IP (tos 0x0, ttl 128, id 48902, offset 0, flags [DF], proto: TCP (6), length: 48) 89.32.***.***.1815 > 89.32.153.77.139: S, cksum 0xf0e8 (correct), 1565794294:1565794294(0) win 64240 <mss 1460,nop,nop,sackOK>
I also must say that I personally went to the computers that have this sort of activity and all of them are running a Windows file system. I installed Zone Alarm firewall and blocked the problem ports inbound and outbound. This way I stop the flood for about 1 week tops, then it starts again, but the firewall is useless...
WHAT TO DO!?!
PS: I forgot to say what happens.... well, about 100.000 packets/second (and that kinda messes up my server as well as my provider's router...)
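The capture above shows the pattern a SYN-scanning worm on an internal Windows host produces: one source, a new ephemeral port per packet, pure SYNs to port 139 on unrelated addresses, hundreds of them per second. Filtering the ports on the router does not make that traffic go away, because the SYNs originate on the clients behind it; what helps is finding which clients are generating them so they can be isolated and cleaned. The script below is an added example written for this thread, not code from the original poster: it parses lines in the same `tcpdump -nnvv` format, counts pure SYNs to the NetBIOS/SMB ports per source host, and flags hosts that fan out to many distinct destinations. The sample capture inside it is constructed for the example and uses RFC 5737 documentation addresses, not the real addresses from the post; the `min_targets` threshold is an assumed starting value to tune for your network.

```python
"""Flag internal hosts doing worm-style SMB/NetBIOS scanning in tcpdump output.

Added example, not code from the original post. It reads lines in the
'tcpdump -nnvv' format shown in the thread, keeps only pure SYNs to the
NetBIOS/SMB ports, and reports source hosts that fan out to many distinct
destinations. The capture below is constructed for the example and uses
RFC 5737 documentation addresses, not the poster's real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

SMB_PORTS = {135, 137, 138, 139, 445}

# timestamp, the parenthesised IP header, then "src.sport > dst.dport: FLAGS,"
# Flags are bare ("S") in older tcpdump output and bracketed ("[S]") in newer builds.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>\[?[A-Z.]+\]?),"
)


def parse_line(line):
    """Return (ts, src, sport, dst, dport, flags) or None for a non-matching line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = m.group("flags").strip("[]")
    return (m.group("ts"), m.group("src"), int(m.group("sport")),
            m.group("dst"), int(m.group("dport")), flags)


def _seconds(ts):
    """Seconds since midnight for a HH:MM:SS.ffffff timestamp."""
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def find_scanners(lines, min_targets=5):
    """Aggregate SYNs per source host and flag hosts that hit many destinations.

    Returns {src: {"syns": n, "targets": n, "pps": rate}} for sources whose
    distinct-destination count reaches min_targets. A workstation legitimately
    opens SMB sessions to a few file servers, not to dozens of unrelated hosts.
    pps is None when all of a host's SYNs share one timestamp (no time span).
    """
    syns = defaultdict(int)
    targets = defaultdict(set)
    first, last = {}, {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, _sport, dst, dport, flags = rec
        # Only connection attempts (pure SYN) to the worm-favoured ports count.
        if flags != "S" or dport not in SMB_PORTS:
            continue
        syns[src] += 1
        targets[src].add(dst)
        t = _seconds(ts)
        first.setdefault(src, t)
        last[src] = t
    report = {}
    for src, n in syns.items():
        if len(targets[src]) < min_targets:
            continue
        span = last[src] - first[src]
        report[src] = {"syns": n, "targets": len(targets[src]),
                       "pps": n / span if span > 0 else None}
    return report


# Constructed sample capture in the post's tcpdump format (documentation addresses).
_HDR = "IP (tos 0x0, ttl 128, id {id}, offset 0, flags [DF], proto: TCP (6), length: 48)"
_TAIL = "cksum 0x0000 (correct), 1:1(0) win 64240 <mss 1460,nop,nop,sackOK>"


def _pkt(ts, ident, src, dst, flags):
    return "{} {} {} > {}: {}, {}".format(ts, _HDR.format(id=ident), src, dst, flags, _TAIL)


SAMPLE_CAPTURE = [
    # 192.0.2.10 sprays SYNs at six unrelated hosts on 139/445/135 within 31 ms
    _pkt("00:52:31.713708", 44214, "192.0.2.10.3366", "198.51.100.246.139", "S"),
    _pkt("00:52:31.713943", 44215, "192.0.2.10.3367", "198.51.100.165.139", "S"),
    _pkt("00:52:31.714201", 44216, "192.0.2.10.3368", "198.51.100.78.139", "S"),
    _pkt("00:52:31.717589", 44217, "192.0.2.10.3369", "198.51.100.151.445", "S"),
    _pkt("00:52:31.729528", 44218, "192.0.2.10.3370", "198.51.100.145.139", "S"),
    _pkt("00:52:31.744406", 44219, "192.0.2.10.3371", "198.51.100.102.135", "S"),
    # 192.0.2.20 opens one SMB session to its file server: normal, not flagged
    _pkt("00:52:31.750000", 5001, "192.0.2.20.1025", "192.0.2.5.445", "S"),
    _pkt("00:52:31.750400", 5002, "192.0.2.5.445", "192.0.2.20.1025", "S."),
    # An unrelated HTTP SYN is ignored because port 80 is not in SMB_PORTS
    _pkt("00:52:31.760000", 5003, "192.0.2.20.1026", "192.0.2.7.80", "S"),
]

if __name__ == "__main__":
    for src, stats in sorted(find_scanners(SAMPLE_CAPTURE).items()):
        print("{}: {syns} SYNs to {targets} hosts, ~{pps:.0f} pkt/s".format(src, **stats))
```

On a live box the natural use is `tcpdump -nnvv -i ethx 'tcp[tcpflags] == tcp-syn and (port 135 or port 139 or port 445)' | python3 find_scanners.py` with the loop reading `sys.stdin` instead of `SAMPLE_CAPTURE`; the hosts it lists are the machines to pull off the network and rebuild or disinfect, and the per-host SYN rate tells you how much of the 100.000 packets/second each one contributes. Blocking the ports at the router still makes sense to protect the upstream, but it cannot stop an infected client from emitting the SYNs in the first place.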