On Tue, 07 Dec 2004 00:54:08 +0800, ro0ot <ro0ot@xxxxxxxxxxxx> wrote:

> Hi,
>
> I get lots of tcp port 445 traffic when I do a tcpdump -n port 445,
> could it be an attack?

Many viruses hammer TCP port 445 attempting to exploit MS Windows vulnerabilities. They attempt to establish TCP sessions on dport 445 to a massive number of IP addresses. This can fill up /proc/net/ip_conntrack in no time, amongst other things.

> I check on the syslog files at /var/log/syslog, it shows this as below:
>
> Dec 7 00:36:40 fw01 kernel: Neighbour table overflow.
> Dec 7 00:36:46 fw01 kernel: NET: 32 messages suppressed.
> Dec 7 00:36:46 fw01 kernel: Neighbour table overflow.
> Dec 7 00:36:51 fw01 kernel: NET: 27 messages suppressed.
> Dec 7 00:36:51 fw01 kernel: Neighbour table overflow.
> Dec 7 00:38:14 fw01 kernel: NET: 6 messages suppressed.
> Dec 7 00:38:14 fw01 kernel: Neighbour table overflow.
>
> When I try to ping my router IP address, I get this message below:
>
> connect: No buffer space available
>
> I did try running the below command and it seems not helping much:
>
> iptables -I cus2jarwan -p tcp --dport 445 -j REJECT --reject-with tcp-reset
>
> or
>
> iptables -I cus2jarwan -p tcp --dport 445 -j DROP

You definitely don't want to use -j REJECT - this will do more harm than good, as it will be generating an ICMP unreachable message for each port 445 packet.

> How can I stop this tcp port 445 traffic? Or how can I prevent it?

Use the drop rule you mentioned. Apply it to INPUT and also FORWARD.

If possible:
- remove the viruses
- disable the infected computer(s) switch port(s) until cleaned
- unplug the infected computer(s) from the network until cleaned

Regards,
Paul

> Regards,
> ro0ot