How to block this UDP virus request


Net_Spy
05-10-2007, 07:16 AM
Greetings....

I want to block this virus UDP request in my network with iptables.

I ran the following commands to block this request, but it fails.

iptables -I INPUT -p udp -s 10.100.38.145 -j DROP
iptables -I FORWARD -p udp -s 10.100.38.145 -j DROP

I also tried the mangle table to block this request.

iptables -t mangle -I INPUT -p udp -s 10.100.38.145 -j DROP
iptables -t mangle -I FORWARD -p udp -s 10.100.38.145 -j DROP

localhost@root> tcpdump -i eth1 src 10.100.38.145 -vv

18:01:37.782553 IP (tos 0x0, ttl 48, id 63842, offset 0, flags [+], proto: UDP (17), length: 1500) 10.100.38.145.trustestablish > 77.64.87.82.tcpmux: UDP, length 65491
18:01:37.783060 IP (tos 0x0, ttl 48, id 63842, offset 1480, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.783078 IP (tos 0x0, ttl 48, id 63842, offset 2960, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.783081 IP (tos 0x0, ttl 48, id 63842, offset 4440, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.783094 IP (tos 0x0, ttl 48, id 63842, offset 5920, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.783340 IP (tos 0x0, ttl 48, id 63842, offset 7400, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.783359 IP (tos 0x0, ttl 48, id 63842, offset 8880, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.783464 IP (tos 0x0, ttl 48, id 63842, offset 10360, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.783971 IP (tos 0x0, ttl 48, id 63842, offset 11840, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.784128 IP (tos 0x0, ttl 48, id 63842, offset 13320, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.784144 IP (tos 0x0, ttl 48, id 63842, offset 14800, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.784148 IP (tos 0x0, ttl 48, id 63842, offset 16280, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.784161 IP (tos 0x0, ttl 48, id 63842, offset 17760, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.784477 IP (tos 0x0, ttl 48, id 63842, offset 19240, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.784496 IP (tos 0x0, ttl 48, id 63842, offset 20720, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.784501 IP (tos 0x0, ttl 48, id 63842, offset 22200, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.784981 IP (tos 0x0, ttl 48, id 63842, offset 23680, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.784986 IP (tos 0x0, ttl 48, id 63842, offset 25160, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.784990 IP (tos 0x0, ttl 48, id 63842, offset 26640, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.785007 IP (tos 0x0, ttl 48, id 63842, offset 28120, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.785374 IP (tos 0x0, ttl 48, id 63842, offset 29600, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.785530 IP (tos 0x0, ttl 48, id 63842, offset 31080, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.785534 IP (tos 0x0, ttl 48, id 63842, offset 32560, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.785608 IP (tos 0x0, ttl 48, id 63842, offset 34040, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.785633 IP (tos 0x0, ttl 48, id 63842, offset 35520, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.786166 IP (tos 0x0, ttl 48, id 63842, offset 37000, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.786171 IP (tos 0x0, ttl 48, id 63842, offset 38480, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.786189 IP (tos 0x0, ttl 48, id 63842, offset 39960, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.786193 IP (tos 0x0, ttl 48, id 63842, offset 41440, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.786542 IP (tos 0x0, ttl 48, id 63842, offset 42920, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.786548 IP (tos 0x0, ttl 48, id 63842, offset 44400, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.786610 IP (tos 0x0, ttl 48, id 63842, offset 45880, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.787164 IP (tos 0x0, ttl 48, id 63842, offset 47360, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.787170 IP (tos 0x0, ttl 48, id 63842, offset 48840, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.787174 IP (tos 0x0, ttl 48, id 63842, offset 50320, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.787190 IP (tos 0x0, ttl 48, id 63842, offset 53280, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.787195 IP (tos 0x0, ttl 48, id 63842, offset 54760, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.787671 IP (tos 0x0, ttl 48, id 63842, offset 56240, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.787724 IP (tos 0x0, ttl 48, id 63842, offset 57720, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.787772 IP (tos 0x0, ttl 48, id 63842, offset 59200, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.787776 IP (tos 0x0, ttl 48, id 63842, offset 60680, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.787819 IP (tos 0x0, ttl 48, id 63842, offset 62160, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.787978 IP (tos 0x0, ttl 48, id 63842, offset 63640, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.787983 IP (tos 0x0, ttl 48, id 63842, offset 65120, flags [none], proto: UDP (17), length: 399) 10.100.38.145 > 77.64.87.82: udp
18:01:37.793047 IP (tos 0x0, ttl 48, id 63843, offset 0, flags [+], proto: UDP (17), length: 1500) 10.100.38.145.trustestablish > 77.64.87.82.tcpmux: UDP, length 65497
18:01:37.793058 IP (tos 0x0, ttl 48, id 63843, offset 1480, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.793062 IP (tos 0x0, ttl 48, id 63843, offset 2960, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.793092 IP (tos 0x0, ttl 48, id 63843, offset 4440, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.793096 IP (tos 0x0, ttl 48, id 63843, offset 5920, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.793357 IP (tos 0x0, ttl 48, id 63843, offset 7400, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.793361 IP (tos 0x0, ttl 48, id 63843, offset 8880, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.793849 IP (tos 0x0, ttl 48, id 63843, offset 10360, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.793854 IP (tos 0x0, ttl 48, id 63843, offset 11840, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.793892 IP (tos 0x0, ttl 48, id 63843, offset 13320, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.793926 IP (tos 0x0, ttl 48, id 63843, offset 14800, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.794469 IP (tos 0x0, ttl 48, id 63843, offset 16280, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.794475 IP (tos 0x0, ttl 48, id 63843, offset 17760, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.794478 IP (tos 0x0, ttl 48, id 63843, offset 19240, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.794521 IP (tos 0x0, ttl 48, id 63843, offset 20720, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.794525 IP (tos 0x0, ttl 48, id 63843, offset 22200, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.794974 IP (tos 0x0, ttl 48, id 63843, offset 23680, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.794980 IP (tos 0x0, ttl 48, id 63843, offset 25160, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.795017 IP (tos 0x0, ttl 48, id 63843, offset 26640, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.795020 IP (tos 0x0, ttl 48, id 63843, offset 28120, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.795542 IP (tos 0x0, ttl 48, id 63843, offset 29600, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.795548 IP (tos 0x0, ttl 48, id 63843, offset 31080, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.795589 IP (tos 0x0, ttl 48, id 63843, offset 35520, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.796050 IP (tos 0x0, ttl 48, id 63843, offset 37000, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.796056 IP (tos 0x0, ttl 48, id 63843, offset 38480, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.796071 IP (tos 0x0, ttl 48, id 63843, offset 39960, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.796076 IP (tos 0x0, ttl 48, id 63843, offset 41440, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.796240 IP (tos 0x0, ttl 48, id 63843, offset 42920, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.796555 IP (tos 0x0, ttl 48, id 63843, offset 44400, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.796575 IP (tos 0x0, ttl 48, id 63843, offset 45880, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.796580 IP (tos 0x0, ttl 48, id 63843, offset 47360, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.796951 IP (tos 0x0, ttl 48, id 63843, offset 48840, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.796963 IP (tos 0x0, ttl 48, id 63843, offset 50320, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.796980 IP (tos 0x0, ttl 48, id 63843, offset 51800, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.797455 IP (tos 0x0, ttl 48, id 63843, offset 53280, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.797476 IP (tos 0x0, ttl 48, id 63843, offset 54760, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.797480 IP (tos 0x0, ttl 48, id 63843, offset 56240, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.797495 IP (tos 0x0, ttl 48, id 63843, offset 57720, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.797967 IP (tos 0x0, ttl 48, id 63843, offset 59200, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.797987 IP (tos 0x0, ttl 48, id 63843, offset 60680, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.797991 IP (tos 0x0, ttl 48, id 63843, offset 62160, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.798005 IP (tos 0x0, ttl 48, id 63843, offset 63640, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.798009 IP (tos 0x0, ttl 48, id 63843, offset 65120, flags [none], proto: UDP (17), length: 405) 10.100.38.145 > 77.64.87.82: udp
18:01:37.803348 IP (tos 0x0, ttl 48, id 63844, offset 0, flags [+], proto: UDP (17), length: 1500) 10.100.38.145.trustestablish > 77.64.87.82.tcpmux: UDP, length 65496
18:01:37.803511 IP (tos 0x0, ttl 48, id 63844, offset 1480, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.804047 IP (tos 0x0, ttl 48, id 63844, offset 2960, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.804052 IP (tos 0x0, ttl 48, id 63844, offset 4440, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.804055 IP (tos 0x0, ttl 48, id 63844, offset 5920, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.804059 IP (tos 0x0, ttl 48, id 63844, offset 7400, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.804063 IP (tos 0x0, ttl 48, id 63844, offset 8880, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.804651 IP (tos 0x0, ttl 48, id 63844, offset 10360, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.804732 IP (tos 0x0, ttl 48, id 63844, offset 11840, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.804735 IP (tos 0x0, ttl 48, id 63844, offset 13320, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.804772 IP (tos 0x0, ttl 48, id 63844, offset 14800, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.805387 IP (tos 0x0, ttl 48, id 63844, offset 19240, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.805392 IP (tos 0x0, ttl 48, id 63844, offset 20720, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.805396 IP (tos 0x0, ttl 48, id 63844, offset 22200, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.805400 IP (tos 0x0, ttl 48, id 63844, offset 23680, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.805403 IP (tos 0x0, ttl 48, id 63844, offset 25160, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.805893 IP (tos 0x0, ttl 48, id 63844, offset 26640, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.805898 IP (tos 0x0, ttl 48, id 63844, offset 28120, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.805954 IP (tos 0x0, ttl 48, id 63844, offset 29600, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.805958 IP (tos 0x0, ttl 48, id 63844, offset 31080, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.806401 IP (tos 0x0, ttl 48, id 63844, offset 32560, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.806406 IP (tos 0x0, ttl 48, id 63844, offset 34040, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.806431 IP (tos 0x0, ttl 48, id 63844, offset 35520, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.806507 IP (tos 0x0, ttl 48, id 63844, offset 37000, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.806531 IP (tos 0x0, ttl 48, id 63844, offset 38480, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp
18:01:37.806718 IP (tos 0x0, ttl 48, id 63844, offset 39960, flags [+], proto: UDP (17), length: 1500) 10.100.38.145 > 77.64.87.82: udp

Is there any other way to block this sort of request? Looking forward to your kind response.

Regards
NetSpy

je_fro
05-10-2007, 08:32 AM
It looks to me that rather than block individual addresses, you should set the default to DROP for EVERYTHING, and then only allow what you need.

bwkaz
05-10-2007, 07:24 PM
On Linux, tcpdump ignores any iptables rules you may have set up. If tcpdump is seeing the packets, that does not mean that the firewall is allowing them through.

To see if the firewall is allowing them through, you'll have to write a program that listens on that UDP port and writes out some message whenever it receives a packet. I bet you won't get any messages. :)

(But I'll echo je_fro's sentiment: Blocking just this one IP address is a horrible waste of time. The source IP is non-routable, which means that it's been forged. So what's to stop the sender from forging a different source address? Better to just set this table's "policy" (aka its default) to DROP, and individually allow the traffic you really need. Default-deny is always better (http://www.ranum.com/security/computer_security/editorials/dumb/) than default-allow. ;))
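The listener bwkaz describes, written here as an added example (not code from the thread): it binds a UDP port on the firewalled host and reports only datagrams the kernel actually delivered, which is the check tcpdump cannot give you. The loopback self-test, port number and 3000-byte payload are constructed for illustration.

```python
import socket
import threading
import time

def open_listener(host="0.0.0.0", port=0):
    """Bind a UDP socket; port 0 lets the kernel pick a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock

def collect_datagrams(sock, timeout=5.0, max_datagrams=None):
    """Wait up to `timeout` seconds and return [(src_ip, length), ...] for
    each datagram the kernel hands to the socket. Only traffic that passed
    the INPUT chain gets here; tcpdump taps the interface before netfilter,
    so an empty list while tcpdump still shows packets means DROP works.
    Fragmented datagrams (like the 65 KB ones in the capture) arrive reassembled."""
    seen = []
    deadline = time.monotonic() + timeout
    while max_datagrams is None or len(seen) < max_datagrams:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        sock.settimeout(remaining)
        try:
            data, (src_ip, src_port) = sock.recvfrom(65535)
        except socket.timeout:
            break
        print(f"datagram from {src_ip}:{src_port}, {len(data)} bytes")
        seen.append((src_ip, len(data)))
    return seen

def send_udp(host, port, payload):
    """Send one datagram; used here only to exercise the listener over loopback."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (host, port))

def loopback_check(payload=b"x" * 3000, timeout=3.0):
    """Constructed self-test: listen on 127.0.0.1, send one datagram, return what arrived."""
    result = []
    with open_listener("127.0.0.1", 0) as sock:
        port = sock.getsockname()[1]   # kernel-chosen port, read back after bind
        t = threading.Thread(target=lambda: result.extend(collect_datagrams(sock, timeout, 1)))
        t.start()
        send_udp("127.0.0.1", port, payload)
        t.join()
    return result
```

On the firewalled host, run `collect_datagrams(open_listener("0.0.0.0", PORT), 30)` for the port the suspect traffic targets (root is needed for ports below 1024) and compare with what tcpdump shows at the same time.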