Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 3 subscribers
  • Views 4043 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web Browsing stop for a few minutes

leonidas saldanha

Hi,

We are facing an issue on one of our UTMs, It has 4 wan interfaces, one is the main link with 50mbps. Sometimes usually in the morning or early afternoon the internet browsing stops, we can ping but cannot browse internet pages. We've tested the link when the issue appears, but the link works correctly.

We got in touch with Sophos Asia support and they claim we are being attacked with Flood UDP, ICMP. They've sent us a list of IPs that are attacking us. But this list seems to be changing overtime and sometimes IPs from Smarphones appars on the logs.

Support told us that when being attacked the UTM is overloaded and web browsing stops. But Since we have other WAN links we tested that those links work normally when browsing on the main link is not working.

I know Sophos Support said we are under attack, but there is no way to ask the ISP to block all IPs that appear on the list, and why browsing via other wan link works? If CPU is overloaded because of the attack, browsing was supposed to stop on all interfaces, right?

Another thing that got my attention is that sometimes the LOG shows the same srcmac for different srcips! Seems someone is spoofing IPs.

 

Example

2016:11:21-09:00:59 cga-fw ulogd[26883]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="182.128.191.113" dstip="XXX.XXX.XXX.XXX" proto="1" length="111" tos="0x00" prec="0x00" ttl="56" type="3" code="3"
2016:11:21-09:00:59 cga-fw ulogd[26883]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="110.185.86.213" dstip="XXX.XXX.XXX.XXX" proto="1" length="138" tos="0x00" prec="0x00" ttl="56" type="3" code="3"
2016:11:21-09:00:59 cga-fw ulogd[26883]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="115.148.234.29" dstip="XXX.XXX.XXX.XXX" proto="1" length="138" tos="0x00" prec="0x00" ttl="56" type="3" code="3"
2016:11:21-09:00:59 cga-fw ulogd[26883]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="115.148.234.29" dstip="XXX.XXX.XXX.XXX" proto="1" length="138" tos="0x00" prec="0x00" ttl="56" type="3" code="3"
2016:11:21-09:00:59 cga-fw ulogd[26883]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="180.124.239.195" dstip="XXX.XXX.XXX.XXX" proto="1" length="112" tos="0x00" prec="0x00" ttl="55" type="3" code="3"
2016:11:21-09:01:05 cga-fw ulogd[26883]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="113.25.56.64" dstip="XXX.XXX.XXX.XXX" proto="1" length="138" tos="0x00" prec="0xc0" ttl="54" type="3" code="3"
2016:11:21-09:01:05 cga-fw ulogd[26883]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="27.187.89.8" dstip="XXX.XXX.XXX.XXX" proto="1" length="138" tos="0x00" prec="0xc0" ttl="55" type="3" code="3"
2016:11:21-09:01:05 cga-fw ulogd[26883]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="27.187.89.8" dstip="XXX.XXX.XXX.XXX" proto="1" length="138" tos="0x00" prec="0xc0" ttl="55" type="3" code="3"
2016:11:21-09:01:05 cga-fw ulogd[26883]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="123.171.11.67" dstip="XXX.XXX.XXX.XXX" proto="1" length="138" tos="0x00" prec="0x00" ttl="54" type="3" code="3"
2016:11:21-09:01:05 cga-fw ulogd[26883]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="123.171.11.67" dstip="XXX.XXX.XXX.XXX" proto="1" length="138" tos="0x00" prec="0x00" ttl="54" type="3" code="3"
2016:11:21-09:01:05 cga-fw ulogd[26883]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="123.171.11.67" dstip="XXX.XXX.XXX.XXX" proto="17" length="41" tos="0x00" prec="0x00" ttl="52" srcport="7173" dstport="1863"
2016:11:21-09:01:05 cga-fw ulogd[26883]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="123.171.11.67" dstip="XXX.XXX.XXX.XXX" proto="17" length="41" tos="0x00" prec="0x00" ttl="52" srcport="7173" dstport="1863"
2016:11:21-09:01:05 cga-fw ulogd[26883]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="124.112.199.223" dstip="XXX.XXX.XXX.XXX" proto="17" length="1153" tos="0x00" prec="0x00" ttl="55" srcport="1863" dstport="1108"
2016:11:21-09:01:05 cga-fw ulogd[26883]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="124.112.199.223" dstip="XXX.XXX.XXX.XXX" proto="17" length="1153" tos="0x00" prec="0x00" ttl="55" srcport="1863" dstport="1108"
2016:11:21-09:01:05 cga-fw ulogd[26883]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="124.112.199.223" dstip="XXX.XXX.XXX.XXX" proto="17" length="1153" tos="0x00" prec="0x00" ttl="55" srcport="1863" dstport="1108"
2016:11:21-09:01:06 cga-fw ulogd[26883]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="117.95.238.160" dstip="XXX.XXX.XXX.XXX" proto="17" length="1152" tos="0x00" prec="0x00" ttl="54" srcport="1863" dstport="1108"
2016:11:21-09:01:06 cga-fw ulogd[26883]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="117.95.238.160" dstip="XXX.XXX.XXX.XXX" proto="17" length="1152" tos="0x00" prec="0x00" ttl="54" srcport="1863" dstport="1108"
2016:11:21-09:01:06 cga-fw ulogd[26883]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="117.95.238.160" dstip="XXX.XXX.XXX.XXX" proto="17" length="1152" tos="0x00" prec="0x00" ttl="54" srcport="1863" dstport="1108"
2016:11:21-09:01:07 cga-fw ulogd[26883]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="124.112.199.223" dstip="XXX.XXX.XXX.XXX" proto="17" length="1160" tos="0x00" prec="0x00" ttl="55" srcport="1863" dstport="1108"
2016:11:21-09:01:07 cga-fw ulogd[26883]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="124.112.199.223" dstip="XXX.XXX.XXX.XXX" proto="17" length="1160" tos="0x00" prec="0x00" ttl="55" srcport="1863" dstport="1108"
2016:11:21-09:01:17 cga-fw ulogd[26883]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="110.188.225.222" dstip="XXX.XXX.XXX.XXX" proto="17" length="68" tos="0x00" prec="0x00" ttl="120" srcport="38912" dstport="1112"
2016:11:21-09:01:17 cga-fw ulogd[26883]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="110.188.225.222" dstip="XXX.XXX.XXX.XXX" proto="17" length="68" tos="0x00" prec="0x00" ttl="120" srcport="38912" dstport="1112"
2016:11:21-09:01:17 cga-fw ulogd[26883]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="110.188.225.222" dstip="XXX.XXX.XXX.XXX" proto="17" length="68" tos="0x00" prec="0x00" ttl="120" srcport="38912" dstport="1112"
2016:11:21-09:01:17 cga-fw ulogd[26883]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="00:e0:fc:51:5b:74" dstmac="00:1a:8c:18:6a:4b" srcip="110.188.225.222" dstip="XXX.XXX.XXX.XXX" proto="17" length="68" tos="0x00" prec="0x00" ttl="120" srcport="38912" dstport="1112"



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to leonidas saldanha

    Classic DDoS.  The srcmac is the same because it's the MAC of the last-hop router in front of you.  I don't think the UTM is overloaded, it's just that the attacker is filling your pipe.  I guess the quickest thing you can do is put a different IP.  Is your ISP able to stop the DDoS in their network?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML