For several hours now, amprgw has been seeing a storm of traceroutes from hundreds of different source addresses. It looks like a botnet has been activated to probe net 44 using short-TTL packets like traceroute.
In reaction to this, I've temporarily set the gateway to discard any packet with a TTL of less than 30. (The TTL is decremented by one when the packet is forwarded; normally, of course, only packets with a TTL value of zero are discarded.)
This will not affect normal traffic, most of which has TTL values in the 40 to 64 range, but will throw away the short TTL packets used by traceroute.
If you have problems with some site suddenly timing out instead of its normal reachability, let me know and I'll re-enable the normal TTL processing. In that case, we'll have to find some other way to cope with the storm of traceroutes.
- Brian
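The TTL floor described in the message above, sketched as an added example; it is not part of the original post and is not the gateway's own code. It assumes the threshold is compared against the TTL as the packet arrives; the function names, the "several distinct low TTLs per source" heuristic and the sample packets are all constructed for illustration.

```python
import struct
from collections import defaultdict

MIN_TTL = 30  # threshold from the post: packets below it are discarded

def parse_ipv4(pkt: bytes):
    """Return (src, ttl) from a raw IPv4 header, or None if it is malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) < 5:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    return src, pkt[8]  # byte 8 of the IPv4 header is the TTL

def classify(packets, min_ttl=MIN_TTL):
    """Apply the TTL floor; return (forwarded count, {src: sorted dropped TTLs})."""
    forwarded, dropped = 0, defaultdict(set)
    for pkt in packets:
        hdr = parse_ipv4(pkt)
        if hdr is None:
            continue  # not a usable IPv4 header, ignored in this sketch
        src, ttl = hdr
        if ttl >= min_ttl:
            forwarded += 1
        else:
            dropped[src].add(ttl)
    return forwarded, {s: sorted(t) for s, t in dropped.items()}

def probe_like(dropped, min_distinct=3):
    """Sources whose dropped packets sweep several distinct TTLs, as traceroute does."""
    return sorted(s for s, ttls in dropped.items() if len(ttls) >= min_distinct)

def make_pkt(src, dst, ttl):
    """Build a constructed 20-byte IPv4 header (checksum left at zero)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, ttl, 17, 0) + addr(src) + addr(dst)

# Constructed sample: documentation-range sources, made-up net 44 destination.
SAMPLE = (
    [make_pkt("198.51.100.7", "44.1.2.3", t) for t in (3, 4, 5, 6)]
    + [make_pkt("203.0.113.9", "44.1.2.3", t) for t in (12, 13, 14)]
    + [make_pkt("192.0.2.20", "44.1.2.3", 52), make_pkt("192.0.2.21", "44.1.2.3", 29),
       make_pkt("192.0.2.22", "44.1.2.3", 30)]
)

if __name__ == "__main__":
    fwd, dropped = classify(SAMPLE)
    print("forwarded:", fwd)
    print("dropped TTLs by source:", dropped, "probe-like:", probe_like(dropped))
```

The lone packet arriving with TTL 29 is dropped but not flagged as probe-like, which is the kind of collateral loss the message asks people to report.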
Could you add the line showing how the log sees that kind of probe?
What about the statistics?
Is this storm what is now seen as an increment in the noise from 15mb/s to about 35MB/s?
Regards
Ronen 4Z4ZQ