binford6100
Welcome My Son...To The Machine
Premium
join:2003-01-09
Pewaukee, WI

IP Subnet Broadcast Amplification???

I'm currently on a static IP package, with the Cayman 3546 router. Earlier this week I found that my internet connection was down and appeared to be for some time. After several hours of checking settings and restarting the gateway the connection finally came back.

Since then, I've come home every day to find my connection down, requiring a restart of the cayman to get it started again. The home status screen shows "bad username or password..."

In checking the security logs, I've been finding these messages (I've removed the destination address for obvious reasons)

Security alert type : IP Subnet Broadcast Amplification
IP source address : 66.132.228.98
IP destination address : xx.xx.xx.xx --- my subnet broadcast address
Number of attempts : 1
Time at last attempt : 00:01:34
IP broadcast address : 68.74.96.1

Security alert type : IP Subnet Broadcast Amplification
IP source address : 68.86.155.150
IP destination address : xx.xx.xx.xx --- my subnet broadcast address
Number of attempts : 1
Time at last attempt : 00:04:32
IP broadcast address : 68.74.96.1

Security alert type : IP Subnet Broadcast Amplification
IP source address : 68.75.175.232
IP destination address : xx.xx.xx.xx --- my subnet broadcast address
Number of attempts : 3
Time at last attempt : 00:26:17
IP broadcast address : 68.74.96.1

Security alert type : IP Subnet Broadcast Amplification
IP source address : 68.237.192.183
IP destination address : xx.xx.xx.xx --- my subnet broadcast address
Number of attempts : 1
Time at last attempt : 00:26:31
IP broadcast address : 68.74.96.1

Security alert type : IP Subnet Broadcast Amplification
IP source address : 68.49.20.114
IP destination address : xx.xx.xx.xx --- my subnet broadcast address
Number of attempts : 1
Time at last attempt : 00:28:54
IP broadcast address : 68.74.96.1

Any ideas what is going on here? Any help is greatly appreciated...

RadioDoc
58ef2c0
Premium,ExMod 2000-03
join:2000-05-11
·AT&T Midwest

That could be a "smurf" attack attempt either inbound or outbound. See »www.iss.net/security_center/advi···ault.htm and »Security alert type : IP Subnet Broadcast Amplific,
»www.sans.org/dosstep/ and »Network compromised

It may be a good idea to scan your systems for evidence of any trojans or worms.
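
Added example, not part of the original thread or the router's software: Python that parses security-log entries in the format quoted in the first post and totals attempts per logged source against the directed broadcast address of a static block. The addresses, the 203.0.113.0/29 block and the function names are constructed for illustration, and the destination field is assumed to be unredacted. In a smurf attempt the logged source is normally spoofed, so it points at the intended victim of the replies rather than the sender.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the first post. All addresses
# are documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
Security alert type : IP Subnet Broadcast Amplification
IP source address : 198.51.100.7
IP destination address : 203.0.113.7
Number of attempts : 1
Time at last attempt : 00:01:34
IP broadcast address : 203.0.113.1

Security alert type : IP Subnet Broadcast Amplification
IP source address : 198.51.100.9
IP destination address : 203.0.113.7
Number of attempts : 3
Time at last attempt : 00:26:17
IP broadcast address : 203.0.113.1

Security alert type : IP Subnet Broadcast Amplification
IP source address : 198.51.100.7
IP destination address : 203.0.113.5
Number of attempts : 2
Time at last attempt : 00:28:54
IP broadcast address : 203.0.113.1
"""

FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.+?)\s*$")  # "key : value", split at first colon
ALERT = "IP Subnet Broadcast Amplification"

def parse_alerts(text):
    """Return one dict per blank-line-separated alert entry."""
    blocks = re.split(r"\n\s*\n", text.strip())
    parsed = ({m.group(1): m.group(2)
               for m in map(FIELD.match, b.splitlines()) if m} for b in blocks)
    return [entry for entry in parsed if entry]

def summarize(alerts, static_block):
    """Attempts per logged source that hit static_block's directed broadcast."""
    bcast = ipaddress.ip_network(static_block).broadcast_address
    totals = defaultdict(int)
    for a in alerts:
        # Drop a trailing "--- note" annotation such as the one in the post.
        dst = a.get("IP destination address", "").split("---")[0].strip()
        if a.get("Security alert type") == ALERT and ipaddress.ip_address(dst) == bcast:
            totals[a["IP source address"]] += int(a["Number of attempts"])
    return dict(totals)
```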


binford6100
Welcome My Son...To The Machine
Premium
join:2003-01-09
Pewaukee, WI

reply to binford6100
I did check all of the computers on my local LAN and all of them showed "clean" for viruses and spyware. Just to be safe, I disconnected the Cayman router's LAN connection but left the WAN connected. Same thing...

Is there a way to simply shut off the security checking and let the Netscreen firewall do its job?

Ken

RadioDoc
58ef2c0
Premium,ExMod 2000-03
join:2000-05-11
reply to binford6100
There should be a way to turn off the firewall features of the 3546. I have no idea how to do that though. If you've got a separate firewall it is probably the way to go.


binford6100
Welcome My Son...To The Machine
Premium
join:2003-01-09
Pewaukee, WI

reply to binford6100
Thanks for the quick reply!

Since the Cayman is configured as a bridge, the firewall settings have no effect. Just to test that theory, I set the firewall to "lanlocked" which should eliminate any connectivity whatsoever from the WAN interface. Made no difference. The problem seems to stem from the Cayman logs filling up until that device goes defunct. If I could disable the logging on the Cayman I'd probably be OK. I'm fairly confident in the Netscreen 5GT firewall.

RadioDoc
58ef2c0
Premium,ExMod 2000-03
join:2000-05-11
·AT&T Midwest

Well I tracked down the COS docs and it doesn't look like there is an easy way to turn the "security log" off. It has a capacity of 100 entries and the unit is just supposed to ignore additional ones and not crash your PPP session. That's an old Linksys trick...

Methinks we need someone who knows this box a little better to chip in here.


binford6100
Welcome My Son...To The Machine
Premium
join:2003-01-09
Pewaukee, WI

1 edit
reply to binford6100
Just for grins, I sent an email to Netopia/Cayman tech support asking about this issue. I'm guessing that there isn't a way to do this but maybe I'm wrong - it's been known to happen.

RadioDoc
58ef2c0
Premium,ExMod 2000-03
join:2000-05-11
I wonder if there is some way to set up an external logging agent to catch these and dump them rather than letting them pile up in there.

Well, good luck. If you find out anything let us know. You can't be the only one having this problem.

trader22
Premium
join:2003-11-12
Nashotah, WI


1 edit
reply to binford6100
If you're truly in bridge mode, I'm surprised the cayman would even decode the pppoe to recognise the IPs of the incoming packets. I ran the 3546 in bridge mode for almost 2 months with static IPs and never had the problem, even though there were lots of connection attempts on the broadcast address of my static IP range (SBC obviously doesn't filter broadcast at its routers). I've since switched to a Westell 2200.

I wonder if you have the cayman configured for remote administrative access, and that's why it's even registering IP addresses. The cayman will still respond to its assigned (normally local) IP address even in bridge mode, for configuration. If you're allowing remote (across the internet) administration maybe try turning it off.

Otherwise, if you're really in bridge mode, this is very strange.

Edit: And, if you're really in bridge mode, make sure the IP address you have assigned to the cayman is not within your SBC assigned IP block. Ideally, cayman recommends just leaving it at the default 192.168.1.254.


davidg
Good Bye My Friend
Premium,MVM
join:2002-06-15
none
clubs:


1 edit
reply to binford6100
to cut down on the logging, browse into the cayman, go to configure, advanced, systems and set the logging level to failures. this will then only log DSL failures, not all data.

next, under configure, WAN, wan ip interface, advanced turn off RIP if you do not use it.

do the same under configure, LAN, advanced.

lastly, to stop the bad username/password see »Cayman Routers »My Cayman keeps reporting Bad UserName/Password

do not forget to save and restart after making your changes!

i really think your problem is either a line problem or a virus of some kind that is causing the restart, not the logging. i have never seen a cayman lock up when the log gets full, it just overwrites the old stuff.

what version Firmware are you running? it should be 6.4.0R2


binford6100
Welcome My Son...To The Machine
Premium
join:2003-01-09
Pewaukee, WI

reply to trader22
Originally, I configured the Cayman using the instructions found on Netopia/Cayman web site:

»www.netopia.com/support/technote···020.html

Configured in this manner, it doesn't work. I then called SBC and after several hours of being passed from tech to tech, I finally found someone who at least understood what I was trying to do.

He had me config the LAN IP as the gateway address for my static block of assigned addresses. When I questioned him about this, he told me "this is how we do things in Ameritech country".

I have setup the same model Cayman routers in bridging mode for this very same purpose as a routine in my "day job" but never specifically for SBC, it's always been for Southwest Bell or one of the others. In all of those cases, using the instructions found on Netopia's web site worked like a charm with none of the side effects I've described.

One more note: the Cayman has been upgraded to the latest COS version, 6.40R2.

If there are instructions available for configuring the cayman for use specifically with SBC, I'd be grateful to anyone who can point me in that direction.

Thanks,

Ken


davidg
Good Bye My Friend
Premium,MVM
join:2002-06-15
none
clubs:

reply to binford6100
i gather you are on pppoe/a, see either »Cayman Routers »[SBC] How do you Configure a Cayman with Static IP's? (PPPoE) or »Cayman Routers »[BellSouth] How do I configure my Cayman for 5 Static IPs? either one should work, depending on how you want to setup the cayman.


binford6100
Welcome My Son...To The Machine
Premium
join:2003-01-09
Pewaukee, WI

reply to binford6100
I just found these instructions as I was browsing the Cayman forum on this site.

Am I correct in assuming that the document is still valid?

»/r0/down···SNET.zip


binford6100
Welcome My Son...To The Machine
Premium
join:2003-01-09
Pewaukee, WI
reply to binford6100
One more question...

Once I configure the Cayman as directed in the above mentioned document, will I need to setup the Netscreen to handle the PPPoE??


davidg
Good Bye My Friend
Premium,MVM
join:2002-06-15
none
clubs:
if you set the cayman to true bridged mode, then yes the netscreen would have to handle all pppoe. or you could set it to use pppoe and ipmaps or true statics and point those to the netscreen's WAN.

trader22
Premium
join:2003-11-12
Nashotah, WI


1 edit
reply to binford6100
said by binford6100:
Originally, I configured the Cayman using the instructions found on Netopia/Cayman web site:

»www.netopia.com/support/technote···020.html

Configured in this manner, it doesn't work.

This is exactly what I did, and it worked fine here. But, as mentioned above, your router (behind the cayman) has to do the pppoe dance. Ameritech statics are different from SW Bell statics in that they use pppoe in Ameritech land. The cayman is bridging pppoe. Setting your cayman IP to your static IP gateway (or any IP in your static IP range) will create any number of problems. Follow the tech note recommendations for the cayman IP.


binford6100
Welcome My Son...To The Machine
Premium
join:2003-01-09
Pewaukee, WI

reply to binford6100
First, let me say thank you to everyone who made suggestions and offered ideas regarding what might be wrong with my setup. Each one seemed to bring me one step closer to figuring this thing out...

To that end, I did finally get this resolved!!! The instructions that I found here were the secret to getting the Cayman configured correctly. Once again, the good people here at BBR came to the rescue.

I'd like to extend my sincerest thanks to everyone for their helpful suggestions and ideas. This forum and the top-notch support that can be found here are the reason I'm still an SBC customer!

Sincerely,

Ken