DDOS attacks from LAN side

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by kineotech, Jun 4, 2007.

  1. kineotech

    kineotech LI Guru Member


    Glad I found this forum -- it appears to be the place to go for Linksys issues ;)

    I installed an RVS4000 router at a customer site and it does appear to be working fine. I am, however, concerned about some log entries that are emailed to me several times a day. Based on the log entry (- hit KRIS_DDOS_TYPE) the IPS is reporting that the router is under DDOS attacks. I looked at the IPS report logs and it shows that the "attacks" are coming from LAN side computers. For example, here is a snippet from the IPS report:

    1	2007-06-04 09:47:59	DDOS_TYPE_UDP_FLOOD
    2	2007-06-04 09:31:15	DDOS_TYPE_ICMP_FLOOD
    3	2007-06-04 08:56:26	DDOS_TYPE_UDP_FLOOD
    4	2007-06-04 08:46:12	DDOS_TYPE_ICMP_FLOOD
    5	2007-06-04 08:33:49	DDOS_TYPE_UDP_FLOOD
    6	2007-06-04 08:01:56	DDOS_TYPE_ICMP_FLOOD
    7	2007-06-04 07:49:48	DDOS_TYPE_UDP_FLOOD
    8	2007-06-04 07:46:10	DoS MS-SQL Slammer Worm
    9	2007-06-04 07:39:48	DDOS_TYPE_ICMP_FLOOD
    10	2007-06-04 07:17:40	DDOS_TYPE_ICMP_FLOOD
    11	2007-06-04 07:05:10	DDOS_TYPE_UDP_FLOOD
    Since the PCs on the LAN side are not doing anything apparently suspicious (based on watching the LAN with Wireshark), I would like to know if there is a way to filter out DDOS alerts from the LAN side other than to turn off IPS. Has anyone else seen this happen on their router?

  2. firegate

    firegate LI Guru Member

    As there are many LAN IPs this problem occurs with, it is impossible that all of them are trying to hack :)
    There's another thing that could cause this: check your LAN PCs to make sure they are not infected with some type of virus; some viruses could cause such a problem.

    I wish this helps.
  3. net_eng

    net_eng Network Guru Member

    DDOS_TYPE_UDP_FLOOD - If you have Windows PCs behind your router, this message is probably the NetBIOS traffic (UDP 137-139). By default PCs (at least the ones I have seen) send out hundreds of these all the time, so it could be the router seeing a large amount and flagging it as DDOS.

    In terms of filtering it out, you might be able to (if you don't use it) put in access rules/firewall rules to deny the traffic and not log it, but I don't know if the RVS will still see the packets and flag them anyway even if blocked.

  4. kineotech

    kineotech LI Guru Member

    That's what I was thinking. All the UDP traffic I saw was NetBIOS and DNS (port 53) requests. I could try denying NetBIOS traffic, but I have to let the DNS traffic through. To me, I am more concerned about DDOS coming from the internet and not from within the LAN. It seems to me this should have been an option in the IPS settings.
  5. net_eng

    net_eng Network Guru Member

    Of course it depends on your requirements, but watching for DDOS etc. on the LAN side could be a good thing (if you could filter out the false alarms etc.).

    If one of the machines is infected with a worm/trojan/zombie software, the IPS might detect it (even if a signature doesn't exist for the specifics) if it sends out hundreds of requests or a denial of service to someone on the internet.

    The hard part is filtering the false alarms. This, by the way, is a similar issue with enterprise IDS/IPS systems, at least the ones I used. False alarms, or knowing what is good traffic, can be very difficult to identify without having the IDS trigger alerts. Some are better than others, so you are not the first to encounter this situation.

    Though, as you mentioned, an option to disable the IPS on the LAN side if you don't want or require it would be useful in your case.
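    The triage net_eng describes in posts 3 and 5 (separating routine NetBIOS/DNS chatter from a real flood or a worm fanning out to many hosts) can be done on a Wireshark export from the LAN side. The script below is an added example, not code from the thread or from Cisco/Linksys. It assumes packet summaries of the form (timestamp, src, dst, proto, dport), the "expected" port set {53, 137, 138, 139} from posts 3 and 4, and illustrative thresholds (100 pkt/s, 20 distinct destinations) that are assumptions, not RVS4000 values. The sample traffic is constructed inline, not a real capture.

```python
"""Triage LAN-side 'UDP/ICMP flood' alerts from per-packet summaries.

Added example (not from the forum thread or the RVS4000 firmware).
Input: an iterable of (ts_seconds, src_ip, dst_ip, proto, dport), the
fields one would export from a Wireshark/tshark capture of the LAN.
"""
from collections import defaultdict

# Ports whose steady chatter from Windows hosts is expected (posts 3 and 4).
EXPECTED_UDP_PORTS = {53, 137, 138, 139}
# Assumed thresholds for illustration; tune to the site.
FLOOD_PPS = 100.0      # sustained packets/s from one host on one port
FANOUT_DESTS = 20      # distinct targets on one port: scanning/worm pattern


def triage(packets, flood_pps=FLOOD_PPS, fanout_dests=FANOUT_DESTS):
    """Group packets by (src, proto, dport) and give each group a verdict.

    Order of checks matters: fan-out and rate are tested before the
    'expected port' exemption, so a genuine flood on udp/137 is still
    flagged rather than excused as NetBIOS noise.
    """
    groups = defaultdict(lambda: {"n": 0, "dsts": set(), "first": None, "last": None})
    for ts, src, dst, proto, dport in packets:
        g = groups[(src, proto, dport)]
        g["n"] += 1
        g["dsts"].add(dst)
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)

    verdicts = {}
    for key, g in groups.items():
        src, proto, dport = key
        span = max(g["last"] - g["first"], 1.0)  # at least 1 s, avoids div by zero
        pps = g["n"] / span
        ndst = len(g["dsts"])
        if ndst >= fanout_dests:
            verdicts[key] = "fan-out: %d distinct destinations (worm/scanner pattern)" % ndst
        elif pps >= flood_pps:
            verdicts[key] = "flood: %.0f pkt/s to %d destination(s)" % (pps, ndst)
        elif proto == "udp" and dport in EXPECTED_UDP_PORTS:
            verdicts[key] = "expected LAN chatter (udp/%d, %.1f pkt/s)" % (dport, pps)
        else:
            verdicts[key] = "low-rate, review manually (%.1f pkt/s)" % pps
    return verdicts


def sample_packets():
    """Constructed traffic for the demo; addresses are documentation ranges."""
    pkts = []
    # 1) A Windows PC broadcasting NetBIOS name queries: 300 packets over 60 s.
    for i in range(300):
        pkts.append((i * 0.2, "192.168.1.10", "192.168.1.255", "udp", 137))
    # 2) The same PC resolving names via the router: 120 DNS queries over 60 s.
    for i in range(120):
        pkts.append((i * 0.5, "192.168.1.10", "192.168.1.1", "udp", 53))
    # 3) A host spraying udp/1434 at 200 distinct Internet addresses in 2 s.
    for i in range(200):
        pkts.append((i * 0.01, "192.168.1.50", "203.0.113.%d" % (i + 1), "udp", 1434))
    # 4) A host sending 1000 ICMP echo requests to one target in 1 s.
    for i in range(1000):
        pkts.append((i * 0.001, "192.168.1.20", "198.51.100.7", "icmp", None))
    return pkts


if __name__ == "__main__":
    for (src, proto, dport), verdict in sorted(triage(sample_packets()).items()):
        port = "" if dport is None else "/%d" % dport
        print("%-14s %s%-6s %s" % (src, proto, port, verdict))
```

    On the constructed sample the two udp/137 and udp/53 groups come out as expected chatter (about 5 and 2 pkt/s to a single destination), the udp/1434 sprayer is reported as fan-out, and the ICMP sender as a flood. If the router's IPS could be fed a whitelist, the first two groups are what one would exempt; the last two are exactly what post 5 argues LAN-side inspection should keep catching.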
