Understanding SuSEfirewall2 logging

Hi, I receive a lot of log messages like the one below. I guess this regards some Microsoft robot, which is passed through, but cannot reach apache properly on my SuSE 11.2 server and it won’t give up.

Jan 28 06:45:33 xxxx kernel: [370019.686176] SFW2-INext-ACC-TCP IN=eth2 OUT= MAC=00:0c:f1:c7:39:3c:00:50:7f:c0:43:88:08:00 SRC=65.55.216.33 DST=192.168.1.17 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=11944 DF PROTO=TCP SPT=20098 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204057A01010402)

The log level is “Log only critical” and the messages disappear if I switch off logging for accepted packets.
Could somebody please help me to understand why the firewall is assuming these packets are critical? My apache2 server is otherwise working properly.

Thanks in advance for your answer
Zbyszek

Get your list of iptables rules:

sudo /sbin/iptables-save

Post the output here and we’ll see the specific rule that actually does
the logging.

Good luck.

zlisiecki wrote:
> Hi, I receive a lot of log messages like the one below. I guess this
> regards some Microsoft robot, which is passed through, but cannot reach
> apache properly on my SuSE 11.2 server and it won’t give up.
>
> Jan 28 06:45:33 xxxx kernel: [370019.686176] SFW2-INext-ACC-TCP IN=eth2
> OUT= MAC=00:0c:f1:c7:39:3c:00:50:7f:c0:43:88:08:00 SRC=65.55.216.33
> DST=192.168.1.17 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=11944 DF PROTO=TCP
> SPT=20098 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT
> (0204057A01010402)
>
> The log level is “Log only critical” and the messages disappear if I
> switch off logging for accepted packets.
> Could somebody please help me to understand why the firewall is
> assuming these packets are critical ? My apache2 server is otherwise
> working properly.
>
> Thanks in advance for your answer
> Zbyszek
>
>

Hi
Isn’t that the Microsoft bot that is DDoSing everyone, ab?

this may help…
http://www.bing.com/community/blogs/webmaster/archive/2009/08/10/crawl-delay-and-the-bing-crawler-msnbot.aspx


Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.27.42-0.1-default
up 13 days 8:09, 6 users, load average: 0.02, 0.07, 0.08
GPU GeForce 8600 GTS Silent - CUDA Driver Version: 190.18

Good catch… it doesn’t fall into the range of a similar story on
slashdot ten days ago but it looks the same otherwise:

http://blogs.perl.org/users/cpan_testers/2010/01/msnbot-must-die.html

The box definitely belongs to Microsoft:

<quote>
ab@mybox0:~/Desktop> dig -x 65.55.216.33

; <<>> DiG 9.5.0-P2 <<>> -x 65.55.216.33
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55370
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;33.216.55.65.in-addr.arpa. IN PTR

;; ANSWER SECTION:
33.216.55.65.in-addr.arpa. 3600 IN PTR
msnbot-65-55-216-33.search.msn.com.

;; AUTHORITY SECTION:
55.65.in-addr.arpa. 36043 IN NS NS2.MSFT.NET.
55.65.in-addr.arpa. 36043 IN NS NS3.MSFT.NET.
55.65.in-addr.arpa. 36043 IN NS NS4.MSFT.NET.
55.65.in-addr.arpa. 36043 IN NS NS5.MSFT.NET.
55.65.in-addr.arpa. 36043 IN NS NS1.MSFT.NET.

;; ADDITIONAL SECTION:
NS1.MSFT.NET. 121893 IN A 65.55.37.62
NS2.MSFT.NET. 108 IN A 64.4.59.173
NS3.MSFT.NET. 121893 IN A 213.199.161.77
NS4.MSFT.NET. 121893 IN A 207.46.75.254
NS5.MSFT.NET. 3297 IN A 65.55.226.140

;; Query time: 38 msec
;; SERVER: 137.65.1.2#53(137.65.1.2)
;; WHEN: Thu Jan 28 14:56:48 2010
;; MSG SIZE rcvd: 269
</quote>

I guess I was a bit too focused on the symptom rather than the problem.
Time to block another poorly-configured range of IP addresses.

Good luck.

malcolmlewis wrote:
> Hi
> Isn’t that the Microsoft bot that is DDOSing everyone ab?
>
> this may help…
> http://www.bing.com/community/blogs/webmaster/archive/2009/08/10/crawl-delay-and-the-bing-crawler-msnbot.aspx
>

Hi, here are the rules. Surely it’s a Microsoft robot.

# Generated by iptables-save v1.4.4 on Fri Jan 29 00:44:11 2010
*raw
:PREROUTING ACCEPT [2240581:751235777]
:OUTPUT ACCEPT [2145344:1968437535]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT

# Completed on Fri Jan 29 00:44:11 2010
# Generated by iptables-save v1.4.4 on Fri Jan 29 00:44:11 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:input_ext - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i eth2 -j input_ext
-A INPUT -i eth0 -j input_ext
-A INPUT -i eth1 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 80 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 443 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 53 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 53 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p udp -m udp --dport 514 -j ACCEPT
-A input_ext -p udp -m udp --dport 443 -j ACCEPT
-A input_ext -p udp -m udp --dport 53 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT

# Completed on Fri Jan 29 00:44:11 2010

Maybe just block that bot’s IP range until they teach it some manners?

Yes, I see, it’s limit 3/min which causes the logging, am I right?
Microsoft’s robot is too fast. The crawl-delay parameter in robots.txt is responsible.
But I set:
User-Agent: *
Crawl-delay: 30
Request-rate: 1/5

As shown in those links posted earlier, the bots do not respect the
robots.txt file, which is why they should be blocked completely until they
grow up.

Good luck.

zlisiecki wrote:
> Yes, I see, it’s limit 3/min which causes the logging, am I right?
> Microsoft’s robot is too fast. The crawl-delay parameter in robots.txt is
> responsible.
> But I set:
> User-Agent: *
> Crawl-delay: 30
> Request-rate: 1/5
>
>

OK, I could deny msnbot access, but now suddenly a lot of others appeared. This is a sample list over a 10-minute interval with the number of log-file lines for each:

194.146.217.118 8
89.229.94.74 4
77.253.217.58 4
87.206.61.211 2
83.15.0.194 2
95.169.190.182 1
84.10.213.138 1
66.249.67.132 1
65.55.106.186 1
62.243.224.179 1

Google and msnbot are 66.* and 65.*. Others seem to come from ISP users with dynamic IPs. I’d like to deny access to all IPs which violate my robots.txt settings. But do you often have such a situation too? Should I interpret this as some attack?
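An added example, not part of the thread, for producing the per-source tally above from the log instead of by hand. It reads SuSEfirewall2 kernel lines on stdin, keys them by log prefix, SRC and DPT, and sorts by count; a second function aggregates by /24 so a crawler range shows up even when every hit comes from a different host. The sample log lines are constructed here in the format of the line in the first post (addresses taken from the thread, timestamps and ports invented). Two caveats follow from the rule set posted earlier: each LOG rule carries `-m limit --limit 3/min`, so a prefix is sampled at most three times a minute across all sources and these counts are a floor, not a rate; and SFW2-INext-ACC-TCP is the prefix of the LOG rule that sits directly before the ACCEPT for the port, so those SYNs were accepted and Apache saw them.

```shell
#!/bin/sh
# Added example: tally SuSEfirewall2 log lines by prefix, source and port.
# Usage: grep SFW2- /var/log/messages | sfw2_summary
#        sfw2_summary </var/log/firewall
# Output: "<count> <prefix> <SRC> <DPT>", most frequent first.

sfw2_summary() {
    awk '
        /SFW2-/ {
            prefix = ""; src = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SFW2-/)     prefix = $i
                else if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (prefix != "" && src != "")
                count[prefix " " src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Same tally aggregated to /24, so a bot range (msnbot lives in 65.55.0.0/16)
# stands out even when each request comes from a different address.
sfw2_summary_by_net() {
    awk '
        /SFW2-/ {
            src = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            if (split(src, o, ".") == 4) count[o[1] "." o[2] "." o[3] ".0/24"]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample (same layout as the first post; the last line is a
# non-firewall kernel message and must be ignored by the tally).
SAMPLE_LOG='Jan 28 06:45:33 host kernel: [370019.686176] SFW2-INext-ACC-TCP IN=eth2 OUT= MAC=00:0c:f1:c7:39:3c:00:50:7f:c0:43:88:08:00 SRC=65.55.216.33 DST=192.168.1.17 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=11944 DF PROTO=TCP SPT=20098 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204057A01010402)
Jan 28 06:45:51 host kernel: [370037.102334] SFW2-INext-ACC-TCP IN=eth2 OUT= MAC=00:0c:f1:c7:39:3c:00:50:7f:c0:43:88:08:00 SRC=65.55.216.33 DST=192.168.1.17 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=11950 DF PROTO=TCP SPT=20115 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204057A01010402)
Jan 28 06:46:12 host kernel: [370058.551902] SFW2-INext-ACC-TCP IN=eth2 OUT= MAC=00:0c:f1:c7:39:3c:00:50:7f:c0:43:88:08:00 SRC=65.55.216.33 DST=192.168.1.17 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=11961 DF PROTO=TCP SPT=20131 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204057A01010402)
Jan 28 06:46:40 host kernel: [370086.004511] SFW2-INext-ACC-TCP IN=eth2 OUT= MAC=00:0c:f1:c7:39:3c:00:50:7f:c0:43:88:08:00 SRC=66.249.67.132 DST=192.168.1.17 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3021 DF PROTO=TCP SPT=41234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0000000000000000)
Jan 28 06:47:02 host kernel: [370108.330087] SFW2-INext-DROP-DEFLT IN=eth2 OUT= MAC=00:0c:f1:c7:39:3c:00:50:7f:c0:43:88:08:00 SRC=194.146.217.118 DST=192.168.1.17 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=9920 DF PROTO=TCP SPT=3412 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jan 28 06:47:05 host kernel: eth2: link up, 100Mbps, full-duplex'

# Tally of the sample; the first line is
# "3 SFW2-INext-ACC-TCP 65.55.216.33 80".
sfw2_demo() {
    printf '%s\n' "$SAMPLE_LOG" | sfw2_summary
}

# Per-/24 tally of the sample; the first line is "3 65.55.216.0/24".
sfw2_demo_by_net() {
    printf '%s\n' "$SAMPLE_LOG" | sfw2_summary_by_net
}
```

Feed it the real log with `grep SFW2- /var/log/messages | sfw2_summary`; a source that tops the SFW2-INext-ACC-TCP list is one the web server is actually serving, so its access log (and the User-Agent there) is where to confirm whether it is a crawler or something else.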

If those addresses are “home” connections, they are probably malware infected zombies looking for websites to infect. Not much you can do about those.

Yes, I assume they are zombies. I’d like to change SuSE Firewall by adding lines like this one:

iptables -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

Is this OK? Do you know the proper way to do this? Just putting it in a bash script called after SuSE Firewall?

Is this some sort of smaller DDoS that I am experiencing?

There is I believe a place in SuSEfirewall2 for custom rules, but you’d have to read the comments, I use a separate firewall box so I don’t use SF2.

Be careful you don’t deny legitimate users while trying too hard to block zombies. Remember that each fetch of a page element like an icon image also counts as one connection, although HTTP/1.1 may reuse a connection.
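An added example, not from the thread, of the custom-rules hook mentioned above. SuSEfirewall2 sources the file named in FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2 (by default /etc/sysconfig/scripts/SuSEfirewall2-custom) and calls its functions at fixed points while building the rule set; fw_custom_before_port_handling runs before the per-port ACCEPT rules are added, so anything it inserts is evaluated first. The rule proposed two posts up would not do what is intended: the limit match matches while the rate is still *under* the limit, so `-m limit --limit 3/min -j DROP` drops the first three SYNs a minute and passes everything after them. The example below turns that around and keys the budget per source address with the hashlimit match, so one busy crawler or zombie is throttled on its own; SYNs within budget RETURN to the normal SuSEfirewall2 rules (which still decide whether port 80 is open and still log them as SFW2-INext-ACC-TCP), excess SYNs are logged at a capped rate and dropped. The chain name, the rate and burst values, the log prefix and the IPTABLES variable (set to `echo` for a dry run) are choices of this example; it assumes iptables 1.4.x with the hashlimit match, which the iptables-save output above shows is the version in use.

```shell
#!/bin/sh
# Added example: excerpt for /etc/sysconfig/scripts/SuSEfirewall2-custom.
# Enable with FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
# in /etc/sysconfig/SuSEfirewall2, then restart SuSEfirewall2.
# Dry run that prints the rules instead of loading them:
#   IPTABLES=echo sh -c '. ./SuSEfirewall2-custom; fw_custom_before_port_handling'

# Real binary by default; IPTABLES=echo turns every call into a printout.
IPTABLES="${IPTABLES:-iptables}"

# Per-source budget for new HTTP connections (values picked for this
# example). A browser fetching a page with a dozen images may open several
# connections at once, so keep the burst well above that.
HTTP_SYN_RATE="${HTTP_SYN_RATE:-30/min}"
HTTP_SYN_BURST="${HTTP_SYN_BURST:-40}"

fw_custom_before_port_handling() {
    # Dedicated chain so the rules stay together and can be inspected with
    # "iptables -L http_syn_limit -nv". SuSEfirewall2 removes user chains on
    # restart; the -F fallback covers a manual re-run.
    $IPTABLES -N http_syn_limit 2>/dev/null || $IPTABLES -F http_syn_limit

    # 1. Within budget for this source IP: return to the normal SuSEfirewall2
    #    rules, which accept (and log) the SYN exactly as before.
    $IPTABLES -A http_syn_limit \
        -m hashlimit --hashlimit-upto "$HTTP_SYN_RATE" \
        --hashlimit-burst "$HTTP_SYN_BURST" \
        --hashlimit-mode srcip --hashlimit-name http_syn \
        -j RETURN

    # 2. Over budget: log a sample (the limit is on the LOG rule only, so the
    #    log cannot flood) and then drop unconditionally. This is the order
    #    -m limit needs; putting the limit on the DROP would invert the logic.
    $IPTABLES -A http_syn_limit -m limit --limit 3/min \
        -j LOG --log-prefix "SFW2-CUSTOM-HTTP-SYN-DROP " \
        --log-tcp-options --log-ip-options
    $IPTABLES -A http_syn_limit -j DROP

    # 3. Send only new connection attempts from outside to the chain:
    #    --syn matches SYN without ACK, so established flows are untouched,
    #    and loopback is excluded so local tools are never throttled.
    $IPTABLES -I INPUT ! -i lo -p tcp --dport 80 --syn -j http_syn_limit

    true
}
```

Watch the counters on `http_syn_limit` for a day before lowering the budget: the DROP counter is the number of visitors (or bots) that hit the cap, and the SFW2-CUSTOM-HTTP-SYN-DROP lines name the sources, which can then be checked against the web server's access log before any permanent block is added.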