Iptables – How to properly drop ICMP type 3 packets on possible DDoS attack

Tags: ddos, icmp, iptables, snort

Even after running

iptables -A INPUT -p icmp -m icmp --icmp-type 3 -j DROP

I keep getting ICMP type 3 code 13 packets on tcpdump. When I run tcpdump icmp, I get messages like:

19:41:31.923630 IP NAMESOURCE  > MY_NAME: ICMP net IP_SOURCE unreachable, length 76

My question is: how can I get rid of these packets?

Btw, I'm getting these packets from multiple sources, which leads me to think this might be some kind of (D)DoS. But I'm not sure which role I'm playing in this.

Also, snort keeps giving alerts:

[**] [1:485:4] ICMP Destination Unreachable Communication Administratively Prohibited [**]
[Classification: Misc activity] [Priority: 3] 
05/02-19:44:20.171298 SOURCE_IP -> MY_IP
ICMP TTL:238 TOS:0x0 ID:13584 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
MY_IP:47541 -> SOURCE_IP:8080
TCP TTL:47 TOS:0x0 ID:22750 IpLen:20 DgmLen:60 DF
Seq: 0x5EB7CF7A
** END OF DUMP

Best Answer

I'd hazard a guess (hard to be sure without more investigation) that someone is spoofing your IP as a source and you're getting the return traffic.

Remember that tcpdump examines the "wire" (i.e., BEFORE iptables), so you'll still see the traffic in tcpdump even if iptables is dropping the traffic.

You can't stop the packets coming to you (your provider needs to do that), all you can do is drop them to minimize the impact on your host.
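One way to check the spoofing hypothesis from the alerts themselves, as an added example that is not part of the question or the answer: an ICMP Destination Unreachable quotes the datagram that triggered it, so if the quoted datagram claims our IP as its source but we never sent such a flow, we are receiving backscatter from someone else's spoofed traffic. The sample alert text, the RFC 5737 addresses and the `sent_flows` record are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the snort full-alert layout shown in the question (placeholder addresses).
SAMPLE_ALERTS = """\
[**] [1:485:4] ICMP Destination Unreachable Communication Administratively Prohibited [**]
05/02-19:44:20.171298 203.0.113.7 -> 192.0.2.10
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
192.0.2.10:47541 -> 198.51.100.20:8080
TCP TTL:47 TOS:0x0 ID:22750 IpLen:20 DgmLen:60 DF
** END OF DUMP

[**] [1:485:4] ICMP Destination Unreachable Communication Administratively Prohibited [**]
05/02-19:44:21.000001 203.0.113.9 -> 192.0.2.10
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
192.0.2.10:47542 -> 198.51.100.20:8080
TCP TTL:47 TOS:0x0 ID:22751 IpLen:20 DgmLen:60 DF
** END OF DUMP
"""

def parse_alerts(text):
    """Split snort full-alert output into blocks and pull out the ICMP sender,
    the type/code, and the quoted original datagram's endpoints."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        hdr = re.search(r"^\S+ (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$", block, re.M)
        tc = re.search(r"Type:(?P<type>\d+)\s+Code:(?P<code>\d+)", block)
        orig = re.search(r"DUMP:\n(?P<osrc>[\d.]+):(?P<osport>\d+) -> (?P<odst>[\d.]+):(?P<odport>\d+)", block)
        if not (hdr and tc and orig):
            continue  # not a complete destination-unreachable alert; skip it
        alerts.append({"src": hdr["src"], "type": int(tc["type"]), "code": int(tc["code"]),
                       "osrc": orig["osrc"], "osport": int(orig["osport"]),
                       "odst": orig["odst"], "odport": int(orig["odport"])})
    return alerts

def find_backscatter(alerts, my_ip, sent_flows=frozenset()):
    """Keep type-3 alerts whose quoted datagram claims my_ip as source but is not a
    flow we actually sent (sent_flows: set of (src, sport, dst, dport) tuples)."""
    return [a for a in alerts if a["type"] == 3 and a["osrc"] == my_ip
            and (a["osrc"], a["osport"], a["odst"], a["odport"]) not in sent_flows]

def summarize(backscatter):
    """Count the routers reporting the errors and the (host, port) the spoofed traffic targeted."""
    return (Counter(a["src"] for a in backscatter),
            Counter((a["odst"], a["odport"]) for a in backscatter))
```

Many distinct reporting routers all quoting the same target host and port, none of which you ever contacted, is the pattern the answer describes; the drop rule still only limits the cost on your host.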