SnapGear 550 and Strange Messages: DoS Attack?

FOBSIDE

Platinum Member
Mar 16, 2000
Our SnapGear firewall at work has been getting lots and lots of messages in the log file that I'm not sure how to interpret. My guess is that we're just getting pounded by something/someone.

I'm going to paste pieces of the code and if anyone can help me figure it out and a possible solution, that would be great.

The first set of messages...we get about 100 of these in a row:

Oct 30 09:28:43 klogd: NET: 78 messages suppressed.
Oct 30 09:28:43 klogd: dst cache overflow
Oct 30 09:28:48 klogd: NET: 66 messages suppressed.
Oct 30 09:28:48 klogd: dst cache overflow
Oct 30 09:28:53 klogd: NET: 71 messages suppressed.
Oct 30 09:28:53 klogd: dst cache overflow

Then we will get these once in a while:

Oct 30 09:36:26 klogd: Flood - dropped: IN=eth1 OUT= MAC=00:D0:cf:02:04:11:00:00:c5:93:22:90:08:00 SRC=64.254.230.138 DST=<our IP> LEN=48 TOS=0x10 PREC=0x00 TTL=114 ID=39693 DF PROTO=TCP SPT=1367 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 30 09:36:26 klogd: Flood - dropped: IN=eth1 OUT= MAC=00:D0:cf:02:04:11:00:00:c5:93:22:90:08:00 SRC=64.254.230.138 DST=<our IP> LEN=48 TOS=0x10 PREC=0x00 TTL=114 ID=39949 DF PROTO=TCP SPT=1368 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 30 09:38:39 klogd: Default - dropped: IN=eth1 OUT= MAC=00:D0:cf:02:04:11:00:00:c5:93:22:90:08:00 SRC=80.61.64.131 DST=<our IP> LEN=78 TOS=0x10 PREC=0x00 TTL=113 ID=24376 PROTO=UDP SPT=32860 DPT=137 LEN=58

The IPs that are hitting us change. There was a washington.edu IP, then a couple different ISP IP addresses. Anyone know what's going on here? Any help would be greatly appreciated.
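The three kinds of line in the excerpt above are easier to reason about once they are split apart: the "NET: N messages suppressed" lines are the kernel rate-limiting its own output, "dst cache overflow" is a routing-cache condition, and the "Flood - dropped" / "Default - dropped" lines are netfilter log entries with key=value fields. The following is an added example, not code from the original post, that parses lines in that format and tallies rate-limited messages, overflow events, and drops per source address, protocol and destination port; the sample lines are constructed in the same layout as the post's excerpt, with the public addresses replaced by documentation ranges.

```python
import re
from collections import Counter

# Constructed sample lines in the same format as the SnapGear log excerpts in the
# post. Public addresses are replaced with documentation ranges (RFC 5737).
SAMPLE_LOG = """\
Oct 30 09:28:43 klogd: NET: 78 messages suppressed.
Oct 30 09:28:43 klogd: dst cache overflow
Oct 30 09:28:48 klogd: NET: 66 messages suppressed.
Oct 30 09:28:48 klogd: dst cache overflow
Oct 30 09:36:26 klogd: Flood - dropped: IN=eth1 OUT= MAC=00:d0:cf:02:04:11:00:00:c5:93:22:90:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x10 PREC=0x00 TTL=114 ID=39693 DF PROTO=TCP SPT=1367 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 30 09:36:26 klogd: Flood - dropped: IN=eth1 OUT= MAC=00:d0:cf:02:04:11:00:00:c5:93:22:90:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x10 PREC=0x00 TTL=114 ID=39949 DF PROTO=TCP SPT=1368 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 30 09:38:39 klogd: Default - dropped: IN=eth1 OUT= MAC=00:d0:cf:02:04:11:00:00:c5:93:22:90:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=78 TOS=0x10 PREC=0x00 TTL=113 ID=24376 PROTO=UDP SPT=32860 DPT=137 LEN=58
"""

DROP_RE = re.compile(r"klogd: (?P<rule>\w+) - dropped: (?P<fields>.*)$")
SUPPRESSED_RE = re.compile(r"NET: (?P<n>\d+) messages suppressed")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_drop(line):
    """Parse one '<rule> - dropped:' line into a dict, or return None for other lines."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    fields = m.group("fields")
    # A repeated key (LEN appears twice on UDP lines: IP length, then UDP length)
    # keeps the last value; the IP header length is the first one.
    kv = dict(KV_RE.findall(fields))
    # Bare tokens without '=' are flags such as DF or SYN.
    flags = [tok for tok in fields.split() if "=" not in tok]
    return {
        "rule": m.group("rule"),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "spt": kv.get("SPT"),
        "dpt": kv.get("DPT"),
        "flags": flags,
    }


def summarize(log_text):
    """Summarise an excerpt: rate-limit counters, overflow events, and drops per source."""
    suppressed_total = 0
    overflow_count = 0
    drops = []
    for line in log_text.splitlines():
        m = SUPPRESSED_RE.search(line)
        if m:
            suppressed_total += int(m.group("n"))
            continue
        if "dst cache overflow" in line:
            overflow_count += 1
            continue
        drop = parse_drop(line)
        if drop:
            drops.append(drop)
    # Who is hitting which service: count drops by (source, protocol, destination port).
    by_src = Counter((d["src"], d["proto"], d["dpt"]) for d in drops)
    # Sources that tripped the Flood rule with SYN packets, i.e. connection-attempt bursts.
    syn_floods = Counter(d["src"] for d in drops
                         if d["rule"] == "Flood" and "SYN" in d["flags"])
    return {
        "suppressed_total": suppressed_total,
        "overflow_count": overflow_count,
        "drops": drops,
        "by_src": by_src,
        "syn_floods": syn_floods,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("rate-limited kernel messages:", report["suppressed_total"])
    print("dst cache overflow events:", report["overflow_count"])
    for (src, proto, dpt), n in report["by_src"].most_common():
        print(f"{n:4d}  {src} -> {proto}/{dpt}")
```

Run over a real log, the `by_src` table separates a single source repeatedly tripping the Flood rule (the two SYN lines above) from the background noise of unrelated hosts probing one port each (the UDP/137 NetBIOS name-service line), which is the distinction the poster is trying to make.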
 

mboy

Diamond Member
Jul 29, 2001
Since I now have the SME 550 and have gotten into it, I might be able to help.

Looks like these:
Oct 30 09:28:43 klogd: NET: 78 messages suppressed.
Oct 30 09:28:43 klogd: dst cache overflow
Oct 30 09:28:48 klogd: NET: 66 messages suppressed.
Oct 30 09:28:48 klogd: dst cache overflow
Oct 30 09:28:53 klogd: NET: 71 messages suppressed.
Oct 30 09:28:53 klogd: dst cache overflow

are from someone on your network overloading the NAT table (peer-to-peer most likely).
Out of the box, the SnapGears only support 1024 concurrent connections.
However, they can be configured to allow up to 20,000 concurrent connections. I upped mine to 6,000.

You need to do a few things (taken from their knowledge base):

Firstly, establish a telnet connection to the unit and login. At the command prompt, type:

cp /dev/tty /etc/config/conntrack_max

Now enter the new maximum, eg.

4096

... then hit control-d to finish editing the file. Save your changes to FLASH by typing:

sync

Next, point your browser to the SnapGear's internal address to display the web management console.

Select Rules under the Firewall section, and enter the following Custom Firewall Rule in addition to built in rules.

cp /etc/config/conntrack_max /proc/sys/net/ipv4/ip_conntrack_max

Finally, reboot to apply the new maximum.

Unless you are running a large number of VPN sessions, it should be safe to set the new maximum to anything up to 20,000 or so. However, it is advisable to be more conservative with this number on LITE and LITE+ models.
I am pretty positive this will help.
The other logs look like some peer to peer stuff (others hitting your IP looking for stuff, etc)

Let me know how you make out.
BTW, this snapgear is AWESOME, especially for what it costs compared to the comp.
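Before raising the limit, it helps to confirm that the table really is filling up and to find which internal host is holding the entries, since the fix above treats the symptom rather than the source. The following is an added example, not code from the post or from SnapGear, that does that check: it counts entries in a conntrack table dump per originating host, compares the total with the configured maximum, and bounds-checks a proposed new `conntrack_max` using the two numbers quoted above (1024 out of the box, roughly 20,000 as the ceiling). It assumes the 2.4-kernel `/proc/net/ip_conntrack` layout, where the first `src=`/`dst=` pair on each line is the original direction of the connection; the sample dump is constructed, and the `diagnose`, `table_usage` and `validate_conntrack_max` names are this example's own.

```python
import re
from collections import Counter

# Limits quoted in the thread: the out-of-the-box maximum and the suggested ceiling.
CONNTRACK_DEFAULT = 1024
CONNTRACK_CEILING = 20000

# Constructed sample in the style of a 2.4-kernel /proc/net/ip_conntrack dump
# (assumption: the SnapGear firmware exposes the same layout). The first src=/dst=
# pair on each line is the original direction, i.e. the internal host that opened it.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.0.12 dst=198.51.100.7 sport=2345 dport=6881 src=198.51.100.7 dst=203.0.113.10 sport=6881 dport=2345 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.0.12 dst=198.51.100.8 sport=2346 dport=6881 src=198.51.100.8 dst=203.0.113.10 sport=6881 dport=2346 [ASSURED] use=1
udp      17 28 src=192.168.0.12 dst=198.51.100.9 sport=6881 dport=6881 src=198.51.100.9 dst=203.0.113.10 sport=6881 dport=6881 use=1
tcp      6 119 TIME_WAIT src=192.168.0.12 dst=198.51.100.10 sport=2347 dport=6881 src=198.51.100.10 dst=203.0.113.10 sport=6881 dport=2347 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.0.5 dst=192.0.2.80 sport=1100 dport=80 src=192.0.2.80 dst=203.0.113.10 sport=80 dport=1100 [ASSURED] use=1
"""

# \b keeps this from matching 'sport='; search() returns the first src=, the originator.
ORIG_SRC_RE = re.compile(r"\bsrc=(\S+)")


def entries_by_internal_host(conntrack_text):
    """Count conntrack entries per originating (internal) host."""
    hosts = Counter()
    for line in conntrack_text.splitlines():
        m = ORIG_SRC_RE.search(line)
        if m:
            hosts[m.group(1)] += 1
    return hosts


def table_usage(conntrack_text, conntrack_max):
    """Return (entries, fraction_of_max); one non-empty line is one tracked connection."""
    entries = sum(1 for line in conntrack_text.splitlines() if line.strip())
    return entries, entries / conntrack_max


def validate_conntrack_max(value):
    """Sanity-check a proposed conntrack_max before writing it to the config file.

    Bounds are the numbers quoted in the thread; refusing values below the
    default is this example's own choice, since lowering it only makes the
    overflow worse.
    """
    n = int(str(value).strip())
    if not CONNTRACK_DEFAULT <= n <= CONNTRACK_CEILING:
        raise ValueError(f"conntrack_max {n} outside {CONNTRACK_DEFAULT}..{CONNTRACK_CEILING}")
    return n


def diagnose(conntrack_text, conntrack_max, warn_fraction=0.9, top_n=3):
    """Flag a nearly full table and name the hosts holding the most entries."""
    entries, fraction = table_usage(conntrack_text, conntrack_max)
    return {
        "entries": entries,
        "max": conntrack_max,
        "nearly_full": fraction >= warn_fraction,
        "top_hosts": entries_by_internal_host(conntrack_text).most_common(top_n),
    }


if __name__ == "__main__":
    # On the unit itself the dump would be read from /proc/net/ip_conntrack and the
    # limit from /proc/sys/net/ipv4/ip_conntrack_max (the path used in the thread).
    result = diagnose(SAMPLE_CONNTRACK, CONNTRACK_DEFAULT)
    print(f"{result['entries']} of {result['max']} entries in use")
    for host, n in result["top_hosts"]:
        print(f"{n:5d}  {host}")
```

In the constructed dump one host holds four entries to port 6881 on four different peers, the pattern a file-sharing client leaves behind, while the other host has a single web connection; that is the host to look at before deciding how far to raise the limit.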