<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>For us on boot, we configure the systems init scripts to bring up br-ext and plug in the ethernet (or in our case bond) device into the external bridge. You should look at your specific distro for guidence here. Redhat based (RHEL/CentOS/Fedora) use: <a href="http://blog.oddbit.com/2014/05/20/fedora-and-ovs-bridge-interfac">http://blog.oddbit.com/2014/05/20/fedora-and-ovs-bridge-interfac</a>/
as a guide.</div>
<div><br>
</div>
<div>We do not assign any ip address to the interface attached to the bridge. If you assigned 0.0.0.0 netmask 0.0.0.0 you basically assigned every ip address in ipv4 to your interface, so anything that arps on your network for an ip address, you server is
going to respond say "hey that’s me".</div>
<div>
<div id="">
<div><font class="Apple-style-span" color="#000000"><font class="Apple-style-span" face="Calibri"><span class="Apple-style-span" style="font-size: 14px;">___________________________________________________________________</span></font></font></div>
<div><font class="Apple-style-span" color="#000000"><font class="Apple-style-span" face="Calibri"><span class="Apple-style-span" style="font-size: 14px;">Kris Lindgren</span></font></font></div>
<div><font class="Apple-style-span" color="#000000"><font class="Apple-style-span" face="Calibri"><span class="Apple-style-span" style="font-size: 14px;">Senior Linux Systems Engineer</span></font></font></div>
<div><font class="Apple-style-span" color="#000000"><font class="Apple-style-span" face="Calibri"><span class="Apple-style-span" style="font-size: 14px;">GoDaddy</span></font></font></div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>applyhhj<br>
<span style="font-weight:bold">Date: </span>Thursday, September 17, 2015 at 8:55 AM<br>
<span style="font-weight:bold">To: </span>openstack-operators<br>
<span style="font-weight:bold">Subject: </span>[Openstack-operators] Please help!!!!Openvswitch attacked by ICMP!!!!!!!<br>
</div>
<div><br>
</div>
<div xmlns:o="urn:schemas-microsoft-com:office:office"><style type="text/css"> <!--@import url(scrollbar.css); --></style><style> body{FONT-SIZE:12pt; FONT-FAMILY:宋体,serif;} </style>
<meta name="GENERATOR" content="MSHTML 8.00.7601.18969">
<base target="_blank"><style type="text/css"> <!--@import url(scrollbar.css); --></style><style> BLOCKQUOTE{margin-Top: 0px; margin-Bottom: 0px; margin-Left: 2em} body{FONT-SIZE:12.1pt; COLOR:#001; FONT-FAMILY:宋体,serif;} </style>
<meta name="GENERATOR" content="MSHTML 8.00.7601.18969">
<base target="_blank">
<div style="LINE-HEIGHT: 1.3; BORDER-RIGHT-WIDTH: 0px; MARGIN: 12px; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; BORDER-LEFT-WIDTH: 0px" marginheight="0" marginwidth="0">
<div><font size="2" face="Verdana"><span lang="EN-US"><font color="#000000"><font face="Calibri"><span lang="EN-US"><font size="3">Hi,<o:p></o:p></font></span></font></font></span></font></div>
<font size="2" face="Verdana"><font color="#000000"><font face="Calibri"></font></font></font>
<div><font size="2" face="Verdana"><font color="#000000"><font face="Calibri"></font></font>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><span lang="EN-US"><font size="3"><font color="#000000"><font face="Calibri">I followed The Guidance and tried to configure openvswitch(OVS) service. I first created a bridge br-ex and then added eth2 to the
bridge. After that I set the IP of eth2 to 0.0.0.0 and then reboot the system. However br-ex was not up when system launched. So I turned on br-ex manually and then restart the network, but br-ex could not get ip from dhcp server. Thus I used “dhclient br-ex”
to manually acquire IP. Well till then everything worked fine, but in the evening the Network Node was continuously attacked by ICMP package. Iptraf showed the following messages:<o:p></o:p></font></font></font></span></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><i style="mso-bidi-font-style: normal"><span lang="EN-US"><o:p><font color="#000000" size="3" face="Calibri"> </font></o:p></span></i></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><i style="mso-bidi-font-style: normal"><span lang="EN-US"><font size="3"><font color="#000000"><font face="Calibri">x ICMP time excd (56 bytes) from 4.69.143.125 to 166.111.61.xx on eth2<span style="mso-spacerun: yes">
</span><o:p></o:p></font></font></font></span></i></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><i style="mso-bidi-font-style: normal"><span lang="EN-US"><font size="3"><font color="#000000"><font face="Calibri">x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to 166.111.61.xxx on eth2<span style="mso-spacerun: yes">
</span><span style="mso-spacerun: yes"> </span><o:p></o:p></font></font></font></span></i></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><i style="mso-bidi-font-style: normal"><span lang="EN-US"><font size="3"><font color="#000000"><font face="Calibri">x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to 166.111.61.xx on eth2<span style="mso-spacerun: yes">
</span><o:p></o:p></font></font></font></span></i></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><i style="mso-bidi-font-style: normal"><span lang="EN-US"><font size="3"><font color="#000000"><font face="Calibri">x ICMP dest unrch (host) (100 bytes) from 59.66.96.226 to 166.111.61.xx on eth2<span style="mso-spacerun: yes">
</span><o:p></o:p></font></font></font></span></i></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><i style="mso-bidi-font-style: normal"><span lang="EN-US"><font size="3"><font color="#000000"><font face="Calibri">x ICMP time excd (56 bytes) from 4.69.143.125 to 166.111.61.xx on eth2<span style="mso-spacerun: yes">
</span><span style="mso-spacerun: yes"> </span><o:p></o:p></font></font></font></span></i></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><i style="mso-bidi-font-style: normal"><span lang="EN-US"><font size="3"><font color="#000000"><font face="Calibri">x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to 166.111.61.xxx on eth2<span style="mso-spacerun: yes">
</span><span style="mso-spacerun: yes"> </span><o:p></o:p></font></font></font></span></i></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><i style="mso-bidi-font-style: normal"><span lang="EN-US"><font size="3"><font color="#000000"><font face="Calibri">x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to 166.111.61.xx on eth2<span style="mso-spacerun: yes">
</span><o:p></o:p></font></font></font></span></i></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><i style="mso-bidi-font-style: normal"><span lang="EN-US"><font size="3"><font color="#000000"><font face="Calibri">x ICMP dest unrch (host) (100 bytes) from 59.66.96.226 to 166.111.61.x on eth2<span style="mso-spacerun: yes">
</span><o:p></o:p></font></font></font></span></i></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><i style="mso-bidi-font-style: normal"><span lang="EN-US"><font size="3"><font color="#000000"><font face="Calibri">x ICMP time excd (56 bytes) from 4.69.143.125 to 166.111.61.63 on eth2<span style="mso-spacerun: yes">
</span><span style="mso-spacerun: yes"> </span><o:p></o:p></font></font></font></span></i></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><i style="mso-bidi-font-style: normal"><span lang="EN-US"><font size="3"><font color="#000000"><font face="Calibri">x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to 166.111.61.xx on eth2<span style="mso-spacerun: yes">
</span><span style="mso-spacerun: yes"> </span><o:p></o:p></font></font></font></span></i></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><i style="mso-bidi-font-style: normal"><span lang="EN-US"><font size="3"><font color="#000000"><font face="Calibri">x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to 166.111.61.xxx on eth2<span style="mso-spacerun: yes">
</span><o:p></o:p></font></font></font></span></i></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><i style="mso-bidi-font-style: normal"><span lang="EN-US"><font size="3"><font color="#000000"><font face="Calibri">x ICMP dest unrch (host) (100 bytes) from 59.66.96.226 to 166.111.61.xx on eth2<span style="mso-spacerun: yes">
</span><o:p></o:p></font></font></font></span></i></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><i style="mso-bidi-font-style: normal"><span lang="EN-US"><font size="3"><font color="#000000"><font face="Calibri">x ICMP time excd (56 bytes) from 4.69.143.125 to 166.111.61.x on eth2<o:p></o:p></font></font></font></span></i></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><span lang="EN-US"><o:p><font color="#000000" size="3" face="Calibri"> </font></o:p></span></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><span lang="EN-US"><font size="3"><font color="#000000"><font face="Calibri">My ip is none of the above ones. The download speed in system monitor went up to 3m/s or even higher to 8m/s. I tried to use iptables
and ebtable to filter icmp packages and also set icmp_echo_ignore_all to drop all icmp pacakges. But, unfortunately, nothing works. As long as I deleted eth2 from br-ex or brought down br-ex, the network went back normal.If you have any idea, please help me.
I have been stuck here for several days. Thank you very much!!<o:p></o:p></font></font></font></span></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><span lang="EN-US"><o:p><font color="#000000" size="3" face="Calibri"> </font></o:p></span></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><span lang="EN-US"><font size="3"><font color="#000000"><font face="Calibri">Regards!<o:p></o:p></font></font></font></span></p>
<p style="MARGIN: 0cm 0cm 0pt" class="MsoNormal"><span lang="EN-US"><font size="3"><font color="#000000"><font face="Calibri">hjh<o:p></o:p></font></font></font></span></p>
<stationery>
<div><font color="#000000" size="3" face="宋体"></font> </div>
<div> </div>
<div align="left"><font color="#c0c0c0" size="2" face="Verdana">2015-09-17</font></div>
<font size="2" face="Verdana">
<hr style="WIDTH: 122px; HEIGHT: 2px" id="SignNameHR" align="left" size="2">
</font>
<div><font color="#c0c0c0" size="2" face="Verdana"><span id="_FlashSignName">applyhhj</span></font></div>
</stationery></font></div>
</div>
</div>
</span>
</body>
</html>