Joel, Beginning about six weeks ago we had (and still have) something similar on a Microsoft Windows NT Web/Proxy server. The same symptoms. The system is still running, no entries in any of the logs, but any incoming or outgoing traffic is blocked until we reboot the server.
What we found out so far looks like a (new?) kind of attack. It looks somewhat like the well known Syn Flood attack. As I'm not good in these things I have no idea what to do against it. We are currently evaluating the Qube 3 as a replacement for the NT server, but so far I did not find the time to put it in place. Using netstat, immediately before the NIC hangs, I can see a lot of SYN RECEIVED with connections to port 80 on any IP address we have. The source has a bogus (spoofed) IP address. Now we have written a job that runs netstat any 30 second and writes any source adress for connections having SYN RECEIVED for more than 30 seconds into a file. We use this file daily to block this addresses from entering our network in the router. Windows NT has an entry in the registry to protect from Syn Flood attacks. Enabling this protection helped a little but did not solve the problem. Hope you'll get your problem solved, soon! Kind regards, Peter ----- Original Message ----- From: "earthlink" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Sunday, March 31, 2002 9:51 PM Subject: [cobalt-developers] Raq 3 Hangs! Websites down > Hello, this is the 2nd time this week our Raq 3 has hung and now > I cannot telnet into it and all websites are down > > One person will have to go out monday and restart the darn thing > > When it reboots and is back up and running (as it was for 2 days after the > last hang and before it > died on us) what can I do to prevent this from happening again? > > It was fine for 1.5 years > > Is this just a piece of garbage that is no longer functional? We do not host > that many websites > > What can I do after a reboot to prevent this? This is PATHETIC > > Thanks > > Joel > > _______________________________________________ > cobalt-developers mailing list > [EMAIL PROTECTED] > http://list.cobalt.com/mailman/listinfo/cobalt-developers > _______________________________________________ cobalt-developers mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-developers
