> From: Jeremy Chadwick [mailto:[EMAIL PROTECTED]
>
> On Wed, Oct 18, 2006 at 04:07:14PM -0400, Andresen, Jason R. wrote:
>> Ok, I have a recurring problem with my webserver. Once a day or so it
>> gets locked into a loop with some random server usually somewhere in my
>> ISP. When it does this, it spends all of its time spitting out packets
>> and getting FIN, ACKs back.
>>
>> Shutting down the HTTP server doesn't stop the traffic. I have to
>> create firewall rules to block the outgoing traffic to stop it. Wiping
>> the disk and reinstalling from the CD didn't help either. This host is
>> behind a NAT (a D-Link DI-604 router). Is this a bad packet injection
>> attack, a bug, or has my box been compromised?
>
> And let me guess: your DI-604 is set to port forward TCP 80 to
> 192.168.42.2 (rather than make 192.168.42.2 the DMZ host).
>
> I recommend removing the DI-604 from the topology and see if the
> problem continues. Gut feeling (based on past experience with
> D-Link's residential products) is the problem will disappear.
> You'll have to trust me on this -- no matter how reliable you think
> the DI-series units are ("It works fine for me!"), they aren't.
> There are major IP stack implementation issues with these units
> (same with the DI-614+).
>
> Thoroughly scan the D-Link forum on www.broadbandreports.com for
> details of these problems. The IP stack on those units is awful.
>
> Consider picking up a WRT54GL (which runs Linux; sure, I'd prefer
> they run BSD, but I'll trust Linux's IP stack over some third-party
> out-of-country IP stack any day of the week). Do not go with a
> WRT54G (because you won't know what version you get; Linux-based
> or VxWorks-based (which has other IP stack problems)), nor a WRT54GS
> (same risk (Linux vs. VxWorks)).
So the upshot is to not trust anything that uses VxWorks? I've been considering reworking my network by adding a second interface to the webserver machine and having it replace the DI-604, but I've been reluctant because if my box was being compromised I didn't want to open it up even further to attack. Looks like I should do it anyway.

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
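The symptom Jason describes (the server keeps sending to one peer that only ever answers with FIN/ACK) can be spotted in a packet capture before reaching for firewall rules. The script below is an added example, not code from this thread; it parses tcpdump-style lines and flags peers that keep receiving packets from the local host after they have already replied with FIN/ACK. The local address 192.168.42.2, the peer addresses and the sample capture are all constructed for the example.

```python
"""Flag a FIN/ACK loop in tcpdump-style output (added example, not from the thread)."""
import re
from collections import defaultdict

# Assumed local web server address (the thread only names it as the port-forward target).
LOCAL = "192.168.42.2"

# Matches the start of a tcpdump TCP line: "IP src.port > dst.port: Flags [..], ..."
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def analyze(lines, threshold=5):
    """Return {peer: (packets_sent_after_fin, fin_acks_received)} for every peer
    that LOCAL kept sending to at least `threshold` times after the peer's first FIN."""
    fin_seen = defaultdict(int)        # FIN/ACK replies received from each peer
    sent_after_fin = defaultdict(int)  # packets LOCAL sent after a peer's first FIN
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, _, dst, _, flags = m.groups()
        if src == LOCAL:
            if fin_seen[dst]:
                sent_after_fin[dst] += 1
        elif dst == LOCAL and "F" in flags:
            fin_seen[src] += 1
    return {p: (n, fin_seen[p]) for p, n in sent_after_fin.items() if n >= threshold}


# Constructed capture: one normal close with 203.0.113.10, one stuck loop with 198.51.100.7.
SAMPLE = (
    "IP 192.168.42.2.80 > 203.0.113.10.51234: Flags [P.], seq 1:100, ack 1, length 99\n"
    "IP 203.0.113.10.51234 > 192.168.42.2.80: Flags [F.], seq 1, ack 100, length 0\n"
    "IP 192.168.42.2.80 > 203.0.113.10.51234: Flags [F.], seq 100, ack 2, length 0\n"
    "IP 192.168.42.2.80 > 198.51.100.7.40001: Flags [P.], seq 1:500, ack 1, length 499\n"
    "IP 198.51.100.7.40001 > 192.168.42.2.80: Flags [F.], seq 1, ack 500, length 0\n"
    + "".join(
        "IP 192.168.42.2.80 > 198.51.100.7.40001: Flags [P.], seq 1:500, ack 1, length 499\n"
        "IP 198.51.100.7.40001 > 192.168.42.2.80: Flags [F.], seq 1, ack 500, length 0\n"
        for _ in range(6)
    )
)

if __name__ == "__main__":
    for peer, (sent, fins) in analyze(SAMPLE.splitlines()).items():
        print(f"{peer}: {sent} packets sent after {fins} FIN/ACK replies")
```

Feed it `tcpdump -n -i <iface> tcp | python3 script.py`-style output (adjust the reader to stdin) to find the peer that should go into the blocking rule.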
