On 2011-05-16 23:07, Paul de Weerd wrote:
On Mon, May 16, 2011 at 10:27:17PM +0200, RLW wrote:
| On 2011-05-16 16:29, RLW wrote:
|>Hello,
|>
|>I need help to diagnose where the problem is...
|>
|>Below you can see traceroute and ping to facebook.com but the same
|>happens with other domains.
|>
|>I restarted router, logs show no errors.
|>
|>
|>OpenBSD 4.8
|>
|>#traceroute facebook.com
|>traceroute: Warning: facebook.com has multiple addresses; using
|>69.63.189.16
|>traceroute to facebook.com (69.63.189.16), 64 hops max, 40 byte packets
|>sendto: No route to host
|>1 traceroute: wrote facebook.com 40 chars, ret=-1
|>*sendto: No route to host
|>traceroute: wrote facebook.com 40 chars, ret=-1
|>^C
|>
|># ping facebook.com
|>PING facebook.com (69.63.189.11): 56 data bytes
|>ping: sendto: No route to host
|>ping: wrote facebook.com 64 chars, ret=-1
|>ping: sendto: No route to host
|>ping: wrote facebook.com 64 chars, ret=-1
|>64 bytes from 69.63.189.11: icmp_seq=2 ttl=244 time=113.365 ms
|>64 bytes from 69.63.189.11: icmp_seq=3 ttl=244 time=113.294 ms
|>64 bytes from 69.63.189.11: icmp_seq=4 ttl=244 time=113.567 ms
|>64 bytes from 69.63.189.11: icmp_seq=5 ttl=244 time=113.546 ms
|>64 bytes from 69.63.189.11: icmp_seq=6 ttl=244 time=113.435 ms
|>64 bytes from 69.63.189.11: icmp_seq=7 ttl=244 time=113.948 ms
|>--- facebook.com ping statistics ---
|>8 packets transmitted, 6 packets received, 25.0% packet loss
|>round-trip min/avg/max/std-dev = 113.294/113.525/113.948/0.483 ms
|>
|>
|>best regards,
|>RLW
|>
|>
|
| I see that for more than 24h inserts and removals in state table are
| higher than normal:
|
| State Table                          Total             Rate
|   current entries                     8876
|   searches                        53632700         2157.6/s
|   inserts                          4318144          173.7/s
|   removals                         4309268          173.4/s
| Counters
|   match                            4673697          188.0/s
|
| There are many connections like this:
| all tcp AAA.AA.AAA.AAA:62146 (BBB.BBB.BB.B:59475) ->
| CCC.CC.CC.CCC:6667       TIME_WAIT:TIME_WAIT
| all tcp CCC.CC.CC.CCC:6667<- BBB.BBB.BB.B:59476       TIME_WAIT:TIME_WAIT
|
| CCC.CC.CC.CCC:6667 is some SVN server...
|
| My questions are:
| 1. Do so many connections to some unknown svn server look
| suspicious? Or is it normal behaviour when connected to an svn server?
| 2. Could so many inserts/removals cause problems with ping and
| traceroute? And DNS (problems/slow resolving)?
| 3. What can be done to tune the router and get a higher inserts/removals rate?

'some SVN server' seems more like an IRC server that NATted machines
(AAA.AA.AAA.AAA) in your network are connecting to (a botnet,
perhaps ?)

So, yeah:
1. definitely suspicious
2. yes, that could be
3. well, if it is indeed local machines connecting to a botnet, you
can "tune" your network by disconnecting it from the rest of the
internet and cleaning that shit up.  Do the rest of us a favour.
Don't try and provide better "service" to the (d)DoS software running
on the infected hosts on your network.


Note that this is all quite a bit of speculation.  As you've not given
any details on what it is you're doing (as I suggested in my previous
reply), this is what my crystal orb came up with.  It's been acting up
recently - it may be dying.  If you recently received a fridge and a
car, you know I'm totally wrong here.

Paul 'WEiRD' de Weerd
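As an added example (not code from the thread or from OpenBSD), a small Python script that parses state lines in the `pfctl -ss` layout RLW quoted, groups them per remote endpoint, and flags the two things Paul points at: a remote on an IRC port, and a pile of short-lived states (mostly TIME_WAIT) to one destination. The sample lines, addresses, watch-list ports and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the `pfctl -ss` layout quoted above (RFC 5737 documentation addresses).
SAMPLE_STATES = """\
all tcp 192.0.2.10:62146 (198.51.100.1:59475) -> 203.0.113.5:6667       TIME_WAIT:TIME_WAIT
all tcp 203.0.113.5:6667 <- 198.51.100.1:59476       TIME_WAIT:TIME_WAIT
all tcp 192.0.2.10:62147 (198.51.100.1:59477) -> 203.0.113.5:6667       TIME_WAIT:TIME_WAIT
all tcp 192.0.2.10:62148 (198.51.100.1:59478) -> 203.0.113.5:6667       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.11:50001 (198.51.100.1:59479) -> 203.0.113.5:6667       TIME_WAIT:TIME_WAIT
all tcp 192.0.2.12:40000 (198.51.100.1:59480) -> 203.0.113.80:443       ESTABLISHED:ESTABLISHED
"""

# Two layouts: "iface proto src [(nat)] -> dst state" and "iface proto dst <- src state".
STATE_RE = re.compile(r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+?)"
                      r"(?:\s+\((?P<nat>\S+)\))?\s*(?P<dir>->|<-)\s+(?P<b>\S+)\s+(?P<state>\S+)$")

def parse_state(line):
    """Return (proto, local, remote, state) for one state line, or None if it does not parse."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    if m.group("dir") == "->":      # outbound view: a is the local (pre-NAT) endpoint, b the remote
        local, remote = m.group("a"), m.group("b")
    else:                           # reply view: a is the remote, b is our (post-NAT) endpoint
        local, remote = m.group("b"), m.group("a")
    return m.group("proto"), local, remote, m.group("state")

IRC_PORTS = {6667, 6697}  # assumed watch list; IRC is the classic botnet command channel

def suspicious_remotes(text, watch_ports=IRC_PORTS, min_states=3):
    """Flag remotes on a watched port, or with >= min_states states where at least half are TIME_WAIT."""
    per_remote = defaultdict(lambda: {"states": 0, "sources": set(), "time_wait": 0})
    for line in text.splitlines():
        parsed = parse_state(line)
        if parsed is None:
            continue
        proto, local, remote, state = parsed
        e = per_remote[(proto, remote)]
        e["states"] += 1
        e["sources"].add(local.rsplit(":", 1)[0])      # distinct local hosts talking to this remote
        e["time_wait"] += int("TIME_WAIT" in state)    # short-lived connections already torn down
    flagged = {}
    for (proto, remote), e in per_remote.items():
        port = int(remote.rsplit(":", 1)[1])
        churn = e["states"] >= min_states and 2 * e["time_wait"] >= e["states"]
        if port in watch_ports or churn:
            flagged[remote] = {"proto": proto, "states": e["states"],
                               "time_wait": e["time_wait"], "sources": sorted(e["sources"])}
    return flagged
```

Run it over real `pfctl -ss` output to get the same per-destination view RLW built by eye; the reply-direction (`<-`) lines attribute to the gateway's NAT address rather than the internal host, so the inbound view alone will not name the infected machine.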


While I was writing the email, I looked closely at the state table; it looks like one server, which is located in our server room but whose admin is from abroad, got hacked. I blocked all traffic - don't worry.

The answer to question number 3 is still important to me, because this time it was rogue connections, but what if some day we get so many legitimate connections? What can be done/tuned to improve the insert/removal rate on an OpenBSD router?


best regards,
RLW
