bogus SYN flood?

1997-12-06 Thread Jason Wright
Howdy...

I came home to find my workstation thrashing - errors are appended to this
message.  Kerneld was consuming over 50meg of memory, so I bounced it,
which seems to have cleared the problem up.

Overmind is a P90, 2.0.32 and is fairly well synced with Hamm.  Modutils
is 2.1.55-4.  Current uptime is almost 13 days.  The machine was idle at
the time.

I've been unsubscribed from linux-kernel since before 2.0.32 came out,
so I don't know if this problem has been discussed over there.  I just
resubscribed.

PeeWee

Full transcript of errors from /var/adm/messages follows:

Dec  5 14:30:01 overmind kernel: validated probe(127.0.0.1:726, 127.0.0.1:778, 
-580073059) 
Dec  5 14:45:01 overmind kernel: Warning: possible SYN flood from 127.0.0.1 on 
127.0.0.1:778.  Sending cookies. 
Dec  5 14:45:01 overmind kernel: validated probe(127.0.0.1:804, 127.0.0.1:778, 
1528032577) 
Dec  5 15:00:02 overmind kernel: Warning: possible SYN flood from 127.0.0.1 on 
127.0.0.1:778.  Sending cookies. 
Dec  5 15:00:03 overmind kernel: validated probe(127.0.0.1:871, 127.0.0.1:778, 
-1098321254) 
Dec  5 15:05:05 overmind kernel: flushed 1084 old SYSVIPC messages1Ouch, no 
kerneld for message 2147442165 
Dec  5 15:15:01 overmind kernel: flushed 1086 old SYSVIPC messages6Warning: 
possible SYN flood from 127.0.0.1 on 127.0.0.1:778.  Sending cookies. 
Dec  5 15:15:01 overmind kernel: validated probe(127.0.0.1:942, 127.0.0.1:778, 
-1341543110) 
Dec  5 15:30:00 overmind kernel: flushed 1079 old SYSVIPC messages4flushed 
1085 old SYSVIPC messages6Warning: possible SYN flood from 127.0.0.1 on 
127.0.0.1:778.  Sending cookies. 
Dec  5 15:30:01 overmind kernel: validated probe(127.0.0.1:1000, 127.0.0.1:778, 
754024873) 
Dec  5 15:45:01 overmind kernel: flushed 1084 old SYSVIPC messages6Warning: 
possible SYN flood from 127.0.0.1 on 127.0.0.1:778.  Sending cookies. 
Dec  5 15:45:01 overmind kernel: validated probe(127.0.0.1:640, 127.0.0.1:778, 
-2079395917) 
Dec  5 16:00:01 overmind kernel: flushed 1086 old SYSVIPC messages4flushed 
1084 old SYSVIPC messages6Warning: possible SYN flood from 127.0.0.1 on 
127.0.0.1:778.  Sending cookies. 
Dec  5 16:00:01 overmind kernel: validated probe(127.0.0.1:696, 127.0.0.1:778, 
521267003) 
Dec  5 16:05:01 overmind kernel: flushed 1084 old SYSVIPC messages6Warning: 
possible SYN flood from 127.0.0.1 on 127.0.0.1:778.  Sending cookies. 
Dec  5 16:05:01 overmind kernel: validated probe(127.0.0.1:720, 127.0.0.1:778, 
-1748167046) 
Dec  5 16:05:07 overmind kernel: Ouch, no kerneld for message 2147442166 
Dec  5 16:15:00 overmind kernel: flushed 1084 old SYSVIPC messages6Warning: 
possible SYN flood from 127.0.0.1 on 127.0.0.1:778.  Sending cookies. 
Dec  5 16:15:01 overmind kernel: validated probe(127.0.0.1:766, 127.0.0.1:778, 
891621602) 
Dec  5 16:30:00 overmind kernel: flushed 1083 old SYSVIPC messages4flushed 
1080 old SYSVIPC messages6Warning: possible SYN flood from 127.0.0.1 on 
127.0.0.1:778.  Sending cookies. 
Dec  5 16:30:00 overmind kernel: validated probe(127.0.0.1:824, 127.0.0.1:778, 
723969002) 
Dec  5 16:45:00 overmind kernel: flushed 1085 old SYSVIPC messages4flushed 
1084 old SYSVIPC messages6Warning: possible SYN flood from 127.0.0.1 on 
127.0.0.1:778.  Sending cookies. 
Dec  5 16:45:00 overmind kernel: validated probe(127.0.0.1:887, 127.0.0.1:778, 
29768560) 
Dec  5 17:00:01 overmind kernel: flushed 1086 old SYSVIPC messages4flushed 
1084 old SYSVIPC messages6Warning: possible SYN flood from 127.0.0.1 on 
127.0.0.1:778.  Sending cookies. 
Dec  5 17:00:01 overmind kernel: validated probe(127.0.0.1:946, 127.0.0.1:778, 
525624201) 
Dec  5 17:05:01 overmind kernel: Warning: possible SYN flood from 127.0.0.1 on 
127.0.0.1:778.  Sending cookies. 
Dec  5 17:05:01 overmind kernel: validated probe(127.0.0.1:970, 127.0.0.1:778, 
-1800602240) 
Dec  5 17:05:05 overmind kernel: Ouch, no kerneld for message 2147442167 
Dec  5 17:15:01 overmind kernel: flushed 1082 old SYSVIPC messages6Warning: 
possible SYN flood from 127.0.0.1 on 127.0.0.1:778.  Sending cookies. 
Dec  5 17:15:01 overmind kernel: validated probe(127.0.0.1:1016, 127.0.0.1:778, 
1304971566) 
Dec  5 17:30:00 overmind kernel: flushed 1086 old SYSVIPC messages4flushed 
1081 old SYSVIPC messages6Warning: possible SYN flood from 127.0.0.1 on 
127.0.0.1:778.  Sending cookies. 
Dec  5 17:30:00 overmind kernel: validated probe(127.0.0.1:650, 127.0.0.1:778, 
-1483188710) 
Dec  5 17:45:01 overmind kernel: flushed 1085 old SYSVIPC messages4flushed 
1085 old SYSVIPC messages6Warning: possible SYN flood from 127.0.0.1 on 
127.0.0.1:778.  Sending cookies. 
Dec  5 17:45:01 overmind kernel: validated probe(127.0.0.1:714, 127.0.0.1:778, 
-1528760368) 
Dec  5 18:00:01 overmind kernel: flushed 1086 old SYSVIPC messages4flushed 
1085 old SYSVIPC messages6Warning: possible SYN flood from 127.0.0.1 on 
127.0.0.1:778.  Sending cookies. 
Dec  5 18:00:01 overmind kernel: validated probe(127.0.0.1:770, 127.0.0.1:778, 
-2043635234) 
Dec  5 18:05:02 overmind 

Re: bogus SYN flood?

1997-12-06 Thread Alain Nissen
---BeginMessage---
Jason Wright wrote:
 
> I came home to find my workstation thrashing - errors are appended to this
> message.  Kerneld was consuming over 50meg of memory, so I bounced it,
> which seems to have cleared the problem up.

I saw exactly the same warnings on my Linux box three days ago (running
debian-unstable at the latest level, with Debian kernel 2.0.30-9
replaced by my own self-made 2.0.32 kernel).  The box became slower and
slower, and eventually did not respond at all. I had to press the
reset button :/

Dec  3 21:41:17 demon kernel: Warning: possible SYN flood from
195.0.100.253 on 194.78.79.73:21666.  Sending cookies. 
Dec  3 21:41:22 demon kernel: validated probe(195.0.100.253:5708,
194.78.79.73:21666, 536524169) 
Dec  3 21:41:39 demon kernel: validated probe(194.78.79.71:2397,
194.78.79.73:21666, -1494314061) 
Dec  3 21:42:11 demon kernel: validated probe(132.206.150.30:10325,
194.78.79.73:21666, -1224464230) 

(and so on until crash)


Alain

---End Message---
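A triage sketch for transcripts like the two above, added here as an example and not part of either post: it rejoins the mail-wrapped syslog lines, finds each "possible SYN flood" warning even when it is fused onto another kernel message, and reports per source/destination whether both endpoints are loopback addresses (traffic that originated on the machine itself) and the spacing between warnings. The names `records` and `triage` are hypothetical; the sample lines are copied from the transcripts and the year is assumed from the thread date.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Sample lines copied from the two transcripts in this thread, left
# mail-wrapped; the third warning is fused onto a SYSVIPC message.
SAMPLE = """\
Dec  5 14:45:01 overmind kernel: Warning: possible SYN flood from 127.0.0.1 on 
127.0.0.1:778.  Sending cookies. 
Dec  5 15:00:02 overmind kernel: Warning: possible SYN flood from 127.0.0.1 on 
127.0.0.1:778.  Sending cookies. 
Dec  5 15:15:01 overmind kernel: flushed 1086 old SYSVIPC messages6Warning: 
possible SYN flood from 127.0.0.1 on 127.0.0.1:778.  Sending cookies. 
Dec  3 21:41:17 demon kernel: Warning: possible SYN flood from
195.0.100.253 on 194.78.79.73:21666.  Sending cookies. 
"""

STAMP = re.compile(r"^([A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (\S+) ")
FLOOD = re.compile(r"possible SYN flood from ([\d.]+) on ([\d.]+):(\d+)")

def records(text):
    """Rejoin wrapped lines: a new record starts at a syslog timestamp."""
    rec = None
    for line in text.splitlines():
        if STAMP.match(line):
            if rec is not None:
                yield rec
            rec = line.strip()
        elif rec is not None and line.strip():
            rec += " " + line.strip()
    if rec is not None:
        yield rec

def triage(text, year=1997):
    """Group warnings by (host, src, dst, port); year is an assumption."""
    seen = defaultdict(list)
    for rec in records(text):
        head, flood = STAMP.match(rec), FLOOD.search(rec)
        if flood:
            when = datetime.strptime(f"{year} {head.group(1)}", "%Y %b %d %H:%M:%S")
            seen[(head.group(2), *flood.groups())].append(when)
    lo = lambda addr: ipaddress.ip_address(addr).is_loopback
    return {
        key: {"count": len(times),
              "local_only": lo(key[1]) and lo(key[2]),
              "gaps_s": [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]}
        for key, times in seen.items()
    }
```
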