Re: Runaway kernel? Or an attack?
"Joseph Koshy" <[EMAIL PROTECTED]> writes:

Hi,

> There's work going in Perforce:
> http://perforce.freebsd.org/changeList.cgi?FSPC=//depot/projects/mips2/...

Ah, good, it seems that embedded mips platforms are targeted.
Is there any other way than perforce commit logs to follow project status?

Regards

Éric Masson

-- 
[...] That's my opinion too. There is a quite worrying frenzy around
the GMP here... (And now I'm in for the GMP again, especially since
I'm writing 3 lines, as if by chance) ;o)
-+- ED in Guide du Macounet Pervers: Frenetic (?) coincidence -+-

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Runaway kernel? Or an attack?
em> I'd love to see a project similar to OpenWRT based on a BSD,
em> but so far, and it seems that FreeBSD mips port effort has
em> stalled :
em> http://www.freebsd.org/projects/mips/

There's work going in Perforce:
http://perforce.freebsd.org/changeList.cgi?FSPC=//depot/projects/mips2/...

-- 
FreeBSD Volunteer, http://people.freebsd.org/~jkoshy/

Re: Runaway kernel? Or an attack?
Jeremy Chadwick <[EMAIL PROTECTED]> writes:

Hi,

> I recommend removing the DI-604 from the topology and see if the
> problem continues. Gut feeling (based on past experience with
> D-Link's residential products) is the problem will disappear.
> You'll have to trust me on this -- no matter how reliable you think
> the DI-series units are ("It works fine for me!"), they aren't.
> There are major IP stack implementation issues with these units
> (same with the DI-614+).

These units can be made reliable when flashed with an alternative
firmware like OpenWRT (http://www.OpenWRT.org).

Take a look at the following pages:
http://wiki.openwrt.org/OpenWrtDocs/Hardware/D-Link?highlight=%28CategoryAR7Device%29
http://wiki.openwrt.org/AR7Port

I have here a WRT54GS 1.1 running OpenWRT whiterussian rc5, a DLink
DSL504T and a Netgear WGT634U waiting for Kamikaze builds.

I'd love to see a project similar to OpenWRT based on a BSD, but so far,
and it seems that FreeBSD mips port effort has stalled:
http://www.freebsd.org/projects/mips/

Éric Masson

-- 
Young man, 28, IT professional, seeks woman in Chartres.
-+- PGeorges in GNU - Where is the group's Charter? -+-

RE: Runaway kernel? Or an attack?
>From: Jeremy Chadwick [mailto:[EMAIL PROTECTED]
>
>On Wed, Oct 18, 2006 at 04:07:14PM -0400, Andresen, Jason R. wrote:
>> Ok, I have a recurring problem with my webserver. Once a day or so it
>> gets locked into a loop with some random server usually somewhere in my
>> ISP. When it does this, it spends all of its time spitting out packets
>> and getting FIN, ACKs back.
>>
>> Shutting down the HTTP server doesn't stop the traffic. I have to
>> create firewall rules to block the outgoing traffic to stop it. Wiping
>> the disk and reinstalling from the CD didn't help either. This host is
>> behind a NAT (A D-Link DI-604 router). Is this a bad packet injection
>> attack, a bug, or has my box been compromised?
>
>And let me guess: your DI-604 is set to port forward TCP 80 to
>192.168.42.2 (rather than make 192.168.42.2 the DMZ host).
>
>I recommend removing the DI-604 from the topology and see if the
>problem continues. Gut feeling (based on past experience with
>D-Link's residential products) is the problem will disappear.
>You'll have to trust me on this -- no matter how reliable you think
>the DI-series units are ("It works fine for me!"), they aren't.
>There are major IP stack implementation issues with these units
>(same with the DI-614+).
>
>Thoroughly scan the D-Link forum on www.broadbandreports.com for
>details of these problems. The IP stack on those units is awful.
>
>Consider picking up a WRT54GL (which runs Linux; sure, I'd prefer
>they run BSD, but I'll trust Linux's IP stack over some third-party
>out-of-country IP stack any day of the week). Do not go with a
>WRT54G (because you won't know what version you get; Linux-based
>or VxWorks-based (which has other IP stack problems), nor a WRT54GS
>(same risk (Linux vs. VxWorks)).

So the upshot is to not trust anything that uses VxWorks?

I've been considering reworking my network by adding a second interface
to the webserver machine and having it replace the DI-604, but I've been
reluctant because if my box was being compromised I didn't want to open
it up even further to attack. Looks like I should do it anyway.

RE: Runaway kernel? Or an attack?
I would have thought so too except that it's always a different host.
It's usually inside of Verizon though.

>-----Original Message-----
>From: Chuck Swiger [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, October 18, 2006 4:33 PM
>To: Andresen, Jason R.
>Cc: freebsd-stable@freebsd.org
>Subject: Re: Runaway kernel? Or an attack?
>
>On Oct 18, 2006, at 1:07 PM, Andresen, Jason R. wrote:
>> Ok, I have a recurring problem with my webserver. Once a day or so it
>> gets locked into a loop with some random server usually somewhere
>> in my ISP. When it does this, it spends all of its time spitting out
>> packets and getting FIN, ACKs back.
>>
>> Shutting down the HTTP server doesn't stop the traffic. I have to
>> create firewall rules to block the outgoing traffic to stop it.
>
>Frankly, this sounds more like the random remote host has been
>compromised, rather than your machine, and it is scanning the network
>for other hosts to attack. What URLs are being requested (check the
>http logs)?
>
>> Here's a short tcpdump of the traffic when it happens, these packets
>> are going out at a rate of thousands per second. The 192.168.42.2 is
>> the local host and 192.76.86.83 is the apparently random victim:
>
>I'd talk to verizon.com and ask them what is going on from their side
>with that host...
>
>--
>-Chuck

Re: Runaway kernel? Or an attack?
On Wed, Oct 18, 2006 at 04:07:14PM -0400, Andresen, Jason R. wrote:
> Ok, I have a recurring problem with my webserver. Once a day or so it
> gets locked into a loop with some random server usually somewhere in my
> ISP. When it does this, it spends all of its time spitting out packets
> and getting FIN, ACKs back.
>
> Shutting down the HTTP server doesn't stop the traffic. I have to
> create firewall rules to block the outgoing traffic to stop it. Wiping
> the disk and reinstalling from the CD didn't help either. This host is
> behind a NAT (A D-Link DI-604 router). Is this a bad packet injection
> attack, a bug, or has my box been compromised?

And let me guess: your DI-604 is set to port forward TCP 80 to
192.168.42.2 (rather than make 192.168.42.2 the DMZ host).

I recommend removing the DI-604 from the topology and see if the
problem continues. Gut feeling (based on past experience with
D-Link's residential products) is the problem will disappear.
You'll have to trust me on this -- no matter how reliable you think
the DI-series units are ("It works fine for me!"), they aren't.
There are major IP stack implementation issues with these units
(same with the DI-614+).

Thoroughly scan the D-Link forum on www.broadbandreports.com for
details of these problems. The IP stack on those units is awful.

Consider picking up a WRT54GL (which runs Linux; sure, I'd prefer
they run BSD, but I'll trust Linux's IP stack over some third-party
out-of-country IP stack any day of the week). Do not go with a
WRT54G (because you won't know what version you get; Linux-based
or VxWorks-based (which has other IP stack problems), nor a WRT54GS
(same risk (Linux vs. VxWorks)).

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.               PGP: 4BD6C0CB |

Re: Runaway kernel? Or an attack?
On Oct 18, 2006, at 1:07 PM, Andresen, Jason R. wrote:
> Ok, I have a recurring problem with my webserver. Once a day or so it
> gets locked into a loop with some random server usually somewhere
> in my ISP. When it does this, it spends all of its time spitting out
> packets and getting FIN, ACKs back.
>
> Shutting down the HTTP server doesn't stop the traffic. I have to
> create firewall rules to block the outgoing traffic to stop it.

Frankly, this sounds more like the random remote host has been
compromised, rather than your machine, and it is scanning the network
for other hosts to attack. What URLs are being requested (check the
http logs)?

> Here's a short tcpdump of the traffic when it happens, these packets
> are going out at a rate of thousands per second. The 192.168.42.2 is
> the local host and 192.76.86.83 is the apparently random victim:

I'd talk to verizon.com and ask them what is going on from their side
with that host...

-- 
-Chuck