RE: Runaway kernel? Or an attack?

2006-10-19 Thread Andresen, Jason R.
I would have thought so too except that it's always a different host.
It's usually inside of Verizon though.

-Original Message-
From: Chuck Swiger [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 18, 2006 4:33 PM
To: Andresen, Jason R.
Cc: freebsd-stable@freebsd.org
Subject: Re: Runaway kernel? Or an attack?

On Oct 18, 2006, at 1:07 PM, Andresen, Jason R. wrote:
> Ok, I have a recurring problem with my webserver.  Once a day or so it
> gets locked into a loop with some random server usually somewhere in my
> ISP.  When it does this, it spends all of its time spitting out packets
> and getting FIN, ACKs back.
>
> Shutting down the HTTP server doesn't stop the traffic.  I have to
> create firewall rules to block the outgoing traffic to stop it.

Frankly, this sounds more like the random remote host has been
compromised, rather than your machine, and it is scanning the network
for other hosts to attack.  What URLs are being requested (check the
http logs)?

> Here's a short tcpdump of the traffic when it happens, these packets
> are going out at a rate of thousands per second.  The 192.168.42.2 is
> the local host and 192.76.86.83 is the apparently random victim:

I'd talk to verizon.com and ask them what is going on from their side
with that host...

-- 
-Chuck


___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]


RE: Runaway kernel? Or an attack?

2006-10-19 Thread Andresen, Jason R.
From: Jeremy Chadwick [mailto:[EMAIL PROTECTED]

> On Wed, Oct 18, 2006 at 04:07:14PM -0400, Andresen, Jason R. wrote:
> > Ok, I have a recurring problem with my webserver.  Once a day or so it
> > gets locked into a loop with some random server usually somewhere in my
> > ISP.  When it does this, it spends all of its time spitting out packets
> > and getting FIN, ACKs back.
> >
> > Shutting down the HTTP server doesn't stop the traffic.  I have to
> > create firewall rules to block the outgoing traffic to stop it.  Wiping
> > the disk and reinstalling from the CD didn't help either.  This host is
> > behind a NAT (A D-Link DI-604 router).  Is this a bad packet injection
> > attack, a bug, or has my box been compromised?
>
> And let me guess: your DI-604 is set to port forward TCP 80 to
> 192.168.42.2 (rather than make 192.168.42.2 the DMZ host).
>
> I recommend removing the DI-604 from the topology and see if the
> problem continues.  Gut feeling (based on past experience with
> D-Link's residential products) is the problem will disappear.
> You'll have to trust me on this -- no matter how reliable you think
> the DI-series units are (It works fine for me!), they aren't.
> There are major IP stack implementation issues with these units
> (same with the DI-614+).
>
> Thoroughly scan the D-Link forum on www.broadbandreports.com for
> details of these problems.  The IP stack on those units is awful.
>
> Consider picking up a WRT54GL (which runs Linux; sure, I'd prefer
> they run BSD, but I'll trust Linux's IP stack over some third-party
> out-of-country IP stack any day of the week).  Do not go with a
> WRT54G (because you won't know what version you get; Linux-based
> or VxWorks-based (which has other IP stack problems), nor a WRT54GS
> (same risk (Linux vs. VxWorks)).

So the upshot is to not trust anything that uses VxWorks?  I've been
considering reworking my network by adding a second interface to the
webserver machine and having it replace the DI-604, but I've been
reluctant because if my box was being compromised I didn't want to open
it up even further to attack.  Looks like I should do it anyway.


Re: Runaway kernel? Or an attack?

2006-10-19 Thread Eric Masson
Jeremy Chadwick [EMAIL PROTECTED] writes:

Hi,

> I recommend removing the DI-604 from the topology and see if the
> problem continues.  Gut feeling (based on past experience with
> D-Link's residential products) is the problem will disappear.
> You'll have to trust me on this -- no matter how reliable you think
> the DI-series units are (It works fine for me!), they aren't.
> There are major IP stack implementation issues with these units
> (same with the DI-614+).

These units can be made reliable when flashed with an alternative
firmware like OpenWRT (http://www.OpenWRT.org). Take a look at the
following pages :
http://wiki.openwrt.org/OpenWrtDocs/Hardware/D-Link?highlight=%28CategoryAR7Device%29
http://wiki.openwrt.org/AR7Port

I have here a WRT54GS 1.1 running OpenWRT whiterussian rc5, a DLink
DSL504T and a Netgear WGT634U waiting for Kamikaze builds.

I'd love to see a project similar to OpenWRT based on a BSD, but so far
it seems that the FreeBSD mips port effort has stalled:
http://www.freebsd.org/projects/mips/

Éric Masson

-- 
 Young man, 28, IT worker, seeking a woman in Chartres.
 -+- PGeorges in GNU - Where is the group's charter? -+-


Re: Runaway kernel? Or an attack?

2006-10-19 Thread Joseph Koshy

em> I'd love to see a project similar to OpenWRT based on a BSD,
em> but so far, and it seems that FreeBSD mips port effort has
em> stalled :
em> http://www.freebsd.org/projects/mips/

There's work going in Perforce:

http://perforce.freebsd.org/changeList.cgi?FSPC=//depot/projects/mips2/...

--
FreeBSD Volunteer, http://people.freebsd.org/~jkoshy/


Re: Runaway kernel? Or an attack?

2006-10-19 Thread Eric Masson
Joseph Koshy [EMAIL PROTECTED] writes:

Hi,

> There's work going in Perforce:
> http://perforce.freebsd.org/changeList.cgi?FSPC=//depot/projects/mips2/...

Ah, good, it seems that embedded mips platforms are targeted.

Is there any other way than perforce commit logs to follow project
status?

Regards

Éric Masson

-- 
 [...] That's my opinion too. There is a thoroughly worrying frenzy
 around the GMP going on around here... (And there I'm in for the GMP
 again, especially since I'm writing three lines, by sheer coincidence) ;o)
 -+- ED in Guide du Macounet Pervers: Frenetic chance (?) -+-


Runaway kernel? Or an attack?

2006-10-18 Thread Andresen, Jason R.
Ok, I have a recurring problem with my webserver.  Once a day or so it
gets locked into a loop with some random server usually somewhere in my
ISP.  When it does this, it spends all of its time spitting out packets
and getting FIN, ACKs back.  

Shutting down the HTTP server doesn't stop the traffic.  I have to
create firewall rules to block the outgoing traffic to stop it.  Wiping
the disk and reinstalling from the CD didn't help either.  This host is
behind a NAT (A D-Link DI-604 router).  Is this a bad packet injection
attack, a bug, or has my box been compromised?  

This problem has persisted from when the box was 5.4 all the way to
its current 6.0 life.  Sadly, I cannot upgrade it beyond 6.0 Release
at the moment because it has a proprietary vendor binary kernel module
for the RAID array, and the newest version they have is for 6.0.

Here's a short tcpdump of the traffic when it happens, these packets
are going out at a rate of thousands per second.  The 192.168.42.2 is
the local host and 192.76.86.83 is the apparently random victim:

09:36:51.056914 IP (tos 0x0, ttl  64, id 57273, offset 0, flags [DF],
proto: TCP (6), length: 52) 192.168.42.2.80 > 192.76.86.83.22929: .,
cksum 0xd1b3 (correct), 0:0(0) ack 0 win 33120 <nop,nop,timestamp
147178754 27589156>
09:36:51.059404 IP (tos 0x0, ttl  51, id 61707, offset 0, flags [none],
proto: TCP (6), length: 52) 192.76.86.83.22929 > 192.168.42.2.80: F,
cksum 0x5331 (correct), 0:0(0) ack 1 win 65535 <nop,nop,timestamp
27589156 147178723>
09:36:51.059469 IP (tos 0x0, ttl  64, id 57274, offset 0, flags [DF],
proto: TCP (6), length: 52) 192.168.42.2.80 > 192.76.86.83.22929: .,
cksum 0xd1b0 (correct), 0:0(0) ack 0 win 33120 <nop,nop,timestamp
147178757 27589156>
09:36:51.060004 IP (tos 0x0, ttl  51, id 61709, offset 0, flags [none],
proto: TCP (6), length: 52) 192.76.86.83.22929 > 192.168.42.2.80: F,
cksum 0x5331 (correct), 0:0(0) ack 1 win 65535 <nop,nop,timestamp
27589156 147178723>

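The four packets in the post above show a TCP ACK loop rather than an HTTP request: every segment carries zero bytes of data, the local side keeps answering with "ack 0" while the remote side keeps retransmitting a FIN with "ack 1", and neither side's sequence or acknowledgment number ever moves, so each packet provokes the next. The detector below is an added example written for this page; it is not code from the post, from the list, or from FreeBSD. It parses the tcpdump -v line format quoted above (one packet per line, with the ">" separator and option brackets that the archive dropped restored), groups packets by endpoint pair, and flags pairs that exchange only empty segments at a high rate with stuck sequence and acknowledgment numbers. The 100 packets/second threshold, the four-packet minimum, and the extra check that a FIN is never acknowledged are my assumptions about what is worth alerting on, not anything the thread specifies.

```python
"""Flag TCP ACK storms in tcpdump -v output (added illustration, not from the post)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# The four packets quoted in the post, rejoined onto one line each, with the
# '>' between endpoints and the <...> around TCP options restored.
SAMPLE = """\
09:36:51.056914 IP (tos 0x0, ttl  64, id 57273, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.42.2.80 > 192.76.86.83.22929: ., cksum 0xd1b3 (correct), 0:0(0) ack 0 win 33120 <nop,nop,timestamp 147178754 27589156>
09:36:51.059404 IP (tos 0x0, ttl  51, id 61707, offset 0, flags [none], proto: TCP (6), length: 52) 192.76.86.83.22929 > 192.168.42.2.80: F, cksum 0x5331 (correct), 0:0(0) ack 1 win 65535 <nop,nop,timestamp 27589156 147178723>
09:36:51.059469 IP (tos 0x0, ttl  64, id 57274, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.42.2.80 > 192.76.86.83.22929: ., cksum 0xd1b0 (correct), 0:0(0) ack 0 win 33120 <nop,nop,timestamp 147178757 27589156>
09:36:51.060004 IP (tos 0x0, ttl  51, id 61709, offset 0, flags [none], proto: TCP (6), length: 52) 192.76.86.83.22929 > 192.168.42.2.80: F, cksum 0x5331 (correct), 0:0(0) ack 1 win 65535 <nop,nop,timestamp 27589156 147178723>
"""

# Matches the tcpdump 3.x "-v" layout used in the post; lines without an
# "ack" field (a bare SYN, a non-TCP packet) simply do not match.
LINE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP .*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+), .*?"
    r"(?P<seq>\d+):\d+\((?P<plen>\d+)\) ack (?P<ack>\d+)"
)


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since midnight
    src: str       # "ip:port"
    dst: str
    flags: str     # tcpdump flag letters, "." when none are set
    seq: int
    plen: int      # payload bytes
    ack: int


def parse_line(line):
    m = LINE.match(line)
    if not m:
        return None
    g = m.groupdict()
    ts = int(g["h"]) * 3600 + int(g["m"]) * 60 + float(g["s"])
    return Packet(ts, f"{g['src']}:{g['sport']}", f"{g['dst']}:{g['dport']}",
                  g["flags"], int(g["seq"]), int(g["plen"]), int(g["ack"]))


def parse(text):
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def fin_unacked(pkts, sender):
    """True if `sender` sent a FIN that the peer never acknowledged.

    A FIN occupies one sequence number after its data, so the peer must ack
    seq + len + 1.  tcpdump's default relative numbering keeps one direction's
    seq and the other direction's ack on the same base, so the comparison
    holds with or without -S.
    """
    fins = [p.seq + p.plen + 1 for p in pkts if p.src == sender and "F" in p.flags]
    if not fins:
        return False
    peer_acks = [p.ack for p in pkts if p.dst == sender]
    return not any(a >= min(fins) for a in peer_acks)


def find_ack_storms(pkts, min_pps=100.0, min_packets=4):
    """Report endpoint pairs exchanging only empty segments at a high rate
    while neither side's seq or ack number advances (an ACK loop)."""
    flows = defaultdict(list)
    for p in pkts:
        flows[frozenset((p.src, p.dst))].append(p)
    storms = []
    for key, fl in flows.items():
        if len(fl) < min_packets or any(p.plen for p in fl):
            continue
        span = fl[-1].ts - fl[0].ts
        pps = (len(fl) - 1) / span if span > 0 else float("inf")
        if pps < min_pps:
            continue
        stuck = all(
            len({p.seq for p in fl if p.src == ep}) <= 1
            and len({p.ack for p in fl if p.src == ep}) <= 1
            for ep in key)
        if not stuck:
            continue
        a, b = sorted(key)
        storms.append({
            "endpoints": (a, b),
            "packets": len(fl),
            "pps": round(pps),
            "unacked_fin_from": [ep for ep in (a, b) if fin_unacked(fl, ep)],
        })
    return storms


if __name__ == "__main__":
    for storm in find_ack_storms(parse(SAMPLE)):
        print(storm)
```

On the sample it reports one storm between 192.168.42.2:80 and 192.76.86.83:22929 at roughly 970 packets/second, with the remote side's FIN never acknowledged, which is the "ack 0" against a FIN that needs "ack 1". To use it on a live box, pipe the output of `tcpdump -nv` into `parse`; a real web server's flows will carry payload and advancing acks and so fall out of the filter.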


Re: Runaway kernel? Or an attack?

2006-10-18 Thread Chuck Swiger

On Oct 18, 2006, at 1:07 PM, Andresen, Jason R. wrote:
> Ok, I have a recurring problem with my webserver.  Once a day or so it
> gets locked into a loop with some random server usually somewhere in my
> ISP.  When it does this, it spends all of its time spitting out packets
> and getting FIN, ACKs back.
>
> Shutting down the HTTP server doesn't stop the traffic.  I have to
> create firewall rules to block the outgoing traffic to stop it.

Frankly, this sounds more like the random remote host has been
compromised, rather than your machine, and it is scanning the network
for other hosts to attack.  What URLs are being requested (check the
http logs)?

> Here's a short tcpdump of the traffic when it happens, these packets
> are going out at a rate of thousands per second.  The 192.168.42.2 is
> the local host and 192.76.86.83 is the apparently random victim:

I'd talk to verizon.com and ask them what is going on from their side
with that host...


--
-Chuck



Re: Runaway kernel? Or an attack?

2006-10-18 Thread Jeremy Chadwick
On Wed, Oct 18, 2006 at 04:07:14PM -0400, Andresen, Jason R. wrote:
> Ok, I have a recurring problem with my webserver.  Once a day or so it
> gets locked into a loop with some random server usually somewhere in my
> ISP.  When it does this, it spends all of its time spitting out packets
> and getting FIN, ACKs back.
>
> Shutting down the HTTP server doesn't stop the traffic.  I have to
> create firewall rules to block the outgoing traffic to stop it.  Wiping
> the disk and reinstalling from the CD didn't help either.  This host is
> behind a NAT (A D-Link DI-604 router).  Is this a bad packet injection
> attack, a bug, or has my box been compromised?

And let me guess: your DI-604 is set to port forward TCP 80 to
192.168.42.2 (rather than make 192.168.42.2 the DMZ host).

I recommend removing the DI-604 from the topology and see if the
problem continues.  Gut feeling (based on past experience with
D-Link's residential products) is the problem will disappear.
You'll have to trust me on this -- no matter how reliable you think
the DI-series units are (It works fine for me!), they aren't.
There are major IP stack implementation issues with these units
(same with the DI-614+).

Thoroughly scan the D-Link forum on www.broadbandreports.com for
details of these problems.  The IP stack on those units is awful.

Consider picking up a WRT54GL (which runs Linux; sure, I'd prefer
they run BSD, but I'll trust Linux's IP stack over some third-party
out-of-country IP stack any day of the week).  Do not go with a
WRT54G (because you won't know what version you get; Linux-based
or VxWorks-based (which has other IP stack problems), nor a WRT54GS
(same risk (Linux vs. VxWorks)).

-- 
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networkinghttp://www.parodius.com/ |
| UNIX Systems Administrator   Mountain View, CA, USA |
| Making life hard for others since 1977.   PGP: 4BD6C0CB |
