From owner-freebsd-questions Sun Sep 3 18:51:30 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from wantadilla.lemis.com (wantadilla.lemis.com [192.109.197.80]) by hub.freebsd.org (Postfix) with ESMTP id CC2B937B424 for ; Sun, 3 Sep 2000 18:51:21 -0700 (PDT)
Received: (from grog@localhost) by wantadilla.lemis.com (8.11.0/8.9.3) id e841pH589608 for questions@FreeBSD.ORG; Mon, 4 Sep 2000 11:21:17 +0930 (CST) (envelope-from grog)
Date: Mon, 4 Sep 2000 11:21:17 +0930
From: Greg Lehey
To: freebsd-questions
Subject: Self-initated DOS? (was: signature?)
Message-ID: <20000904112117.C57161@wantadilla.lemis.com>
References: <200009030608.GAA02427@groggy.anc.ptialaska.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200009030608.GAA02427@groggy.anc.ptialaska.net>; from groggy@iname.com on Sun, Sep 03, 2000 at 06:08:55AM +0000
Organization: LEMIS, PO Box 460, Echunga SA 5153, Australia
Phone: +61-8-8388-8286
Fax: +61-8-8388-8725
Mobile: +61-418-838-708
WWW-Home-Page: http://www.lemis.com/~grog
X-PGP-Fingerprint: 6B 7B C3 8C 61 CD 54 AF 13 24 52 F8 6D A4 95 EF
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sunday, 3 September 2000 at 6:08:55 +0000, groggy@iname.com wrote:
>> It's not port UDP 68, it's netbios-ns; it's Windows boxes that like to do a
>> netbios nameserver lookup on whoever connects to them. MS assumed that
>> anything connecting to them "must" be a windows box and tries to log the
>> Netbios name of it.... these end up as mostly noise in firewall logs.
>>
>> I specifically disabled monitoring of UDP 137/138 in my own firewalls as the
>> number of stupid IIS servers that kept trying to find out the netbios name
>> of the squid proxies was filling the logs with useless information...
>
> this sounds good to me :) i figured it was some IIS crap ...
> i think my ISP recently replaced their SunOS and System V boxes
> with IIS servers - i know they renamed all their boxes - and that's
> when this problem started. it still bothers me that they have a right
> to clutter my connection with so much useless garbage! i mean, it does
> cause "stalls" on connections to my server since 10 seconds
> of every minute my connection is jammed with this garbage ...
> it would be a hassle to change providers for many reasons,
> do i have any right to make them stop? :) i mean, it's
> almost a DOS attack, isn't it? :)

Well, no. As I said, all indications are that this is coming from
*your* machine.

>> Aren't these caused by samba or another program of the sort which are
>> answered by an "MS" machine? That is how it is on my network...
>
> i am not running samba or anything ...
> i have one other BSD machine on an ethernet,
> but it is quiet and doesn't have anything to do with this.
> it happens every minute ... 24 hours a day ...

OK, let's look at your network more closely.

1. Is the other box the only machine on the Ethernet?
2. Is the machine 'groggy' performing address translation for the Ethernet?
3. Is the other box running anything Microsoft-like?
4. Are you blocking port 137 coming in?
5. Which version of named are you running?

> i run only the following - apache + squid ...
> (3.5.1-R)
>
> ftp stream
> telnet stream
> pop3 stream
> finger stream
> auth stream
> comsat dgram
> ntalk dgram
>
> my machine is groggy, and it seems to all be initiated with :
>
>>>> 05:13:24.048994 209-193-28-245.adsl.jnu.acsalaska.net.netbios-ns > 208.151.115.193.netbios-ns: udp 68
>>>> 05:13:24.049044 209-193-28-245.adsl.jnu.acsalaska.net.netbios-ns > 208.151.115.193.netbios-ns: udp 68

Please don't wrap these lines.

There's no reason to believe that these messages initiate anything.
There is, however, a very good question what these messages are doing
on your particular ppp link.
From here, the three machines in question seem to be quite a distance
apart.

traceroute to 208.151.115.193 (208.151.115.193), 30 hops max, 40 byte packets
...
11 sea-sjc2-oc48.sea.above.net (208.184.102.178) 368.395 ms 368.317 ms 379.927 ms
12 seattle-core1.sea.above.net (208.185.175.18) 383.597 ms 388.555 ms 375.767 ms
13 alaska-abovenet.sea.above.net (209.249.0.148) 366.970 ms 370.782 ms 375.406 ms
14 *^C
traceroute to groggy.anc.ptialaska.net (198.70.228.224), 30 hops max, 40 byte packets
...
13 alaska-abovenet.sea.above.net (209.249.0.148) 381.277 ms 367.127 ms 366.569 ms
14 ds3-p2p.anc.ptialaska.net (208.151.100.165) 408.009 ms 435.738 ms 408.855 ms
15 enh-4.anc.ptialaska.net (208.151.119.1) 421.441 ms 439.651 ms 401.611 ms
16 groggy.anc.ptialaska.net (198.70.228.224) 544.191 ms 556.567 ms 601.520 ms
traceroute to 209.193.28.245 (209.193.28.245), 30 hops max, 40 byte packets
...
13 alaska-abovenet.sea.above.net (209.249.0.148) 377.137 ms 376.383 ms 379.356 ms
14 ds3-p2p.anc.ptialaska.net (208.151.100.165) 413.292 ms 428.787 ms 398.543 ms
15 fe9-0-cr2.nwc.ptialaska.net (208.151.100.222) 407.105 ms 432.320 ms 400.682 ms
16 s2-0-cr1.jdc.ptialaska.net (208.151.100.210) 429.451 ms 417.332 ms 431.438 ms
17 208.151.107.245 (208.151.107.245) 445.840 ms 449.656 ms 426.777 ms
18 * * *

I wouldn't expect any traffic for either of the other systems to come
even close to where you are. You should definitely ask your ISP what
is going on.

> Active Internet connections (including servers)

This all looks normal enough.

>>>> i don't use dhcp or anything like that ...
>>>
>>> Are you sure you're not running some other daemon which uses this
>>> service? Take a look with 'ps lax' and see what you get.
>
> ps alx ... (i don't think anything is unusual here ...)

No, I don't see anything either.

>>> The messages seem to be coming from your end. I don't even see any
>>> replies.
>>> The two messages at 05:13:25.548800 have nothing to do with
>>> you, but suggest that you're on a broadcast medium. Considering that
>>> the names suggest this is ADSL, you might ask your ISP about that.
>
> i don't think i am initiating anything ... i am confused ...

The tcpdump clearly shows that the initiator of nearly all these
machines is groggy, which is your machine.

> it seems that my udp 68 stuff is initiated by those first 2 packets
> using my machine as a relay or something - and i don't like being a
> relay for anything :)

The first two packets have nothing to do with it, except they seem to
be doing the same thing rather less frequently. It seems that your
system is sending pairs of packets in intervals which range from 90 to
130 ms, which is rather frequent, admittedly. Look at the following
second:

> 05:15:26.040337 groggy.56121 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.040375 groggy.56121 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.080330 groggy.37645 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.080362 groggy.37645 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.160306 groggy.60574 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.160338 groggy.60574 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.200359 groggy.65226 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.200391 groggy.65226 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.290300 groggy.46666 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.290332 groggy.46666 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.330318 groggy.39500 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.330352 groggy.39500 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.410323 groggy.47168 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.410358 groggy.47168 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.470325 groggy.55759 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.470374 groggy.55759 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.520400 groggy.34935 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.520432 groggy.34935 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.590339 groggy.44858 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.590371 groggy.44858 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.640321 groggy.49854 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.640353 groggy.49854 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.690360 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.690392 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.770299 groggy.54822 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.770330 groggy.54822 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.820697 groggy.50768 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.820730 groggy.50768 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.890317 groggy.37558 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.890348 groggy.37558 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.950327 groggy.52515 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.950359 groggy.52515 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.990323 groggy.65431 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.990355 groggy.65431 > 208.151.115.193.netbios-ns: udp 68

That's 34 messages of 68 bytes each, a total of 18,500 bits. That
should be a good chunk of your modem bandwidth. Now the crucial
question: which way are they going over the modem? Traceroute suggests
that they're going out, but you have these other messages from
209-193-28-245.adsl.jnu.acsalaska.net which shouldn't be there at all.
What if they're really coming in? In that case, your ISP has a real
bad case of misconfiguration.

> i collected 5MB of this stuff in a few hours, and it's exactly the
> same sequence over and over, 24 hours a day. enh-1 is one of my
> ISP's boxes. why is it telling me "exceeded time in transit" ? it
> seems to be some kinda probe or something, or what? but what is
> getting my FBSD box (groggy) to reply?

This "time exceeded in transit" ICMP message appears to be coming as a
result of the packets going out with ttl 1.
They're all from port 49409, which has thus probably been active for
at least 4 seconds. In fact, it looks as if all the ports send exactly
6 messages. If I sort by port number, I get:

05:15:28.240503 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:28.240536 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:29.840319 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:29.840352 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:31.430499 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:31.430538 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:26.690360 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
05:15:26.690392 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
05:15:28.290324 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
05:15:28.290354 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
05:15:29.860662 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
05:15:29.860694 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
05:15:29.170381 groggy.34570 > 208.151.115.193.netbios-ns: udp 68
05:15:29.170412 groggy.34570 > 208.151.115.193.netbios-ns: udp 68
05:15:30.740672 groggy.34570 > 208.151.115.193.netbios-ns: udp 68
05:15:30.740703 groggy.34570 > 208.151.115.193.netbios-ns: udp 68
05:15:32.320390 groggy.34570 > 208.151.115.193.netbios-ns: udp 68
05:15:32.320421 groggy.34570 > 208.151.115.193.netbios-ns: udp 68

etc. So if your system was sending this stuff, you'd expect it to show
up in the netstat output.

On the whole, I'm beginning to think that this is incoming traffic,
not outgoing. If you have an external modem, the direction of traffic
should be obvious from the LEDs. Otherwise you can confirm this with
netstat.

Greg
--
When replying to this message, please copy the original recipients.
If you don't, I may ignore the reply.
For more information, see http://www.lemis.com/questions.html
Finger grog@lemis.com for PGP public key
See complete headers for address and phone numbers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
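An added example, not part of the original message: a small Python parser for tcpdump UDP summary lines in the format quoted above, reproducing the three checks Greg does by hand (datagrams per source port, which direction the traffic is going relative to the local host, and the bits-per-window estimate). The sample input is a constructed subset of the lines quoted in the thread, and "groggy" is taken as the local host name as in the thread.

```python
import re
from collections import Counter
# tcpdump summary lines as quoted in the thread: "HH:MM:SS.usec src.port > dst.port: udp LEN"
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) (\S+)\.(\S+) > (\S+)\.(\S+): udp (\d+)$")
# Constructed sample: a subset of the lines quoted above, one foreign-source line included.
SAMPLE = """\
05:15:28.240503 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:28.240536 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:29.840319 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:29.840352 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:31.430499 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:31.430538 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:26.690360 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
05:15:26.690392 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
05:13:24.048994 209-193-28-245.adsl.jnu.acsalaska.net.netbios-ns > 208.151.115.193.netbios-ns: udp 68
"""

def parse(text):
    """Parse UDP summary lines into dicts; lines in any other format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hh, mm, ss, src, sport, dst, dport, length = m.groups()
        records.append({
            "ts": int(hh) * 3600 + int(mm) * 60 + float(ss),  # seconds since midnight
            "src": src, "sport": sport, "dst": dst, "dport": dport, "len": int(length),
        })
    return records

def packets_per_port(records, host):
    """Datagrams per source port for one host: the 'sort by port number' step."""
    return Counter(r["sport"] for r in records if r["src"] == host)

def direction(records, host):
    """(sent, received) counts for host: answers 'which way are they going?'."""
    sent = sum(1 for r in records if r["src"] == host)
    received = sum(1 for r in records if r["dst"] == host)
    return sent, received

def bits_in_window(records, t0, t1):
    """UDP payload bits with t0 <= ts < t1: the '34 messages of 68 bytes' estimate."""
    return sum(r["len"] * 8 for r in records if t0 <= r["ts"] < t1)

if __name__ == "__main__":
    recs = parse(SAMPLE)
    print(packets_per_port(recs, "groggy"), direction(recs, "groggy"))
    print(bits_in_window(recs, 5 * 3600 + 15 * 60 + 26, 5 * 3600 + 15 * 60 + 32))
```

Note that tcpdump only shows what the interface saw; as Greg says, whether the datagrams are leaving or arriving over the modem still has to be confirmed with netstat or the modem LEDs.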