From owner-freebsd-hackers@FreeBSD.ORG Sat Nov 24 15:02:09 2007
Return-Path:
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D449316A418 for ; Sat, 24 Nov 2007 15:02:09 +0000 (UTC) (envelope-from info@martenvijn.nl)
Received: from lists.martenvijn.nl (vijn.xs4all.nl [194.109.254.102]) by mx1.freebsd.org (Postfix) with ESMTP id A389713C43E for ; Sat, 24 Nov 2007 15:02:09 +0000 (UTC) (envelope-from info@martenvijn.nl)
Received: from [192.168.1.6] (workstation.martenvijn.nl [192.168.1.6]) by lists.martenvijn.nl (Postfix) with ESMTP id 6FFA85C97; Sat, 24 Nov 2007 15:59:48 +0100 (CET)
From: Marten Vijn
To: Bill Moran
In-Reply-To: <20071124085117.5b31452c.wmoran@collaborativefusion.com>
References: <000001c82e1c$27909d50$0200a8c0@windsor> <20071124085117.5b31452c.wmoran@collaborativefusion.com>
Content-Type: text/plain
Date: Sat, 24 Nov 2007 15:45:40 +0100
Message-Id: <1195915540.4426.15.camel@workstation.martenvijn.nl>
Mime-Version: 1.0
X-Mailer: Evolution 2.10.3 FreeBSD GNOME Team Port
Content-Transfer-Encoding: 7bit
Cc: freebsd-hackers@freebsd.org, "Joel V."
Subject: Re: Welcome to Hell / Mysterious networking troubles on FreeBSD
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 24 Nov 2007 15:02:09 -0000

On Sat, 2007-11-24 at 08:51 -0500, Bill Moran wrote:
> "Joel V." wrote:
> >
> > Hello all,
> >
> > I'm not experiencing this problem, my friend is. He's simply too pissed off
> > to write here and I'm afraid he's going to set his office on fire if he
> > doesn't solve the problem soon, so without further ado, here's the problem:
> >
> > He has two fbsd boxes, main server running 6.1 and dns server running 4.3.
> > He has 4 public IPs which he can use and the main server is running on
> > x.x.x.122. His main box is NOT acting as a gateway/NAT box in the office.
> > Today he noticed that the net is getting awfully slow. Sometimes there would be
> > 50% pl when pinging, sometimes pinging would be all OK, but SSH is dead-slow
> > and the webpages running on the main server are not displaying. E-mails are
> > not going through. He calls the ISP, who say that his network is showing
> > major uploading activity. He switches off networking services one by one in
> > the main box but the situation does not improve. He disconnects the main server
> > and puts a Windows XP box in instead, which seems to run fine. He puts back the
> > FreeBSD box, disables all networking services again except for SSH and
> > connects the network: instant 100% networking slow-down. He tried to change
> > the switch, thinking it's faulty. He disconnects every other computer in the
> > office from the network: nothing. He put the public IP address on the
> > second, internal network NIC: same thing. Now it gets really mysterious: he
> > puts the old dns server on with the x.x.x.122 IP and instantly it becomes slow
> > as death. The logical conclusion would be that someone is flooding that IP?
> > Only the Windows XP box seemed to work fine and the ISP guy said it was
> > upload bandwidth that was excessive...
> >
> > netstat -a doesn't show anything interesting, arp -a doesn't show any
> > incomplete addresses. He tried to build and install a new fresh kernel.
> > Nothing. This is the most creepy networking problem I've heard of. Can YOU
> > help? Any ideas where to start looking?
>
> +1 on the tcpdump work. Once you have the packet capture, something like
> Wireshark will give you a pretty view of the packets.
> However, posting
> the text output of tcpdump will allow the crew on this mailing list to
> give you specific advice (once you've done what Julian suggests, you
> can get text output by doing tcpdump -r capture.out)
>
> Overall, based on your vague symptoms, I'd guess you got cracked and
> someone's running a spambot or other bot on that box. They may even
> have it rooted.
>

You may find that out by putting a bridging box (man bridge and sysctl) in between the internet connection and your box and dumping there. For a temporary setup I would use my laptop with an extra USB Ethernet device.

A mirror port on a switch + sFlow / NetFlow could show the traffic in ntop to get more insight into your traffic.

More tools:

nmap
tcpflow
chkrootkit
md5sum (too late for tripwire) if you have your bins somewhere else on tar/tape/cd

Marten