From owner-freebsd-hackers@FreeBSD.ORG Sat Nov 24 22:09:00 2007
Message-ID: <4748A0FA.1060402@elischer.org>
Date: Sat, 24 Nov 2007 14:08:58 -0800
From: Julian Elischer
To: "Joel V."
Cc: freebsd-hackers@freebsd.org
References: <000101c82ed9$4d0986b0$0200a8c0@windsor>
In-Reply-To: <000101c82ed9$4d0986b0$0200a8c0@windsor>
Subject: Re: Welcome to Hell / Mysterious networking troubles on FreeBSD
List-Id: Technical Discussions relating to FreeBSD

Joel V. wrote:
> Hello.
>
> A big thanks to everyone who contacted me. FreeBSD really has the best
> community one could hope for.
>
> Now, it has been confirmed by the backbone manager that we're dealing with a
> DDOS attack. However, the ISP seems to be as clueless as a headless sheep,
> and we haven't been able to contact their technical staff yet (of course one
> can't be 100% sure that they even have a technical staff, judging by the
> level of their response).
>
> Hopefully the situation will be fixed soon. One final question though: are
> there any quick steps one can take to protect their server from DDOS attacks
> like these?

in the short term.. ipfw add 100 drop udp from (address)

>
> Again, thanks to everyone who helped out.
>
> Joel V.
>
>
> -----Original Message-----
> From: Joel V. [mailto:joel@smail.ee]
> Sent: Saturday, November 24, 2007 2:56 PM
> To: 'freebsd-hackers@freebsd.org'
> Subject: RE: Welcome to Hell / Mysterious networking troubles on FreeBSD
>
> As a lot of people recommended using tcpdump, here it is. The only thing
> that stands out are hundreds and thousands of lines like this:
>
> 13:45:49.991592 IP 82.165.252.222.36887 > ns1.galandrex.ee.43077: UDP, length 9216
> 13:45:49.996482 IP 82.165.252.222.36887 > ns1.galandrex.ee.33803: UDP, length 9216
> 13:45:50.001174 IP 82.165.252.222.36887 > ns1.galandrex.ee.63574: UDP, length 9216
> 13:45:50.005955 IP 82.165.252.222.36887 > ns1.galandrex.ee.36618: UDP, length 9216
> 13:45:50.010749 IP 82.165.252.222.36887 > ns1.galandrex.ee.48231: UDP, length 9216
>
> That IP resolves to u15194704.onlinehome-server.com. Seems to be a German
> ISP. After five seconds the capture.out file was already 2.8MB. You can see
> the file here: https://89.219.136.126/capture.out
>
> Thank you again to all the nice people who contacted me. And again, it would
> be nice if you could send me a copy of your reply, because I'm not a member
> of the list (either reply or cc to joel@spirit.ee). Thanks!
>
> Joel V.
>
>
> -----Original Message-----
> From: Joel V. [mailto:joel@smail.ee]
> Sent: Saturday, November 24, 2007 12:00 AM
> To: 'freebsd-hackers@freebsd.org'
> Subject: Welcome to Hell / Mysterious networking troubles on FreeBSD
>
> Hello all,
>
> I'm not experiencing this problem, my friend is. He's simply too pissed off
> to write here and I'm afraid he's going to set his office on fire if he
> doesn't solve the problem soon, so without further ado, here's the problem:
>
> He has two fbsd boxes, main server running 6.1 and dns server running 4.3.
> He has 4 public IPs which he can use and the main server is running on
> x.x.x.122. His main box is NOT acting as a gateway/NAT box in the office.
> Today he noticed that the net is getting awfully slow. Sometimes there would be
> 50% pl when pinging, sometimes pinging would be all OK, but SSH is dead-slow
> and the webpages running on the main server are not displaying. E-mails are
> not going through. He calls the ISP, who say that his network is showing
> major uploading activity. He switches off networking services one by one in
> the main box but the situation does not improve. He disconnects the main server
> and puts a Windows XP box instead, which seems to run fine. He puts back the
> FreeBSD box, disables all networking services again except for SSH and
> connects the network: instant 100% networking slow-down. He tried to change
> the switch, thinking it's faulty. He disconnects every other computer in the
> office from the network: nothing. He put the public IP address on the
> second, internal network NIC: same thing. Now it gets really mysterious: he
> puts the old dns server with the x.x.x.122 IP and instantly it becomes slow
> as death. The logical conclusion would be that someone is flooding that IP?
> Only the Windows XP box seemed to work fine and the ISP guy said it was
> upload bandwidth that was excessive...
>
> netstat -a doesn't show anything interesting, arp -a doesn't show any
> incomplete addresses. He tried to build and install a new fresh kernel.
> Nothing. This is the most creepy networking problem I've heard of. Can YOU
> help? Any ideas where to start looking?
>
> I'm not in the freebsd-hackers list, so if you want the e-mail to reach me,
> send a copy to joel@spirit.ee
>
> Thank you in advance!
> Joel
>
>
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
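Added example (not part of the thread): a small parser for the tcpdump lines Joel quoted that tallies UDP volume per source and emits the ipfw rule Julian suggested for any source that sprays large datagrams across many destination ports. The sample capture lines and the thresholds are constructed; the `to any` clause is added because ipfw requires a destination in the rule body.

```python
import re
from collections import defaultdict

# Matches tcpdump's default UDP line, as quoted in the thread (host.port on each side):
#   13:45:49.991592 IP 82.165.252.222.36887 > ns1.galandrex.ee.43077: UDP, length 9216
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

def parse_udp(line):
    """Return (src, sport, dport, length) or None if the line is not a UDP record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["src"], int(m["sport"]), int(m["dport"]), int(m["len"])

def summarize(lines):
    """Per-source packet count, byte total and set of destination ports hit."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "dports": set()})
    for line in lines:
        rec = parse_udp(line)
        if rec is None:
            continue  # non-UDP or unparsable line
        src, _sport, dport, length = rec
        stats[src]["packets"] += 1
        stats[src]["bytes"] += length
        stats[src]["dports"].add(dport)
    return stats

def flood_sources(stats, min_packets=5, min_dports=5):
    """Sources spraying many datagrams across many ports (constructed thresholds; size to real traffic)."""
    return sorted(src for src, s in stats.items()
                  if s["packets"] >= min_packets and len(s["dports"]) >= min_dports)

def ipfw_rule(src, rule_no=100):
    """Rule in the shape Julian gave; ipfw(8) needs the 'to any' destination clause."""
    return f"ipfw add {rule_no} drop udp from {src} to any"

# Constructed sample in the thread's format (not the real capture.out).
SAMPLE = """\
13:45:49.991592 IP 82.165.252.222.36887 > ns1.galandrex.ee.43077: UDP, length 9216
13:45:49.996482 IP 82.165.252.222.36887 > ns1.galandrex.ee.33803: UDP, length 9216
13:45:50.001174 IP 82.165.252.222.36887 > ns1.galandrex.ee.63574: UDP, length 9216
13:45:50.005955 IP 82.165.252.222.36887 > ns1.galandrex.ee.36618: UDP, length 9216
13:45:50.010749 IP 82.165.252.222.36887 > ns1.galandrex.ee.48231: UDP, length 9216
13:45:50.012345 IP 192.0.2.10.53 > ns1.galandrex.ee.53: UDP, length 61
"""
```

Feed it `tcpdump -n` output (or `capture.out` read back with `tcpdump -r`) and review the flagged sources before loading any rule.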