From: Colin Faber
Reply-To: cfaber@fpsn.net
Date: Thu, 02 Nov 2000 16:27:55 -0700
To: Buliwyf McGraw
Cc: security@FreeBSD.ORG
Subject: Re: DOS attack II

Sounds like someone tried to ping flood you,

Buliwyf McGraw wrote:
>
> > Have you checked your squid logs for the times when server load goes too
> > high?
>
> It was the first thing we did... but there is not something different
> or strange in the logs... I check the /var/log/messages and the squid
> logs... the only special thing was what I told you:
> "icmp_request bandwidth limit 105/100 pps"
> Nothing more.
>
> > Just a wild guess, but you may have an open HTTP proxy, being abused by
> > people who get paid for each click on a banner.
>
> The proxy isn't open. It is only for my domain... the problem maybe is
> that we have much users... but anyway, the proxy was working good until
> some weeks ago.
>
> > What is the source of the squid connections?
>
> All my intranet (only) do the requests. Internet give us the answers.
>
> The next time, when the problems come back, I gonna use tcpdump to check
> what is coming to the interface... I will use ttt to see what is the
> protocol with more load in the segment... and then I expect get
> something about the problem.
>
> Thanks for any comment...
>
>
> > On Thu, 2 Nov 2000, Buliwyf McGraw wrote:
> >
> > >
> > > I was researching about the last incidents on the machine with the
> > > system load problem (possible attack) ...
> > > I get this: the service which crash the server when the problem
> > > starts is the famous "squid".
> > > Normal days, the squid is running without problems and the load of
> > > the server is 0.5 (average), the required cputime for the program
> > > is 20%. Then the world is beautiful.
> > > But, when we have a bad day... the squid need 90% 95% 100% cputime
> > > and the load of the server jump until crash. The interrupts are too
> > > big in these moments.
> > > If I quit the network cable from the server... the load disappear and
> > > everything is right, but, if I put the network cable again... booom!!!
> > >
> > > The problem isn't everyday, is just sometimes, somedays... few hours.
> > >
> > > Thanks for any comment or suggestion... ;)
> >
>
> =======================================================================
> Buliwyf McGraw
> Administrador del Servidor Libertad
> Centro de Servicios de Informacion
> Universidad del Valle
> =======================================================================
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message