From owner-freebsd-security Tue May 18 2:49:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mta2-rme.xtra.co.nz (mta.xtra.co.nz [203.96.92.3]) by hub.freebsd.org (Postfix) with ESMTP id DA06814CFF for ; Tue, 18 May 1999 02:49:51 -0700 (PDT) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker ([210.55.152.50]) by mta2-rme.xtra.co.nz (InterMail v04.00.02.07 201-227-108) with SMTP id <19990518095202.EPCY7623210.mta2-rme@wocker> for ; Tue, 18 May 1999 21:52:02 +1200
From: "Dan Langille"
Organization: The FreeBSD Diary
To: freebsd-security@freebsd.org
Date: Tue, 18 May 1999 21:49:49 +1200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: http attack(?)
Reply-To: junkmale@xtra.co.nz
X-mailer: Pegasus Mail for Win32 (v3.01d)
Message-Id: <19990518095202.EPCY7623210.mta2-rme@wocker>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

A few days ago, I noticed my machine was running extremely slowly. I did a top 10 at the console and got "too many open files". Existing telnet sessions were non-responsive. New telnets would not start.

I then tried a top 5. named and syslogd were busy.

I looked at httpd.error and found 21 of these spread over 14 seconds:

[Sat May 15 16:45:34 1999] accept: (client socket): Too many open files in system

Looking in the access logs for one of my virtual websites I found this. Bits have been snipped to save repetition and conserve space.
per.wave.orc.ru - - [15/May/1999:10:55:57 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:10:56:58 +1200] "-" 408 -
[etc]
per.wave.orc.ru - - [15/May/1999:16:42:21 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:42:49 +1200] "-" 408 -
212.48.133.22 - - [15/May/1999:16:45:30 +1200] "-" 408 -
212.48.133.22 - - [15/May/1999:16:46:19 +1200] "-" 408 -
[at which point I guess httpd decided not to translate any more or named gave up]
[this is also roughly the point at which I noticed the system was slowing]
212.48.133.22 - - [15/May/1999:16:55:35 +1200] "-" 408 -
212.48.133.22 - - [15/May/1999:16:55:40 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:55:47 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:55:47 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:55:48 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:55:48 +1200] "-" 408 -
212.48.133.22 - - [15/May/1999:16:55:59 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:56:05 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:56:47 +1200] "-" 408 -
[etc]
per.wave.orc.ru - - [15/May/1999:17:14:13 +1200] "-" 408 -
[ends]

I shortly thereafter started blocking this address at my firewall. A further 200 or so packets were blocked. No further activity has been seen. Messages sent to various addresses at orc.ru have gone unanswered.

Is this a known attack? A browser gone mad? A remark on irc was that httpd was trying to consume more resources than the machine possessed.

-- 
Dan Langille - DVL Software Limited
The FreeBSD Diary - http://www.FreeBSDDiary.org/freebsd/
NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/
The Racing System - http://www.racingsystem.com/racingsystem.htm

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
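The pattern in the access log above is the useful signal: Apache writes a 408 with "-" as the request line when a client opens a TCP connection and then never finishes sending a request before the Timeout directive expires, and every such connection holds a descriptor and a server slot for the whole Timeout period. Enough of them from one or two sources and the box hits the kernel-wide descriptor limit (ENFILE, "Too many open files in system"; kern.maxfiles on FreeBSD), which is exactly what the error log shows. The following is an added example, not code from the post or from the list: it parses common-log-format lines like the ones quoted and flags any client that produced a burst of 408s inside a sliding window. The sample lines are constructed to mirror the post (one 200 hit from a documentation address and one unparseable line are added to exercise the parser), and the threshold and window values are assumptions to be tuned per site.

```python
"""Flag clients whose timed-out requests (HTTP 408) arrive in bursts.

Added example, not from the original post. Parses Apache common log format
("host ident user [time] \"request\" status bytes") and keeps a per-client
sliding window of 408 timestamps; a client whose window ever holds
`threshold` or more entries is reported with the span and peak count.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common log format; status "-" and bytes "-" are tolerated, as in the post.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}|-) (?P<bytes>\d+|-)'
)

# Constructed sample: mirrors the burst in the post, plus one normal hit from a
# documentation address (203.0.113.7) and one garbage line the parser must skip.
SAMPLE_LOG = """\
per.wave.orc.ru - - [15/May/1999:10:55:57 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:10:56:58 +1200] "-" 408 -
203.0.113.7 - - [15/May/1999:16:55:30 +1200] "GET /index.html HTTP/1.0" 200 4521
212.48.133.22 - - [15/May/1999:16:55:35 +1200] "-" 408 -
212.48.133.22 - - [15/May/1999:16:55:40 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:55:47 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:55:47 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:55:48 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:55:48 +1200] "-" 408 -
212.48.133.22 - - [15/May/1999:16:55:59 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:56:05 +1200] "-" 408 -
per.wave.orc.ru - - [15/May/1999:16:56:47 +1200] "-" 408 -
this line is garbage and must be skipped
""".splitlines()


def parse_line(line):
    """Return (host, timestamp, request, status) or None if the line is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    status = m.group("status")
    return m.group("host"), ts, m.group("request"), (int(status) if status != "-" else None)


def find_timeout_floods(lines, threshold=5, window_seconds=60):
    """Return {host: (first_ts, last_ts, peak)} for hosts that reached `threshold`
    408 responses within any `window_seconds` span. Threshold and window are
    assumed starting values, not figures from the post."""
    recent = defaultdict(deque)   # host -> timestamps of 408s still inside the window
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts, _request, status = parsed
        if status != 408:
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop entries that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            prev = flagged.get(host)
            first = prev[0] if prev else q[0]
            peak = max(len(q), prev[2] if prev else 0)
            flagged[host] = (first, ts, peak)
    return flagged


if __name__ == "__main__":
    for host, (first, last, peak) in find_timeout_floods(SAMPLE_LOG).items():
        print(f"{host}: {peak} timeouts in one window, {first:%H:%M:%S} to {last:%H:%M:%S}")
```

Run against a real log (`python3 flood.py < access_log` after swapping `SAMPLE_LOG` for `sys.stdin`) this gives you the source to block; the durable fixes are on the server side, namely a shorter Apache `Timeout` so idle connections are reaped quickly, and a `kern.maxfiles` sized so that one misbehaving client cannot starve named, syslogd and your own login shell of descriptors.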