From owner-freebsd-questions@FreeBSD.ORG Mon May 16 14:36:53 2005
Date: Mon, 16 May 2005 16:36:49 +0200
From: Joseph Borg
Reply-To: joeborg@ieee.org
To: "Chad Leigh -- Shire.Net LLC"
Cc: FreeBSD Mailing List
Subject: Re: is this a possible DoS attack?
Message-ID: <6f2ed49705051607363f0876c4@mail.gmail.com>

On 5/16/05, Chad Leigh -- Shire.Net LLC wrote:
>
> I had a server reboot itself twice in close succession in the middle
> of the night, after a long uptime. This server had not rebooted itself
> in ages (years) -- all previous boots were controlled.
>
> The syslog has the following in it a half hour or so prior to the
> first boot (the first line or two is just to show that nothing much
> happened before this happened):
>
> May 16 02:20:00 crickhollow named[87025]: zone 22.63.209.in-addr.arpa/IN: loading master file ptr.209.63.22: file not found
> May 16 02:33:31 crickhollow /kernel: Limiting icmp unreach response from 232 to 200 packets per second
> May 16 03:14:52 crickhollow /kernel: All mbufs exhausted, please see tuning(7).
> May 16 03:14:53 crickhollow last message repeated 3 times
> May 16 03:14:59 crickhollow /kernel: o 00:20:ed:16:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
>

As a first guess, I'd say there's an IP conflict, with two machines having the same IP address and hence the corresponding arp keeps changing from one machine to another...

> and then this arp message-pair (moving from one address to another
> and back) goes on a ton for 20-30 minutes then a spontaneous reboot
> then more of these arp message-pairs for another 20-30 minutes (no
> mbuf message though during the intervening period) and then another
> spontaneous reboot and then the arp message-pair went on for another
> short while 10-20 minutes and then all is relatively quiet.
>
> There were some intermediate
>
> May 16 03:59:36 crickhollow /kernel: Limiting closed port RST response from 646 to 200 packets per second
>
> sort of messages during the "arp" flood.
>
> The address 166.70.252.252 is on another server that has not
> changed at all and is on a linux server that has that address but has
> no open ports / services listening on that address at all (it does
> all its listening on a private 192.168 type address -- the public
> address assignment is to make it easier for it to go out to the world
> for updates)
>

Are these two machines: "166.70.252.252 is on another server that has not changed at all and is on a linux server that has that address"?

> The mbufs on this machine are pretty high and the usage of the
> machine has not gone up much.
>
> Here is what the mbufs look like this morning
>
> host# netstat -m
> 148/46048/131072 mbufs in use (current/peak/max):
> 148 mbufs allocated to data
> 144/468/32768 mbuf clusters in use (current/peak/max)
> 12448 Kbytes allocated to network (12% of mb_map in use)
> 0 requests for memory denied
> 0 requests for memory delayed
> 0 calls to protocol drain routines
> host#
>
> Any thoughts on what could have happened would be appreciated.
>
> Thanks
> Chad
>
> ---
> Chad Leigh -- Shire.Net LLC
> Your Web App and Email hosting provider
> chad@shire.net
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
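As an added example (not from the thread or either participant), a small Python checker that runs over syslog lines in the exact format quoted above: it separates a genuine one-off ARP move from the two-MAC flip-flop Joseph suspects (the same IP bouncing between the same two MACs), and flags the "All mbufs exhausted" messages that preceded it. The sample log lines and the year 2005 passed to the timestamp parser are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the FreeBSD /kernel ARP message quoted in the thread.
ARP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ /kernel: arp: (?P<ip>[\d.]+) moved from "
    r"(?P<old>[0-9a-f:]{17}) to (?P<new>[0-9a-f:]{17}) on (?P<ifc>\S+)$")
MBUF_RE = re.compile(r"/kernel: All mbufs exhausted")

def parse_ts(ts, year=2005):
    # Syslog timestamps carry no year; the caller supplies one (constructed assumption).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def analyze(lines, flap_threshold=4):
    """Return ARP flip-flops (an IP alternating between two MACs) and mbuf exhaustion hits."""
    moves = defaultdict(list)   # (ip, interface) -> [(ts, old_mac, new_mac), ...]
    mbuf_hits = []
    for line in lines:
        m = ARP_RE.match(line)
        if m:
            moves[(m["ip"], m["ifc"])].append((parse_ts(m["ts"]), m["old"], m["new"]))
        elif MBUF_RE.search(line):
            mbuf_hits.append(line[:15])          # the syslog timestamp prefix
    flaps = {}
    for (ip, ifc), events in moves.items():
        macs = {e[1] for e in events} | {e[2] for e in events}
        # A real host move yields one message; an address conflict keeps
        # alternating between the same two MACs, so require repeated moves.
        if len(macs) == 2 and len(events) >= flap_threshold:
            flaps[ip] = {"interface": ifc, "macs": sorted(macs), "moves": len(events),
                         "first": events[0][0].strftime("%H:%M:%S"),
                         "last": events[-1][0].strftime("%H:%M:%S")}
    return {"arp_flaps": flaps, "mbuf_exhausted_at": mbuf_hits}

# Constructed sample in the format quoted in the thread (not the original syslog).
SAMPLE = """\
May 16 02:20:00 crickhollow named[87025]: zone 22.63.209.in-addr.arpa/IN: loading master file ptr.209.63.22: file not found
May 16 03:14:52 crickhollow /kernel: All mbufs exhausted, please see tuning(7).
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
May 16 03:15:00 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:15:00 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
May 16 03:20:11 crickhollow /kernel: arp: 10.0.0.9 moved from 00:11:22:33:44:55 to 00:11:22:33:44:66 on dc0
""".splitlines()

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The single move of 10.0.0.9 is reported nowhere, while 166.70.252.252 is flagged with both MACs and the time span of the flapping.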