Date: Tue, 7 May 2002 21:46:37 -0700 (PDT) From: Patrick Thomas <root@utility.clubscholarship.com> To: Jason Stone <jason@shalott.net> Cc: <freebsd-security@freebsd.org> Subject: Re: what does a syncookies attack look like ? Message-ID: <20020507214035.B8475-100000@utility.clubscholarship.com> In-Reply-To: <20020507192651.T6630-100000@walter>
> What evidence do you have that you're being attacked? Is it possible that
> something on the system has just been misconfigured or something and is
> eating up all your resources?

The reason we suspect it is an attack - or at least an outside influence - is that the crash/hang occurs at exactly the same time every day. Of course the first reaction to that would be "probably a cron job" ... however we have ruled that out by setting the system time to the time that it crashes .. at times of the day with analogous (or greater) load than when it really does crash. When we artificially set the time to the "zero hour" nothing happens. However, when that time comes up in the "real world", the server hangs like I described.

So, much like you suggested, I was running a once-per-minute cron job that tested the following:

netstat -m >> /tmp/log
ps auxw | wc -l >> /tmp/log
ps auxw >> /tmp/log
vmstat -m >> /tmp/log
vmstat 1 4 >> /tmp/log
pstat -s >> /tmp/log
vmstat -z >> /tmp/log

and there is no interesting output. Even the output one minute before the crash is completely uninteresting. Swap usage is _literally_ _zero_. About 1gig total free memory ... and then 30-60 seconds later, before the next cron job can run and collect those stats again, it crashes - always at the exact same time.

Any other metrics I should be looking at besides the ones I have? tcpdump on the machine itself and on the firewall reveals nothing interesting. Not an interesting level of traffic in terms of transactions or bandwidth.

We're going crazy here trying to figure it out. We are running the very first 4.5-RELEASE, and we have so far only patched the included sshd, and done the chmod on the `keylink` file or whatever it was that was suid root. Otherwise it is a stock very first release of 4.5-RELEASE.

thanks for any suggestions/help,

PT