Date:      Wed, 17 Jan 2001 02:12:13 +0100 (CET)
From:      Janko van Roosmalen <acs.van.roosmalen@hccnet.nl>
To:        "Ron 'The InSaNe One' Rosson" <insane@lunatic.oneinsane.net>
Cc:        freebsd-stable@freebsd.org, snort-users@lists.sourceforge.net, ipfilter@coombs.anu.edu.au
Subject:   Re: Server locks up every 5-6 days
Message-ID:  <Pine.BSF.4.10.10101170159140.614-100000@parmenides.utp.xnet>
In-Reply-To: <20010115172424.A79430@lunatic.oneinsane.net>


On Mon, 15 Jan 2001, Ron 'The InSaNe One' Rosson wrote:

> I have a server running at a client's that has a problem of rebooting
> every 5-6 days. Its duties are as follows:
> 
> 	Provide NAT for 25 workstations
> 	Be a Network Firewall
> 	Be a Network IDS
> 	Run a Web server for easy viewing for the Higher-ups
> 
> The Server is FreeBSD 4.2-STABLE as of Dec 21, 2000 running on a k6-2
> 400 (mobo has the pcib2: <VIA 82C598MVP (Apollo MVP3) Chipset>). The
> internal and external interfaces are Intel Pro 10/100B/100+ Ethernet
> cards. Machine has 64megs of RAM
> 
> The NAT and Firewall chores are being handled by ipfilter 3.4.8
> 
> The IDS is snort version 1.7 logging to a mysql database (localhost)
> running the vision.conf ruleset (http://whitehats.com/ids)
> 
> The webserver is Apache version 1.3.14 with mod_php4 (to allow ACID for
> snort to be viewed properly).
> 
> The only public port open to this box is 22 (ssh) for administrative
> purposes. All other ports are blocked or filtered.
> 
> From looking at the /var/log/messages and the ACID interface the box
> seems to get bombarded with the following log entries:
> 
> Jan 11 18:26:30 mybox snort: IDS193/ddos-stacheldraht server-spoof: xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
> 

Stacheldraht (German for barbed wire) is a tool used for distributed DOS
attacks. Either you are a target or used as a launchpad for Stacheldraht
DOS attacks. This type of attack brought down Yahoo and Amazon last year.

You can find information about Stacheldraht on www.cert.org. You also
could report this incident to CERT at www.cert.org. 

> 
> Anyone have any ideas what could be causing this.. The Lockups are in
> such a way that the only choice you have is to hit the reset button.
> 

===Janko van Roosmalen - Vught - Netherlands===


