From: "Chad Leigh -- Shire.Net LLC"
Date: Mon, 16 May 2005 10:13:13 -0600
To: David Kelly
cc: FreeBSD Mailing List
Subject: Re: is this a possible DoS attack?

On May 16, 2005, at 9:44 AM, David Kelly wrote:

> On Mon, May 16, 2005 at 08:26:58AM -0600, Chad Leigh -- Shire.Net LLC wrote:
>
>> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
>> 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
>
> [...]
>
>> The address 166.70.252.252 is on another server that has not
>> changed at all and is on a linux server that has that address but has
>> no open ports / services listening on that address at all (it does
>> all its listening on a private 192.168 type address -- the public
>> address assignment is to make it easier for it to go out to the world
>> for updates)
>
> Both nets on the Linux machine on the same NIC?

Yes

> If so then I'd suspect
> something with Linux. Else note the MAC address only differs by one bit.
> Unless that rings a bell as a signature of a DoS then I'd suspect either
> the Linux NIC or ethernet switch between. None the less whatever the
> cause doesn't excuse FreeBSD for falling on its face.

True

From what I have been able to dig up in the Linux box's logs, there was a jfs filesystem bug of some sort and that is about when all this started happening. The machine itself cannot be remotely rebooted due to some filesystem errors so I am off downtown to reboot it and see what happens.

I agree that the FBSD box should not fall on its face. It is a 4-something (reasonably recent) but is being "retired" as all the services and customers get moved to a new 5.3 box that we have been transitioning to, and this machine is to be rebuilt in 1 week as a 5.4 dedicated server.

And thanks to all who replied, even if I do not get a reply off to you personally!

Chad
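
The one-bit observation in the quoted reply can be checked mechanically. The following is an added example, not part of the original message: it parses `arp: ... moved from ... to ...` kernel lines in the format quoted above and counts how many bits differ between the old and new MAC. The function names, the verdict wording and every sample line except the first are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Kernel message format as quoted in the thread: "arp: IP moved from MAC to MAC on IF".
MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
ARP_MOVED = re.compile(
    r"arp: (?P<ip>[\d.]+) moved from (?P<old>" + MAC + r") to (?P<new>" + MAC
    + r") on (?P<ifc>\S+)", re.IGNORECASE)

def bit_distance(old, new):
    """Number of bits that differ between two colon-separated MAC addresses."""
    a, b = (int(m.replace(":", ""), 16) for m in (old, new))
    return bin(a ^ b).count("1")

def triage(lines):
    """Group 'moved from' events per IP address and attach a triage hint."""
    events = defaultdict(list)
    for line in lines:
        m = ARP_MOVED.search(line)
        if m:
            events[m["ip"]].append((m["old"].lower(), m["new"].lower()))
    report = {}
    for ip, moves in events.items():
        macs = sorted({mac for pair in moves for mac in pair})
        max_bits = max(bit_distance(old, new) for old, new in moves)
        if max_bits <= 1:
            # Heuristic from the reply: a one-bit change points at hardware.
            verdict = "single-bit difference: suspect NIC, cable or switch"
        elif len(macs) == 2 and len(moves) > 1:
            verdict = "flapping between two MACs: duplicate IP or ARP spoofing"
        else:
            verdict = "MAC changed: confirm NIC swap, otherwise investigate"
        report[ip] = {"moves": len(moves), "macs": macs,
                      "max_bits": max_bits, "verdict": verdict}
    return report

# Constructed sample. Line 1 is the log entry from the thread joined onto one
# line; the 192.0.2.10 lines are made up to show the contrasting case.
SAMPLE = [
    "May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from "
    "00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0",
    "May 16 03:15:10 examplehost /kernel: arp: 192.0.2.10 moved from "
    "00:00:5e:00:53:01 to 02:00:00:aa:bb:cc on dc0",
    "May 16 03:15:40 examplehost /kernel: arp: 192.0.2.10 moved from "
    "02:00:00:aa:bb:cc to 00:00:5e:00:53:01 on dc0",
]

if __name__ == "__main__":
    for ip, info in triage(SAMPLE).items():
        print(ip, info["max_bits"], info["verdict"])
```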