From owner-freebsd-questions Tue Jun 16 00:14:18 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA08233 for freebsd-questions-outgoing; Tue, 16 Jun 1998 00:14:18 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA08183 for ; Tue, 16 Jun 1998 00:14:08 -0700 (PDT) (envelope-from kuku@gilberto.physik.RWTH-Aachen.DE)
Received: from gilberto.physik.RWTH-Aachen.DE (gilberto.physik.rwth-aachen.de [137.226.30.2]) by freefall.freebsd.org (8.8.8/8.8.5) with ESMTP id AAA23315 for ; Tue, 16 Jun 1998 00:13:04 -0700 (PDT)
Received: (from kuku@localhost) by gilberto.physik.RWTH-Aachen.DE (8.8.8/8.8.7) id JAA03105; Tue, 16 Jun 1998 09:14:00 +0200 (MEST) (envelope-from kuku)
Message-ID: <19980616091359.45134@gil.physik.rwth-aachen.de>
Date: Tue, 16 Jun 1998 09:13:59 +0200
From: Christoph Kukulies
To: Doug White
Cc: Christoph Kukulies , freebsd-questions@freefall.cdrom.com
Subject: Re: using tcpdump effectively
References: <199806151447.QAA29137@gilberto.physik.RWTH-Aachen.DE>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.81e
In-Reply-To: ; from Doug White on Mon, Jun 15, 1998 at 08:29:47PM -0700
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Jun 15, 1998 at 08:29:47PM -0700, Doug White wrote:
> On Mon, 15 Jun 1998, Christoph Kukulies wrote:
> 
> > To trace down why some network based X11 sessions are spuriously failing
> > I'm trying to use tcpdump.
> > 
> > What sporadically happens is that an X session to our Mentor Design Architect
> > running on HP ceases and the connection breaks (we login via rlogin
> > and start the X client with DISPLAY set to the FreeBSD machine.)
> > 
> > When the connection breaks we see something like 'no route to host'

It seems that I have found the problem.

I logged (tcpdump) all packets to and from the two hosts and this morning my
colleague called me up and said it happened again. I peeked into my logs and
found the following interesting passage right at the time it happened:

08:28:03.140374 monk.6000 > hp.1327: P 151773:151805(32) ack 661157 win 17520 (DF)
08:28:03.151214 monk.6000 > hp.1327: P 151805:151837(32) ack 661157 win 17520 (DF)
08:28:03.152081 arp who-has monk tell aca402a.physik.rwth-aachen.de
08:28:03.152336 arp reply monk is-at 0:40:95:24:d5:9b
08:28:03.152780 aca402a.physik.rwth-aachen.de > monk: icmp: host hp unreachable
08:28:03.163115 monk.6000 > hp.1327: P 151837:151869(32) ack 661157 win 17520 (DF)
08:28:03.167881 hp.1327 > monk.6000: . ack 151869 win 7776
08:28:03.172922 monk.6000 > hp.1327: P 151869:151901(32) ack 661157 win 17520 (DF)
08:28:03.185096 monk.6000 > hp.1327: P 151901:151933(32) ack 661157 win 17520 (DF)

Two things are interesting: monk (the X display server (FreeBSD)) received a
packet from a host which shouldn't be involved at all (sniper hosts). This host
is telling monk via icmp that hp is unreachable. I'd bet this is an old NT
system (< 3.51). The address of that host is a name which consists of only hex
digits - maybe not important, but you never know.

I've sent a colleague through the building to take this host from the network.
I'd bet it is an NT system < 3.51 (or, in the worst case, a malign program).

> Most likely the client is losing the network connection to the host,
> either by damage to the routing tables on the client or on an intermediate
> network device. Run a traceroute to the HP box when MDA crashes and see if
> it fails anywhere.
> 
> > Could that be caused by denial of service attacks? What exactly is a denial
> > of service attack?
> 
> A denial of service attack (DoS) attempts to keep a machine from being
> serviceable by overwhelming it with requests or by disabling a server,
> rendering it useless.
> 
> Doug White                              | University of Oregon
> Internet:  dwhite@resnet.uoregon.edu    | Residence Networking Assistant
> http://gladstone.uoregon.edu/~dwhite    | Computer Science Major
> NOTICE:  Make sure your mailer replies to dwhite@resnet or I won't get it!
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
--Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de
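The trace above shows the one thing worth automating in this kind of hunt: an ICMP "host unreachable" aimed at one endpoint of a TCP session, sent by a machine that is neither endpoint nor a router on the path. ICMP errors carry no authentication, so any host on the segment can inject one. The script below is an added example, not code from this mail or from the FreeBSD project: it parses tcpdump's text output in the format shown in the post, flags third-party unreachables about a monitored host pair, and builds the capture filter that keeps such packets (a filter of just `host monk and host hp` would have dropped the culprit's packet, since its source is a third host). The hostnames monk, hp and aca402a.physik.rwth-aachen.de are taken from the post; the embedded trace is constructed to mirror the posted lines, not a real capture, and the `trusted` list of legitimate routers is an assumption the operator fills in.

```python
"""Spot third-party ICMP "unreachable" messages in tcpdump text output.

Added example, not code from the mail above.  Parses the classic tcpdump
line format shown in the post and flags any ICMP unreachable whose sender
is neither of the two TCP endpoints nor a host listed as a trusted router.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample, modelled on the trace in the post (not a real capture).
SAMPLE_TRACE = """\
08:28:03.140374 monk.6000 > hp.1327: P 151773:151805(32) ack 661157 win 17520 (DF)
08:28:03.151214 monk.6000 > hp.1327: P 151805:151837(32) ack 661157 win 17520 (DF)
08:28:03.152081 arp who-has monk tell aca402a.physik.rwth-aachen.de
08:28:03.152336 arp reply monk is-at 0:40:95:24:d5:9b
08:28:03.152780 aca402a.physik.rwth-aachen.de > monk: icmp: host hp unreachable
08:28:03.163115 monk.6000 > hp.1327: P 151837:151869(32) ack 661157 win 17520 (DF)
08:28:03.167881 hp.1327 > monk.6000: . ack 151869 win 7776
"""

# One tcpdump text line carrying an ICMP destination-unreachable message:
#   <ts> <src> > <dst>: icmp: [host|net|protocol] <target> unreachable
ICMP_UNREACH = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>[^\s:]+)\s+>\s+(?P<dst>[^\s:]+):\s+icmp:\s+"
    r"(?:(?P<kind>host|net|protocol)\s+)?(?P<target>\S+)\s+unreachable"
)


@dataclass(frozen=True)
class SpuriousUnreachable:
    ts: str
    sender: str        # who sent the ICMP error
    victim: str        # endpoint that received it
    claimed_dead: str  # endpoint the error claims is unreachable


def spurious_unreachables(trace: str, endpoints: Set[str],
                          trusted: Iterable[str] = ()) -> List[SpuriousUnreachable]:
    """Return ICMP unreachables about the monitored pair sent by a third host.

    ICMP errors are unauthenticated, so any host on the segment can tell
    `victim` that `claimed_dead` is unreachable.  Genuine ones come from a
    router on the path (pass those as `trusted`, an operator-supplied
    assumption); anything else deserves a walk over to the machine.
    """
    allowed = set(endpoints) | set(trusted)
    findings: List[SpuriousUnreachable] = []
    for line in trace.splitlines():
        m = ICMP_UNREACH.match(line)
        if m is None:
            continue  # ordinary TCP/ARP line, not an ICMP error
        if m["dst"] not in endpoints or m["target"] not in endpoints:
            continue  # error is about some other conversation
        if m["src"] in allowed:
            continue  # endpoint or known router: plausible, not spurious
        findings.append(SpuriousUnreachable(m["ts"], m["src"], m["dst"], m["target"]))
    return findings


def capture_filter(a: str, b: str) -> str:
    """tcpdump/BPF expression keeping the pair's own traffic AND any ICMP
    aimed at either host from anywhere, so third-party errors are captured."""
    return f"(host {a} and host {b}) or (icmp and (dst host {a} or dst host {b}))"


if __name__ == "__main__":
    print("capture with: tcpdump -n -i <iface> '%s'" % capture_filter("monk", "hp"))
    for f in spurious_unreachables(SAMPLE_TRACE, {"monk", "hp"}):
        print(f"{f.ts} {f.sender} told {f.victim} that {f.claimed_dead} is unreachable")
```

Run against the constructed trace it reports the single injected error from aca402a.physik.rwth-aachen.de; add that host to `trusted` only if it really is the segment's gateway, in which case the report goes quiet. With `tcpdump -n` the endpoints are printed as addresses rather than names, so pass addresses in `endpoints` to match.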