From owner-freebsd-stable@FreeBSD.ORG Wed Oct 18 20:33:08 2006
From: Chuck Swiger
Date: Wed, 18 Oct 2006 13:33:03 -0700
To: "Andresen, Jason R."
Cc: freebsd-stable@freebsd.org
Subject: Re: Runaway kernel? Or an attack?
List-Id: Production branch of FreeBSD source code

On Oct 18, 2006, at 1:07 PM, Andresen, Jason R. wrote:

> Ok, I have a recurring problem with my webserver. Once a day or so it
> gets locked into a loop with some random server usually somewhere in my
> ISP. When it does this, it spends all of its time spitting out packets
> and getting FIN, ACKs back.
>
> Shutting down the HTTP server doesn't stop the traffic. I have to
> create firewall rules to block the outgoing traffic to stop it.

Frankly, this sounds more like the random remote host has been compromised, rather than your machine, and it is scanning the network for other hosts to attack. What URLs are being requested (check the http logs)?

> Here's a short tcpdump of the traffic when it happens; these packets
> are going out at a rate of thousands per second. The 192.168.42.2 is
> the local host and 192.76.86.83 is the apparently random victim:

I'd talk to verizon.com and ask them what is going on from their side with that host...

--
-Chuck
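The symptom Jason describes (the local web server emitting thousands of packets per second to one peer and getting FIN,ACK back, continuing even after httpd is stopped) can be picked out of a tcpdump capture automatically. The following is an added example, not code from the thread: it parses `tcpdump -n` style lines, counts outbound packets per peer per second, and reports peers that both exceed a rate threshold and are answering with FIN,ACK. The capture lines are constructed (the poster's own dump is not in the archive), and the 1000 pkt/s threshold is an assumption.

```python
# Added example (not from the thread): flag the "runaway loop" pattern described
# above in tcpdump output: one local->remote pair emitting thousands of packets
# per second while the remote answers with FIN,ACK. Sample lines are constructed;
# the 1000 pkt/s threshold is an assumption.
import re
from collections import defaultdict

# Default `tcpdump -n` line shape: "HH:MM:SS.usec IP a.b.c.d.port > e.f.g.h.port: Flags [..], ..."
LINE_RE = re.compile(
    r"^(?P<sec>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse(lines):
    """Yield (second, src, dst, tcp_flags) for each parsable tcpdump line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["sec"], m["src"], m["dst"], m["flags"]

def find_runaway_pairs(lines, local_host, pps_threshold=1000):
    """Return {(local, remote): (peak_pps, fin_ack_replies)} for peers that received
    more than pps_threshold packets from local_host within one second and answered
    with FIN,ACK segments ("F." in tcpdump flag notation)."""
    out_per_sec = defaultdict(lambda: defaultdict(int))  # (local, remote) -> sec -> count
    fin_ack = defaultdict(int)                           # (local, remote) -> FIN,ACK count
    for sec, src, dst, flags in parse(lines):
        if src == local_host:
            out_per_sec[(src, dst)][sec] += 1
        elif dst == local_host and flags == "F.":
            fin_ack[(dst, src)] += 1
    return {pair: (max(per_sec.values()), fin_ack[pair])
            for pair, per_sec in out_per_sec.items()
            if max(per_sec.values()) > pps_threshold and fin_ack[pair] > 0}

# Constructed capture: 1500 pushes to one peer in a single second, each answered
# with FIN,ACK, plus a normal handshake from another client that must not be flagged.
SAMPLE = []
for i in range(1500):
    SAMPLE.append(f"13:07:00.{i:06d} IP 192.168.42.2.80 > 192.76.86.83.3742: Flags [P.], seq 1:2, ack 1, win 65535, length 1")
    SAMPLE.append(f"13:07:00.{i:06d} IP 192.76.86.83.3742 > 192.168.42.2.80: Flags [F.], seq 1, ack 2, win 0, length 0")
SAMPLE.append("13:07:00.900001 IP 10.0.0.7.51000 > 192.168.42.2.80: Flags [S], seq 0, win 65535, length 0")
SAMPLE.append("13:07:00.900100 IP 192.168.42.2.80 > 10.0.0.7.51000: Flags [S.], seq 0, ack 1, win 65535, length 0")

if __name__ == "__main__":
    for (local, remote), (pps, replies) in find_runaway_pairs(SAMPLE, "192.168.42.2").items():
        print(f"runaway loop {local} -> {remote}: peak {pps} pkt/s, {replies} FIN,ACK replies")
```

Feeding a real capture in (`tcpdump -n -l | python3 script.py` with `sys.stdin` in place of `SAMPLE`) gives the (local, remote) pair to block at the firewall while the remote side's operator is contacted, without having to read the dump by eye.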