From: Jeremy Chadwick
To: "Andresen, Jason R."
Cc: freebsd-stable@freebsd.org
Date: Wed, 18 Oct 2006 13:45:03 -0700
Subject: Re: Runaway kernel? Or an attack?
Message-ID: <20061018204503.GB47563@icarus.home.lan>
X-PGP-Key: http://jdc.parodius.com/pubkey.asc
List-Id: Production branch of FreeBSD source code

On Wed, Oct 18, 2006 at 04:07:14PM -0400, Andresen, Jason R. wrote:
> OK, I have a recurring problem with my webserver. Once a day or so it
> gets locked into a loop with some random server, usually somewhere in my
> ISP. When it does this, it spends all of its time spitting out packets
> and getting FIN, ACKs back.
>
> Shutting down the HTTP server doesn't stop the traffic. I have to
> create firewall rules to block the outgoing traffic to stop it. Wiping
> the disk and reinstalling from the CD didn't help either. This host is
> behind a NAT (a D-Link DI-604 router). Is this a bad packet injection
> attack, a bug, or has my box been compromised?

And let me guess: your DI-604 is set to port forward TCP 80 to
192.168.42.2 (rather than make 192.168.42.2 the DMZ host).

I recommend removing the DI-604 from the topology and seeing if the
problem continues. Gut feeling (based on past experience with D-Link's
residential products) is that the problem will disappear.

You'll have to trust me on this -- no matter how reliable you think the
DI-series units are ("It works fine for me!"), they aren't. There are
major IP stack implementation issues with these units (same with the
DI-614+). Thoroughly scan the D-Link forum on www.broadbandreports.com
for details of these problems. The IP stack on those units is awful.

Consider picking up a WRT54GL (which runs Linux; sure, I'd prefer they
run BSD, but I'll trust Linux's IP stack over some third-party
out-of-country IP stack any day of the week). Do not go with a WRT54G
(because you won't know what version you get: Linux-based or
VxWorks-based, which has other IP stack problems), nor a WRT54GS (same
risk: Linux vs. VxWorks).

--
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA  |
| Making life hard for others since 1977.               PGP: 4BD6C0CB |
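As an added illustration, not code from either poster: a small Python check for the symptom described above (a host that keeps transmitting to one peer and gets only FIN/ACK back), run over a constructed tcpdump-style capture. The remote addresses, port numbers and the ipfw rule form are assumptions; 192.168.42.2 is the webserver address mentioned in the reply.

```python
"""Flag TCP peers that answer a host's outbound segments with nothing but FIN/ACK."""
import re
from collections import defaultdict

# tcpdump-style summary line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
PKT_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def constructed_capture():
    """Constructed sample: one stuck peer (203.0.113.10, hypothetical) that meets every
    data segment with FIN/ACK, plus one healthy peer (198.51.100.7, hypothetical)."""
    lines = []
    for i in range(6):
        lines.append(f"12:00:0{i}.000100 IP 192.168.42.2.80 > 203.0.113.10.51234: "
                     "Flags [P.], seq 1:1461, ack 1, win 65535, length 1460")
        lines.append(f"12:00:0{i}.000300 IP 203.0.113.10.51234 > 192.168.42.2.80: "
                     "Flags [F.], seq 1, ack 1, win 0, length 0")
    lines.append("12:00:07.000100 IP 198.51.100.7.40000 > 192.168.42.2.80: Flags [S], seq 0, win 65535, length 0")
    lines.append("12:00:07.000200 IP 192.168.42.2.80 > 198.51.100.7.40000: Flags [S.], seq 0, ack 1, win 65535, length 0")
    lines.append("12:00:07.000300 IP 198.51.100.7.40000 > 192.168.42.2.80: Flags [.], ack 1, win 65535, length 0")
    return lines


def summarize_peers(lines, local_ip):
    """Per remote address: packets the local host sent, packets it received, and how many
    of the received ones carried FIN+ACK."""
    stats = defaultdict(lambda: {"out": 0, "in": 0, "in_finack": 0})
    for line in lines:
        m = PKT_RE.match(line)
        if not m:
            continue  # not a TCP summary line in the format we parse
        src, _, dst, _, flags = m.groups()
        if src == local_ip:
            stats[dst]["out"] += 1
        elif dst == local_ip:
            stats[src]["in"] += 1
            if "F" in flags and "." in flags:  # tcpdump prints FIN/ACK as [F.]
                stats[src]["in_finack"] += 1
    return dict(stats)


def stuck_peers(lines, local_ip, min_out=5, finack_ratio=0.8):
    """Peers the host keeps transmitting to while nearly every reply is a FIN/ACK."""
    flagged = []
    for peer, s in summarize_peers(lines, local_ip).items():
        if s["out"] >= min_out and s["in"] and s["in_finack"] / s["in"] >= finack_ratio:
            flagged.append(peer)
    return sorted(flagged)


def block_rule(local_ip, peer):
    """ipfw rule (assumed firewall) that cuts the outbound leg, as the original poster did by hand."""
    return f"ipfw add deny tcp from {local_ip} to {peer}"
```

Run it against a real `tcpdump -n` capture of the loop to confirm the stuck peer is identified before applying the block rule.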