From: "Andresen, Jason R." <jandrese@mitre.org>
To: "Chuck Swiger" <cswiger@mac.com>
Cc: freebsd-stable@freebsd.org
Date: Thu, 19 Oct 2006 10:16:17 -0400
Subject: RE: Runaway kernel? Or an attack?
List: freebsd-stable@freebsd.org (Production branch of FreeBSD source code)

I would have thought so too except that it's always a different host. It's usually inside of Verizon though.

>-----Original Message-----
>From: Chuck Swiger [mailto:cswiger@mac.com]
>Sent: Wednesday, October 18, 2006 4:33 PM
>To: Andresen, Jason R.
>Cc: freebsd-stable@freebsd.org
>Subject: Re: Runaway kernel? Or an attack?
>
>On Oct 18, 2006, at 1:07 PM, Andresen, Jason R. wrote:
>> Ok, I have a recurring problem with my webserver. Once a day or so it
>> gets locked into a loop with some random server usually somewhere in my
>> ISP. When it does this, it spends all of its time spitting out packets
>> and getting FIN, ACKs back.
>>
>> Shutting down the HTTP server doesn't stop the traffic. I have to
>> create firewall rules to block the outgoing traffic to stop it.
>
>Frankly, this sounds more like the random remote host has been
>compromised, rather than your machine, and it is scanning the network
>for other hosts to attack. What URLs are being requested (check the
>http logs)?
>
>> Here's a short tcpdump of the traffic when it happens, these packets
>> are going out at a rate of thousands per second. The 192.168.42.2 is
>> the local host and 192.76.86.83 is the apparently random victim:
>
>I'd talk to verizon.com and ask them what is going on from their side
>with that host...
>
>--
>-Chuck
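The symptom in the thread (the local host emitting thousands of packets per second to one remote address and getting FIN,ACKs back, stopped only by an outbound firewall rule) can be picked out of a tcpdump capture mechanically. The script below is an added example, not code from either poster: it parses tcpdump's IPv4 TCP summary lines (both the classic "F 1:1(0) ack 1" flag style and the newer "Flags [F.]" style), computes the peak per-second packet rate from the local host to each remote host, counts the FIN-bearing replies, and prints an ipfw deny rule for any flow over a threshold. The capture it runs on is constructed inline, since the original dump is not reproduced on the page; the 1000 pps threshold, the tcpdump line format, and the choice of ipfw as the firewall are assumptions.

```python
import re
from collections import Counter, defaultdict

# tcpdump IPv4 TCP summary line; accepts both the classic flag token
# ("F 1:1(0) ack 1 ...") and the newer "Flags [F.]" notation. Assumed format.
LINE_RE = re.compile(
    r"^(?P<hms>\d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags2>[^\]]+)\]|(?P<flags1>[SFRP.]+))"
)


def parse(text):
    """Yield (second, src_ip, dst_ip, flags) for every line that parses as TCP."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = m.group("flags2") or m.group("flags1")
        yield m.group("hms"), m.group("src"), m.group("dst"), flags


def peak_rates(text):
    """For each (src, dst) pair, the largest packet count seen in any single second."""
    per_second = defaultdict(Counter)
    for sec, src, dst, _ in parse(text):
        per_second[(src, dst)][sec] += 1
    return {pair: max(counts.values()) for pair, counts in per_second.items()}


def fin_replies(text, local_ip):
    """Count inbound packets per remote host that carry FIN (the 'FIN, ACKs back')."""
    fins = Counter()
    for _, src, dst, flags in parse(text):
        if dst == local_ip and "F" in flags:
            fins[src] += 1
    return fins


def find_runaway(text, local_ip, threshold_pps=1000):
    """Remote hosts the local host floods: [(remote_ip, peak_pps, fin_replies)]."""
    rates = peak_rates(text)
    fins = fin_replies(text, local_ip)
    hits = [
        (dst, pps, fins[dst])
        for (src, dst), pps in rates.items()
        if src == local_ip and pps >= threshold_pps
    ]
    return sorted(hits, key=lambda h: -h[1])


def ipfw_block_rule(local_ip, remote_ip):
    """ipfw rule (assumed firewall) that stops the outbound flood to one host."""
    return f"ipfw add deny ip from {local_ip} to {remote_ip} out"


def build_sample():
    """Constructed capture: 1500 outbound packets/sec to the remote host for two
    seconds, each answered with FIN,ACK, plus three ordinary SYN/SYN-ACK
    exchanges with another client (10.0.0.7) for contrast."""
    lines = []
    for sec in ("10:16:01", "10:16:02"):
        for i in range(1500):
            us = f"{i * 600:06d}"
            lines.append(f"{sec}.{us} IP 192.168.42.2.80 > 192.76.86.83.3012: "
                         f"P 1:2(1) ack 1 win 65535")
            lines.append(f"{sec}.{us} IP 192.76.86.83.3012 > 192.168.42.2.80: "
                         f"F 1:1(0) ack 2 win 0")
    for i in range(3):
        lines.append(f"10:16:01.{i:06d} IP 10.0.0.7.4{i:04d} > 192.168.42.2.80: "
                     f"Flags [S], seq 0, win 65535")
        lines.append(f"10:16:01.{i + 1:06d} IP 192.168.42.2.80 > 10.0.0.7.4{i:04d}: "
                     f"Flags [S.], seq 0, ack 1, win 65535")
    return "\n".join(lines)


if __name__ == "__main__":
    local = "192.168.42.2"
    for remote, pps, fins in find_runaway(build_sample(), local):
        print(f"{local} -> {remote}: peak {pps} pkt/s, {fins} FIN replies")
        print("  " + ipfw_block_rule(local, remote))
```

Feed a real capture in with `tcpdump -nn -l -i <if> tcp | python3 script.py` style piping, or read a saved text dump into `find_runaway`. The per-second peak, rather than a total, is what distinguishes the runaway flow from a merely busy client; the FIN count confirms the remote side is refusing the connection while the local side keeps sending, which is the pattern the thread describes.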