Date: Wed, 18 Oct 2006 16:07:14 -0400
From: "Andresen, Jason R." <jandrese@mitre.org>
To: <freebsd-stable@freebsd.org>
Subject: Runaway kernel? Or an attack?
Message-ID: <F9F038204EE77C4AA9959A6B3C94AFE8F99CB8@IMCSRV2.MITRE.ORG>
Ok, I have a recurring problem with my webserver. Once a day or so it gets locked into a loop with some random server, usually somewhere in my ISP. When it does this, it spends all of its time spitting out packets and getting FIN, ACKs back.

Shutting down the HTTP server doesn't stop the traffic. I have to create firewall rules to block the outgoing traffic to stop it. Wiping the disk and reinstalling from the CD didn't help either. This host is behind a NAT (a D-Link DI-604 router). Is this a bad packet injection attack, a bug, or has my box been compromised?

This problem has persisted from when the box was 5.4 all the way to its current 6.0 life. Sadly, I cannot upgrade it beyond 6.0 Release at the moment because it has a proprietary vendor binary kernel module for the RAID array, and the newest version they have is for 6.0.

Here's a short tcpdump of the traffic when it happens; these packets are going out at a rate of thousands per second. 192.168.42.2 is the local host and 192.76.86.83 is the apparently random victim:

09:36:51.056914 IP (tos 0x0, ttl 64, id 57273, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.42.2.80 > 192.76.86.83.22929: ., cksum 0xd1b3 (correct), 0:0(0) ack 0 win 33120 <nop,nop,timestamp 147178754 27589156>
09:36:51.059404 IP (tos 0x0, ttl 51, id 61707, offset 0, flags [none], proto: TCP (6), length: 52) 192.76.86.83.22929 > 192.168.42.2.80: F, cksum 0x5331 (correct), 0:0(0) ack 1 win 65535 <nop,nop,timestamp 27589156 147178723>
09:36:51.059469 IP (tos 0x0, ttl 64, id 57274, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.42.2.80 > 192.76.86.83.22929: ., cksum 0xd1b0 (correct), 0:0(0) ack 0 win 33120 <nop,nop,timestamp 147178757 27589156>
09:36:51.060004 IP (tos 0x0, ttl 51, id 61709, offset 0, flags [none], proto: TCP (6), length: 52) 192.76.86.83.22929 > 192.168.42.2.80: F, cksum 0x5331 (correct), 0:0(0) ack 1 win 65535 <nop,nop,timestamp 27589156 147178723>
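The ACK/FIN ping-pong in the capture above can be spotted mechanically. The following is an added example, not code from the post or from FreeBSD: it parses the quoted tcpdump line format and flags flows in which no payload moves and neither side's seq/ack/flags ever change, at a high packet rate. The parser, the thresholds and the 10.0.0.5 contrast flow are assumptions for the example.

```python
import re
from collections import defaultdict

# Matches the "tcpdump -v" line format quoted in the post (assumed stable).
LINE_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) IP \(.*?\) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[.SFRP]+), cksum \S+ \(\w+\), "
    r"(?P<seq>\d+):\d+\((?P<len>\d+)\) ack (?P<ack>\d+)"
)

def _secs(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def find_ack_loops(lines, min_packets=4, min_rate=100.0):
    """Return {flow: (packets, rate_pps)} for flows stuck in an ACK/FIN war:
    no payload anywhere and each side repeating the same seq/ack/flags."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # non-TCP or unparsable lines are ignored
            flows[tuple(sorted((m["src"], m["dst"])))].append(m)
    stuck = {}
    for key, pkts in flows.items():
        if len(pkts) < min_packets or any(int(p["len"]) for p in pkts):
            continue  # too few packets, or real data is flowing
        per_side = defaultdict(set)
        for p in pkts:
            per_side[p["src"]].add((p["seq"], p["ack"], p["flags"]))
        if any(len(s) != 1 for s in per_side.values()):
            continue  # numbers change, so this is a normal conversation
        span = _secs(pkts[-1]["ts"]) - _secs(pkts[0]["ts"])
        rate = (len(pkts) - 1) / span if span > 0 else float("inf")
        if rate >= min_rate:
            stuck[key] = (len(pkts), rate)
    return stuck

# The four packets quoted in the post (local 192.168.42.2, peer 192.76.86.83).
POST_LINES = [
    "09:36:51.056914 IP (tos 0x0, ttl 64, id 57273, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.42.2.80 > 192.76.86.83.22929: ., cksum 0xd1b3 (correct), 0:0(0) ack 0 win 33120 <nop,nop,timestamp 147178754 27589156>",
    "09:36:51.059404 IP (tos 0x0, ttl 51, id 61707, offset 0, flags [none], proto: TCP (6), length: 52) 192.76.86.83.22929 > 192.168.42.2.80: F, cksum 0x5331 (correct), 0:0(0) ack 1 win 65535 <nop,nop,timestamp 27589156 147178723>",
    "09:36:51.059469 IP (tos 0x0, ttl 64, id 57274, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.42.2.80 > 192.76.86.83.22929: ., cksum 0xd1b0 (correct), 0:0(0) ack 0 win 33120 <nop,nop,timestamp 147178757 27589156>",
    "09:36:51.060004 IP (tos 0x0, ttl 51, id 61709, offset 0, flags [none], proto: TCP (6), length: 52) 192.76.86.83.22929 > 192.168.42.2.80: F, cksum 0x5331 (correct), 0:0(0) ack 1 win 65535 <nop,nop,timestamp 27589156 147178723>",
]
# Constructed contrast case: a healthy transfer whose sequence numbers advance.
NORMAL_LINES = [
    f"09:36:52.{i * 1000:06d} IP (tos 0x0, ttl 64, id {i}, offset 0, flags [DF], proto: TCP (6), length: 1500) "
    f"192.168.42.2.80 > 10.0.0.5.40000: P, cksum 0x0000 (correct), {1 + 1448 * i}:{1449 + 1448 * i}(1448) ack 1 win 33120"
    for i in range(4)
]
if __name__ == "__main__":
    for flow, (n, rate) in find_ack_loops(POST_LINES + NORMAL_LINES).items():
        print(f"stuck flow {flow[0]} <-> {flow[1]}: {n} packets, {rate:.0f} pkt/s")
```

Fed the post's own four lines it reports the 192.168.42.2 / 192.76.86.83 pair at roughly a thousand packets per second, which is the kind of signal a firewall-rule trigger or alert could key on.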