Date: Mon, 16 May 2005 08:26:58 -0600 From: "Chad Leigh -- Shire.Net LLC" <chad@shire.net> To: FreeBSD Mailing List <freebsd-questions@freebsd.org> Cc: Chad Leigh <chad@shire.net> Subject: is this a possible DoS attack? Message-ID: <FDE0A023-085D-4258-ABB4-805772E3E699@shire.net>
I had a server reboot itself twice in close succession in the middle of the night, after a long uptime. This server had not rebooted itself in ages (years) -- all previous boots were controlled. The syslog has the following in it a half hour or so prior to the first boot (the first line or two is just to show that nothing much happened before this happened):

May 16 02:20:00 crickhollow named[87025]: zone 22.63.209.in-addr.arpa/IN: loading master file ptr.209.63.22: file not found
May 16 02:33:31 crickhollow /kernel: Limiting icmp unreach response from 232 to 200 packets per second
May 16 03:14:52 crickhollow /kernel: All mbufs exhausted, please see tuning(7).
May 16 03:14:53 crickhollow last message repeated 3 times
May 16 03:14:59 crickhollow /kernel: o 00:20:ed:16:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0

and then this arp message-pair (moving from one address to another and back) goes on a ton for 20-30 minutes, then a spontaneous reboot, then more of these arp message-pairs for another 20-30 minutes (no mbuf message though during the intervening period), and then another spontaneous reboot, and then the arp message-pair went on for another short while, 10-20 minutes, and then all is relatively quiet. There were some intermediate messages of the sort

May 16 03:59:36 crickhollow /kernel: Limiting closed port RST response from 646 to 200 packets per second

during the "arp" flood.

The address 166.70.252.252 is on another server that has not changed at all. It is a Linux server that has that address but has no open ports / services listening on that address at all (it does all its listening on a private 192.168 type address -- the public address assignment is to make it easier for it to go out to the world for updates).

The mbufs on this machine are pretty high and the usage of the machine has not gone up much. Here is what the mbufs look like this morning:

host# netstat -m
148/46048/131072 mbufs in use (current/peak/max):
        148 mbufs allocated to data
144/468/32768 mbuf clusters in use (current/peak/max)
12448 Kbytes allocated to network (12% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
host#

Any thoughts on what could have happened would be appreciated.

Thanks
Chad

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad@shire.net
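The kernel messages Chad quotes are the kind of thing worth alerting on before a box falls over: one IP flapping between two MAC addresses on the same interface, "All mbufs exhausted", and the ICMP/RST rate-limiter kicking in. The script below is an added example (not Chad's code, and not part of the FreeBSD project) that scans syslog text for exactly those three signals and reports ARP flap bursts per IP within a time window. The sample log is constructed from the lines in the post; the year (2005) is an assumption, since syslog timestamps carry none, and the flap threshold and window are arbitrary defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the kernel messages quoted in the post
# (same IP, MACs and interface; four moves in one second form one burst).
SAMPLE_SYSLOG = """\
May 16 02:33:31 crickhollow /kernel: Limiting icmp unreach response from 232 to 200 packets per second
May 16 03:14:52 crickhollow /kernel: All mbufs exhausted, please see tuning(7).
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
May 16 03:59:36 crickhollow /kernel: Limiting closed port RST response from 646 to 200 packets per second
"""

# FreeBSD 4.x-era kernel "arp: <ip> moved from <mac> to <mac> on <if>" lines.
ARP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ /kernel: arp: (?P<ip>[\d.]+) moved from "
    r"(?P<old>[0-9a-f:]{17}) to (?P<new>[0-9a-f:]{17}) on (?P<ifname>\w+)$"
)
MBUF_RE = re.compile(r"/kernel: All mbufs exhausted")
RATELIMIT_RE = re.compile(
    r"/kernel: Limiting (?P<what>.+?) response from (?P<n>\d+) to (?P<cap>\d+) packets per second"
)


def parse_ts(ts, year=2005):
    """Syslog timestamps have no year; the caller supplies one (assumed 2005 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(text, flap_threshold=3, window_seconds=60):
    """Scan syslog text and return ARP flap bursts, mbuf exhaustion count and rate-limit events."""
    moves = defaultdict(list)  # ip -> [(timestamp, old_mac, new_mac, iface), ...]
    mbuf_events = 0
    rate_limits = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            moves[m["ip"]].append((parse_ts(m["ts"]), m["old"], m["new"], m["ifname"]))
            continue
        if MBUF_RE.search(line):
            mbuf_events += 1
            continue
        m = RATELIMIT_RE.search(line)
        if m:
            rate_limits.append((m["what"], int(m["n"]), int(m["cap"])))

    findings = []
    for ip, events in moves.items():
        events.sort()
        start = 0
        # Sliding window: flag the IP once it has >= flap_threshold moves within window_seconds.
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= flap_threshold:
                burst = events[start:end + 1]
                macs = sorted({e[1] for e in burst} | {e[2] for e in burst})
                findings.append({"ip": ip, "moves": len(events), "macs": macs, "iface": burst[-1][3]})
                break
    return {"arp_flaps": findings, "mbuf_exhausted": mbuf_events, "rate_limits": rate_limits}


if __name__ == "__main__":
    report = analyze(SAMPLE_SYSLOG)
    for f in report["arp_flaps"]:
        print(f"ARP flap: {f['ip']} on {f['iface']} alternated between {f['macs']} ({f['moves']} moves)")
    print(f"mbuf exhaustion messages: {report['mbuf_exhausted']}")
    for what, n, cap in report["rate_limits"]:
        print(f"rate limiter: {what} {n} -> {cap} pps")
```

Run it against /var/log/messages (or feed it from a log shipper) and the three findings come out together; an address alternating between two MACs on one interface at the same time as mbuf exhaustion and the RST/ICMP limiter firing is worth a look at the switch and at the other host claiming that address, which is what the post is asking about.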