Date: Mon, 16 May 2005 16:36:49 +0200
From: Joseph Borg <juu.borg@gmail.com>
To: "Chad Leigh -- Shire.Net LLC" <chad@shire.net>
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: is this a possible DoS attack?
Message-ID: <6f2ed49705051607363f0876c4@mail.gmail.com>
In-Reply-To: <FDE0A023-085D-4258-ABB4-805772E3E699@shire.net>
References: <FDE0A023-085D-4258-ABB4-805772E3E699@shire.net>
On 5/16/05, Chad Leigh -- Shire.Net LLC <chad@shire.net> wrote:
>
> I had a server reboot itself twice in close succession in the middle
> of the night, after a long uptime. This server had not rebooted itself
> in ages (years) -- all previous boots were controlled.
>
> The syslog has the following in it a half hour or so prior to the
> first boot (the first line or two is just to show that nothing much
> happened before this happened):
>
> May 16 02:20:00 crickhollow named[87025]: zone 22.63.209.in-addr.arpa/IN: loading master file ptr.209.63.22: file not found
> May 16 02:33:31 crickhollow /kernel: Limiting icmp unreach response from 232 to 200 packets per second
> May 16 03:14:52 crickhollow /kernel: All mbufs exhausted, please see tuning(7).
> May 16 03:14:53 crickhollow last message repeated 3 times
> May 16 03:14:59 crickhollow /kernel: o 00:20:ed:16:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
>

As a first guess, I'd say there's an IP conflict, with two machines having
the same IP address and hence the corresponding arp keeps changing from one
machine to another...

> and then this arp message-pair (moving from one address to another
> and back) goes on a ton for 20-30 minutes then a spontaneous reboot
> then more of these arp message-pairs for another 20-30 minutes (no
> mbuf message though during the intervening period) and then another
> spontaneous reboot and then the arp message-pair went on for another
> short while 10-20 minutes and then all is relatively quiet.
>
> There were some intermediate
>
> May 16 03:59:36 crickhollow /kernel: Limiting closed port RST response from 646 to 200 packets per second
>
> sort of messages during the "arp" flood.
>
> The address 166.70.252.252 is on another server that has not
> changed at all and is on a linux server that has that address but has
> no open ports / services listening on that address at all (it does
> all its listening on a private 192.168 type address -- the public
> address assignment is to make it easier for it to go out to the world
> for updates)
>

Are these two machines: "166.70.252.252 is on another server that has not
changed at all and is on a linux server that has that address"?

> The mbufs on this machine are pretty high and the usage of the
> machine has not gone up much.
>
> Here is what the mbufs look like this morning
>
> host# netstat -m
> 148/46048/131072 mbufs in use (current/peak/max):
> 148 mbufs allocated to data
> 144/468/32768 mbuf clusters in use (current/peak/max)
> 12448 Kbytes allocated to network (12% of mb_map in use)
> 0 requests for memory denied
> 0 requests for memory delayed
> 0 calls to protocol drain routines
> host#
>
> Any thoughts on what could have happened would be appreciated.
>
> Thanks
> Chad
>
> ---
> Chad Leigh -- Shire.Net LLC
> Your Web App and Email hosting provider
> chad@shire.net
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
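Added example, not from either poster: a small Python detector for the ARP flapping pattern in the quoted kernel log (an IP bouncing between two MACs, which is what an address conflict looks like from the FreeBSD side). It runs over constructed sample lines modelled on Chad's; the 192.0.2.10 entry and its 00:00:5e MACs are made up to show that a single legitimate move is not flagged.

```python
# Flag ARP flapping in FreeBSD syslog: an IP that keeps "moving" between
# MACs is two hosts answering for the same address. Sample lines are
# constructed after the thread's log; 192.0.2.10 is a made-up entry.
import re
from collections import defaultdict

ARP_MOVED = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ /kernel: arp: "
    r"(?P<ip>\d+(?:\.\d+){3}) moved from (?P<old>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"to (?P<new>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifname>\S+)$"
)

SAMPLE_LOG = """\
May 16 03:14:52 crickhollow /kernel: All mbufs exhausted, please see tuning(7).
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
May 16 03:15:03 crickhollow /kernel: arp: 192.0.2.10 moved from 00:00:5e:00:53:01 to 00:00:5e:00:53:02 on dc0
May 16 03:59:36 crickhollow /kernel: Limiting closed port RST response from 646 to 200 packets per second
""".splitlines()


def parse_arp_moves(lines):
    """Yield (ip, ifname, old_mac, new_mac) for every kernel 'arp: ... moved' line."""
    for line in lines:
        m = ARP_MOVED.match(line.strip())
        if m:
            yield m["ip"], m["ifname"], m["old"], m["new"]


def find_flapping(lines, threshold=3):
    """Return {(ip, ifname): {"moves": n, "macs": [...]}} for addresses that
    moved at least `threshold` times. Exactly two MACs alternating is the
    conflict signature; a one-off move (e.g. a NIC swap) stays unreported."""
    moves = defaultdict(int)
    macs = defaultdict(set)
    for ip, ifname, old, new in parse_arp_moves(lines):
        moves[(ip, ifname)] += 1
        macs[(ip, ifname)].update((old, new))
    return {key: {"moves": n, "macs": sorted(macs[key])}
            for key, n in moves.items() if n >= threshold}


if __name__ == "__main__":
    for (ip, ifname), info in find_flapping(SAMPLE_LOG).items():
        print(f"{ip} on {ifname}: {info['moves']} moves between {info['macs']}")
```

On a live box the same check runs over `/var/log/messages`; the mbuf and rate-limit lines in the sample are deliberately ignored so the parser only reacts to the ARP events.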