Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 16 May 2005 10:13:13 -0600
From:      "Chad Leigh -- Shire.Net LLC" <chad@shire.net>
To:        David Kelly <dkelly@hiwaay.net>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: is this a possible DoS attack?
Message-ID:  <96E49658-B868-43BA-9D62-380640EA1044@shire.net>
In-Reply-To: <20050516154402.GA87442@Grumpy.DynDNS.org>
References:  <FDE0A023-085D-4258-ABB4-805772E3E699@shire.net> <20050516154402.GA87442@Grumpy.DynDNS.org>
next in thread | previous in thread | raw e-mail | index | archive | help 

On May 16, 2005, at 9:44 AM, David Kelly wrote:

> On Mon, May 16, 2005 at 08:26:58AM -0600, Chad Leigh -- Shire.Net  
> LLC wrote:
>
>>
>> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
>> 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
>>
>
> [...]
>
>
>> The address  166.70.252.252  is on another server that has not
>> changed at all and is on a linux server that has that address but has
>> no open ports / services listening on that address at all (it does
>> all its listening on a private 192.168 type address -- the public
>> address assignment is to make it easier for it to go out to the world
>> for updates)
>>
>
> Both nets on the Linux machine on the same NIC?

Yes

> If so then I'd suspect
> something with Linux. Else note the MAC address only differs by one  
> bit.
> Unless that rings a bell as a signature of a DoS then I'd suspect  
> either
> the Linux NIC or ethernet switch between. None the less whatever the
> cause doesn't excuse FreeBSD for falling on its face.

True

 From what I have been able to dig up in the Linux boxes logs, there  
was a jfs filesystem bug of some sort and that is about when all this  
started happening.  The machine itself cannot be remotely rebooted  
due to some filesystem errors so I am off downtown to reboot it and  
see what happens.

I agree that the FBSD box should not fall on its face.  It is a 4- 
something (reasonably recent) but is being "retired" as all the  
services and customers get moved to a new 5.3 box that we have been  
transitioning to, and this machine is to be rebuilt in 1 week as a  
5.4 dedicated server.

And thanks to all who replied, even if I do not get a reply off to  
you personally!

Chad

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?96E49658-B868-43BA-9D62-380640EA1044>