From owner-freebsd-questions  Tue Dec  4  9:41:11 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from aji.wilshire.net (worm.wilshire.net [64.161.77.242])
	by hub.freebsd.org (Postfix) with ESMTP id BAADA37BCD0
	for <freebsd-questions@FreeBSD.org>; Tue,  4 Dec 2001 09:40:04 -0800 (PST)
Received: from emilyd (emilyd.wilshire.net [10.100.123.20])
	by aji.wilshire.net (8.11.1/8.11.1) with SMTP id fB4HbTx22990
	for <freebsd-questions@FreeBSD.org>; Tue, 4 Dec 2001 09:37:30 -0800 (PST)
From: "Riley J. McIntire" <rileyjmc@pacbell.net>
To: "FreeBSD Questions" <freebsd-questions@FreeBSD.org>
Subject: icmp dos attack?   sshd core dump
Date: Tue, 4 Dec 2001 09:39:58 -0800
Message-ID: <NCBBLBILEPCHLFJAPIIPIEAGKFAA.rileyjmc@pacbell.net>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

Greetings:

This just showed up in a security check output log:

> icmp-response bandwidth limit 240/200 pps
> icmp-response bandwidth limit 213/200 pps
snip pages of this
then
> pid 49374 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 49375 (sshd), uid 0: exited on signal 11 (core dumped)
snip
> pid 49391 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 49394 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 49396 (sshd), uid 0: exited on signal 10 (core dumped)
> pid 49397 (sshd), uid 0: exited on signal 10 (core dumped)
snip
> pid 49465 (sshd), uid 0: exited on signal 10 (core dumped)
> pid 49466 (sshd), uid 0: exited on signal 10 (core dumped)

Note the change from a sig 11 to 10.


A DOS attack?  The machine is up, I can connect via ssh, and I'm a bit
at a loss of what, if anything, to do about this?

Thanks,

Riley


"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
Benjamin Franklin


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message