Date:      Mon, 4 Sep 2000 11:21:17 +0930
From:      Greg Lehey <grog@lemis.com>
To:        freebsd-questions <questions@FreeBSD.ORG>
Subject:   Self-initiated DOS? (was: signature?)
Message-ID:  <20000904112117.C57161@wantadilla.lemis.com>
In-Reply-To: <200009030608.GAA02427@groggy.anc.ptialaska.net>; from groggy@iname.com on Sun, Sep 03, 2000 at 06:08:55AM +0000
References:  <200009030608.GAA02427@groggy.anc.ptialaska.net>

On Sunday,  3 September 2000 at  6:08:55 +0000, groggy@iname.com wrote:
>> It's not port UDP 68, it's netbios-ns; it's Windows boxes that like to do a
>> netbios nameserver lookup on whoever connects to them. MS assumed that
>> anything connecting to them "must" be a windows box and tries to log the
>> Netbios name of it.... these end up as mostly noise in firewall logs.
>>
>> I specifically disabled monitoring of UDP 137/138 in my own firewalls as the
>> number of stupid IIS servers that kept trying to find out the netbios name
>> of the squid proxies was filling the logs with useless information...
>
> this sounds good to me :)  i figured it was some IIS crap ...
> i think my ISP recently replaced their SunOS and System V boxes
> with IIS servers - i know they renamed all their boxes - and that's
> when this problem started.  it still bothers me that they have a right
> to clutter my connection with so much useless garbage!  i mean, it does
> cause "stalls" on connections to my server since 10 seconds
> of every minute my connection is jammed with this garbage ...
> it would be a hassle to change providers for many reasons,
> do i have any right to make them stop? :)  i mean, it's
> almost a DOS attack, isn't it? :)

Well, no.  As I said, all indications are that this is coming from
*your* machine.

>> Aren't these caused by samba or another program of the sort which are
>> answered by an "MS" machine?  That is how it is on my network...
>
> i am not running samba or anything ...
> i have one other BSD machine on an ethernet,
> but it is quiet and doesn't have anything to do with this.
> it happens every minute ...  24 hours a day ...

OK, let's look at your network more closely.  

1.  Is the other box the only machine on the Ethernet?
2.  Is the machine 'groggy' performing address translation for the
    Ethernet?
3.  Is the other box running anything Microsoft-like?
4.  Are you blocking port 137 coming in?
5.  Which version of named are you running?

> i run only the following - apache + squid ...
> (3.5.1-R)
>
> ftp     stream
> telnet  stream
> pop3    stream
> finger  stream
> auth    stream
> comsat  dgram
> ntalk   dgram
>
> my machine is groggy, and it seems to all be initiated with :
>
>>>> 05:13:24.048994 209-193-28-245.adsl.jnu.acsalaska.net.netbios-ns > 208.151.115.193.netbios-ns: udp 68
>>>> 05:13:24.049044 209-193-28-245.adsl.jnu.acsalaska.net.netbios-ns > 208.151.115.193.netbios-ns: udp 68

Please don't wrap these lines.

There's no reason to believe that these messages initiate anything.
There is, however, a very good question what these messages are doing
on your particular ppp link.  From here, the three machines in
question seem to be quite a distance apart.

traceroute to 208.151.115.193 (208.151.115.193), 30 hops max, 40 byte packets
...
11  sea-sjc2-oc48.sea.above.net (208.184.102.178)  368.395 ms  368.317 ms  379.927 ms
12  seattle-core1.sea.above.net (208.185.175.18)  383.597 ms  388.555 ms  375.767 ms
13  alaska-abovenet.sea.above.net (209.249.0.148)  366.970 ms  370.782 ms  375.406 ms
14  *^C

traceroute to groggy.anc.ptialaska.net (198.70.228.224), 30 hops max, 40 byte packets
...
13  alaska-abovenet.sea.above.net (209.249.0.148)  381.277 ms  367.127 ms  366.569 ms
14  ds3-p2p.anc.ptialaska.net (208.151.100.165)  408.009 ms  435.738 ms  408.855 ms
15  enh-4.anc.ptialaska.net (208.151.119.1)  421.441 ms  439.651 ms  401.611 ms
16  groggy.anc.ptialaska.net (198.70.228.224)  544.191 ms  556.567 ms  601.520 ms

traceroute to 209.193.28.245 (209.193.28.245), 30 hops max, 40 byte packets
...
13  alaska-abovenet.sea.above.net (209.249.0.148)  377.137 ms  376.383 ms  379.356 ms
14  ds3-p2p.anc.ptialaska.net (208.151.100.165)  413.292 ms  428.787 ms  398.543 ms
15  fe9-0-cr2.nwc.ptialaska.net (208.151.100.222)  407.105 ms  432.320 ms  400.682 ms
16  s2-0-cr1.jdc.ptialaska.net (208.151.100.210)  429.451 ms  417.332 ms  431.438 ms
17  208.151.107.245 (208.151.107.245)  445.840 ms  449.656 ms  426.777 ms
18  * * *

I wouldn't expect any traffic for either of the other systems to come
even close to where you are.  You should definitely ask your ISP what
is going on.

> Active Internet connections (including servers)

This all looks normal enough.

>>>> i don't use dhcp or anything like that ...
>>>
>>> Are you sure you're not running some other daemon which uses this
>>> service?  Take a look with 'ps lax' and see what you get.
>
> ps alx ... (i don't think anything is unusual here ...)

No, I don't see anything either.

>>> The messages seem to be coming from your end.  I don't even see any
>>> replies.  The two messages at 05:13:25.548800 have nothing to do with
>>> you, but suggest that you're on a broadcast medium.  Considering that
>>> the names suggest this is ADSL, you might ask your ISP about that.
>
> i don't think i am initiating anything ...  i am confused ...

The tcpdump clearly shows that the initiator of nearly all these
machines is groggy, which is your machine.

> it seems that my udp 68 stuff is initiated by those first 2 packets
> using my machine as a relay or something - and i don't like being a
> relay for anything :)

The first two packets have nothing to do with it, except they seem to
be doing the same thing rather less frequently.  It seems that your
system is sending pairs of packets in intervals which range from 90 to
130 ms, which is rather frequent, admittedly.  Look at the following
second:

> 05:15:26.040337 groggy.56121 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.040375 groggy.56121 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.080330 groggy.37645 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.080362 groggy.37645 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.160306 groggy.60574 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.160338 groggy.60574 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.200359 groggy.65226 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.200391 groggy.65226 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.290300 groggy.46666 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.290332 groggy.46666 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.330318 groggy.39500 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.330352 groggy.39500 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.410323 groggy.47168 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.410358 groggy.47168 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.470325 groggy.55759 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.470374 groggy.55759 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.520400 groggy.34935 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.520432 groggy.34935 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.590339 groggy.44858 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.590371 groggy.44858 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.640321 groggy.49854 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.640353 groggy.49854 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.690360 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.690392 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.770299 groggy.54822 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.770330 groggy.54822 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.820697 groggy.50768 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.820730 groggy.50768 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.890317 groggy.37558 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.890348 groggy.37558 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.950327 groggy.52515 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.950359 groggy.52515 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.990323 groggy.65431 > 208.151.115.193.netbios-ns: udp 68
> 05:15:26.990355 groggy.65431 > 208.151.115.193.netbios-ns: udp 68

That's 34 messages of 68 bytes each, a total of 18,500 bits.  That
should be a good chunk of your modem bandwidth.  Now the crucial
question: which way are they going over the modem?  Traceroute
suggests that they're going out, but you have these other messages
from 209-193-28-245.adsl.jnu.acsalaska.net which shouldn't be there at
all.  What if they're really coming in?  In that case, your ISP has a
real bad case of misconfiguration.

> i collected 5MB of this stuff in a few hours, and it's exactly the
> same sequence over and over, 24 hours a day.  enh-1 is one of my
> ISP's boxes.  why is it telling me "exceeded time in transit" ?  it
> seems to be some kinda probe or something, or what?  but what is
> getting my FBSD box (groggy) to reply?

This "time exceeded in transit" ICMP message appears to be coming as a
result of the packets going out with ttl 1.  They're all from port
49409, which has thus probably been active for at least 4 seconds.  In
fact, it looks as if all the ports send exactly 6 messages.  If I sort
by port number, I get:

05:15:28.240503 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:28.240536 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:29.840319 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:29.840352 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:31.430499 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:31.430538 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:26.690360 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
05:15:26.690392 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
05:15:28.290324 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
05:15:28.290354 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
05:15:29.860662 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
05:15:29.860694 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
05:15:29.170381 groggy.34570 > 208.151.115.193.netbios-ns: udp 68
05:15:29.170412 groggy.34570 > 208.151.115.193.netbios-ns: udp 68
05:15:30.740672 groggy.34570 > 208.151.115.193.netbios-ns: udp 68
05:15:30.740703 groggy.34570 > 208.151.115.193.netbios-ns: udp 68
05:15:32.320390 groggy.34570 > 208.151.115.193.netbios-ns: udp 68
05:15:32.320421 groggy.34570 > 208.151.115.193.netbios-ns: udp 68

etc.  So if your system was sending this stuff, you'd expect it to
show up in the netstat output.  On the whole, I'm beginning to think
that this is incoming traffic, not outgoing.  If you have an external
modem, the direction of traffic should be obvious from the LEDs.
Otherwise you can confirm this with netstat.

Greg
--
When replying to this message, please copy the original recipients.
If you don't, I may ignore the reply.
For more information, see http://www.lemis.com/questions.html
Finger grog@lemis.com for PGP public key
See complete headers for address and phone numbers
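Greg's sort-by-port analysis, as an added Python example that is not part of the original message: it parses tcpdump lines of the form quoted above and reports, per source port, how many datagrams were sent, how many were back-to-back duplicate pairs, the spacing between pairs and the time span, plus the total payload bits and the on-wire bits. The sample is eight of the lines quoted in the thread; the 20+8 header bytes assume IPv4 without options.

```python
import re
from collections import defaultdict

# Constructed sample: a few of the tcpdump lines quoted in the thread.
SAMPLE = """\
05:15:28.240503 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:28.240536 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:29.840319 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:29.840352 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:31.430499 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:31.430538 groggy.33236 > 208.151.115.193.netbios-ns: udp 68
05:15:26.690360 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
05:15:26.690392 groggy.33520 > 208.151.115.193.netbios-ns: udp 68
"""

# tcpdump UDP line: "HH:MM:SS.frac src.port > dst.port: udp LEN", where LEN
# is the UDP payload length, not the size of the datagram on the wire.
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+)\s+(\S+)\.(\S+)\s+>\s+(\S+)\.(\S+):\s+udp\s+(\d+)$")
IP_UDP_HEADERS = 20 + 8  # assumed: IPv4 header without options plus UDP header, in bytes

def parse(text):
    """Yield (seconds since midnight, src host, src port, dst host, dst port, udp len)."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip ICMP lines, wrapped fragments and the like
        hh, mm, ss, shost, sport, dhost, dport, ulen = m.groups()
        yield int(hh) * 3600 + int(mm) * 60 + float(ss), shost, sport, dhost, dport, int(ulen)

def summarise(text, dup_window=0.001):
    """Group datagrams by source port and characterise each port's sending pattern."""
    by_port = defaultdict(list)
    payload_bits = wire_bits = 0
    for t, shost, sport, _dhost, _dport, ulen in parse(text):
        by_port[(shost, sport)].append(t)
        payload_bits += ulen * 8
        wire_bits += (ulen + IP_UDP_HEADERS) * 8
    ports = {}
    for key, times in by_port.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        retries = [g for g in gaps if g >= dup_window]  # spacing between successive pairs
        ports[key] = {
            "count": len(times),
            "pairs": sum(1 for g in gaps if g < dup_window),  # back-to-back copies
            "retry_gap_s": round(sum(retries) / len(retries), 3) if retries else None,
            "span_s": round(times[-1] - times[0], 3),
        }
    return {"payload_bits": payload_bits, "wire_bits": wire_bits, "ports": ports}
```

Run it over a full capture with `summarise(open("dump.txt").read())`; a port that shows six datagrams as three pairs about 1.6 s apart is a single name query being retried, and the wire_bits figure is the one to compare with the link speed.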

