Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 24 Nov 2007 15:45:40 +0100
From:      Marten Vijn <info@martenvijn.nl>
To:        Bill Moran <wmoran@collaborativefusion.com>
Cc:        freebsd-hackers@freebsd.org, "Joel V." <joel@smail.ee>
Subject:   Re: Welcome to Hell / Mysterious networking troubles on FreeBSD
Message-ID:  <1195915540.4426.15.camel@workstation.martenvijn.nl>
In-Reply-To: <20071124085117.5b31452c.wmoran@collaborativefusion.com>
References:  <000001c82e1c$27909d50$0200a8c0@windsor> <20071124085117.5b31452c.wmoran@collaborativefusion.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 2007-11-24 at 08:51 -0500, Bill Moran wrote:
> "Joel V." <joel@smail.ee> wrote:
> >
> > Hello all,
> > 
> > I'm not experiencing this problem, my friend is. He's simply too pissed off
> > to write here and I'm afraid he's going to set his office on fire if he
> > doesn't solve the problem soon, so without further ado, here's the problem:
> > 
> > He has two fbsd boxes, main server running 6.1 and dns server running 4.3.
> > He has 4 public IPs which he can use and the main server is running on
> > x.x.x.122. He's main box is NOT acting as a gateway/NAT box in the office.
> > Today he noticed that net is getting awfully slow. Sometimes there would be
> > 50% pl when pinging, sometimes pinging would be all OK, but SSH is dead-slow
> > and the webpages running on the main server are not displaying. E-mails are
> > not going through. He calls the ISP, who say that his network is showing
> > major uploading activity. He switches off networking services one by one in
> > the main box but situation does not improve. He disconnects the main server
> > and puts a windows xp box instead, which seems to run fine. He puts back the
> > freebsd box, disables all networking services again except for SSH and
> > connects the network: instant 100% networking slow-down. He tried to change
> > the switch, thinking it's faulty. He disconnect every other computer in the
> > office from the network: nothing. He put the public IP address on the
> > second, internal network NIC: same thing. Now it gets really mysterious: he
> > puts the old dns server with the x.x.x.122 IP and instantly it becomes slow
> > as death. The logical conclusion would be that someone is flooding that IP?
> > Only the windows xp box seemed to work fine and the ISP guy said it was
> > upload bandwidth that was excessive...
> > 
> > Netstat -a doesn't show anything interesting, arp -a doesn't show any
> > incomplete addresses He tried to build and install a new fresh kernel.
> > Nothing. This is the most creepy networking problem I've heard of. Can YOU
> > help? Any ideas where to start looking?
> 
> +1 on the tcpdump work.  Once you have the packet capture, something like
> Wireshark will give you a pretty view of the packets.  However, posting
> the text output of tcpdump will allow the crew on this mailing list to
> give you specific advice (once you've done what Julian suggests, you
> can get text output by doing tcpdump -r capture.out)
> 
> Overall, based on your vague symptoms, I'd guess you got cracked and
> someone's running a spambot or other bot on that box.  They may even
> have it rooted.
> 
You may find that out putting bridging (man bridge and sysctl) box
inbetween the internet connection and your box and dump there. I would
use for temp my laptop with an extra usb_ethernet device. 

A mirrorport on a switch + sflow / netflow could show traffic in ntop to
get more insight on your traffic.   

more tools:
nmap
tcpflow
chkrootkit
md5sum (too late for tripwire) if you have your bins somewhere else on
tar/tape/cd

Marten





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1195915540.4426.15.camel>