Date:      Sat, 24 Nov 2007 22:33:41 +0200
From:      "Joel V." <joel@smail.ee>
To:        <freebsd-hackers@freebsd.org>
Subject:   RE: Welcome to Hell / Mysterious networking troubles on FreeBSD
Message-ID:  <000101c82ed9$4d0986b0$0200a8c0@windsor>

Hello.

A big thanks to everyone who contacted me. FreeBSD really has the best
community one could hope for.

Now, it has been confirmed by the backbone manager that we're dealing with a
DDOS attack. However, the ISP seems to be as clueless as a headless sheep,
and we haven't been able to contact their technical staff yet (of course one
can't be 100% sure that they even have a technical staff, judging by the
level of their response).

Hopefully the situation will be fixed soon. One final question though: are
there any quick steps one can take to protect their server from DDOS attacks
like these?

Again, thanks to everyone who helped out.

Joel V.
 

-----Original Message-----
From: Joel V. [mailto:joel@smail.ee] 
Sent: Saturday, November 24, 2007 2:56 PM
To: 'freebsd-hackers@freebsd.org'
Subject: RE: Welcome to Hell / Mysterious networking troubles on FreeBSD

As a lot of people recommended using tcpdump, here it is. The only thing
that stands out is hundreds and thousands of lines like this:

13:45:49.991592 IP 82.165.252.222.36887 > ns1.galandrex.ee.43077: UDP, length 9216
13:45:49.996482 IP 82.165.252.222.36887 > ns1.galandrex.ee.33803: UDP, length 9216
13:45:50.001174 IP 82.165.252.222.36887 > ns1.galandrex.ee.63574: UDP, length 9216
13:45:50.005955 IP 82.165.252.222.36887 > ns1.galandrex.ee.36618: UDP, length 9216
13:45:50.010749 IP 82.165.252.222.36887 > ns1.galandrex.ee.48231: UDP, length 9216

That IP resolves to u15194704.onlinehome-server.com. Seems to be a German
ISP. After five seconds the capture.out file was already 2.8MB. You can see
the file here: https://89.219.136.126/capture.out

Thank you again to all the nice people who contacted me. And again, it would
be nice if you could send me a copy of your reply, because I'm not a member
of the list (either reply or cc to joel@spirit.ee). Thanks!

Joel V.


-----Original Message-----
From: Joel V. [mailto:joel@smail.ee]
Sent: Saturday, November 24, 2007 12:00 AM
To: 'freebsd-hackers@freebsd.org'
Subject: Welcome to Hell / Mysterious networking troubles on FreeBSD

Hello all,

I'm not experiencing this problem, my friend is. He's simply too pissed off
to write here and I'm afraid he's going to set his office on fire if he
doesn't solve the problem soon, so without further ado, here's the problem:

He has two fbsd boxes, main server running 6.1 and dns server running 4.3.
He has 4 public IPs which he can use and the main server is running on
x.x.x.122. His main box is NOT acting as a gateway/NAT box in the office.
Today he noticed that net is getting awfully slow. Sometimes there would be
50% pl when pinging, sometimes pinging would be all OK, but SSH is dead-slow
and the webpages running on the main server are not displaying. E-mails are
not going through. He calls the ISP, who say that his network is showing
major uploading activity. He switches off networking services one by one in
the main box but situation does not improve. He disconnects the main server
and puts a windows xp box instead, which seems to run fine. He puts back the
freebsd box, disables all networking services again except for SSH and
connects the network: instant 100% networking slow-down. He tried to change
the switch, thinking it's faulty. He disconnected every other computer in the
office from the network: nothing. He put the public IP address on the
second, internal network NIC: same thing. Now it gets really mysterious: he
puts the old dns server with the x.x.x.122 IP and instantly it becomes slow
as death. The logical conclusion would be that someone is flooding that IP?
Only the windows xp box seemed to work fine and the ISP guy said it was
upload bandwidth that was excessive...

Netstat -a doesn't show anything interesting, arp -a doesn't show any
incomplete addresses. He tried to build and install a new fresh kernel.
Nothing. This is the most creepy networking problem I've heard of. Can YOU
help? Any ideas where to start looking?

I'm not in the freebsd-hackers list, so if you want the e-mail to reach me,
send a copy to joel@spirit.ee

Thank you in advance!
Joel
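A detection pass over the tcpdump output quoted earlier in the thread, added here as an example and not part of the original mail: it parses tcpdump's one-line UDP summaries, aggregates packets per source host, and flags a host that sprays large datagrams at a high rate across many different destination ports, which is the random-port UDP flood the capture shows. The sample input is constructed (the five quoted lines plus three made-up benign DNS packets using documentation addresses), and the thresholds are sized for that small sample, not for a live link.

```python
import re
from collections import defaultdict
from datetime import datetime

# tcpdump's one-line UDP summary, the format quoted in the thread:
# "HH:MM:SS.usec IP src.sport > dst.dport: UDP, length N"
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
                     r"(?P<dst>\S+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)$")

def parse_udp_lines(lines):
    """Yield one dict per UDP summary line; any other line is skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["t"] = datetime.strptime(rec["ts"], "%H:%M:%S.%f")  # single-day capture assumed
            rec["dport"], rec["length"] = int(rec["dport"]), int(rec["length"])
            yield rec

def udp_flood_sources(lines, min_pkts=5, min_distinct_ports=4, min_pps=100.0):
    """Flag sources sending many UDP datagrams at a high rate to many distinct ports."""
    stats = defaultdict(lambda: {"pkts": 0, "bytes": 0, "dports": set(), "times": []})
    for rec in parse_udp_lines(lines):
        s = stats[rec["src"]]
        s["pkts"] += 1
        s["bytes"] += rec["length"]
        s["dports"].add(rec["dport"])
        s["times"].append(rec["t"])
    flagged = {}
    for src, s in stats.items():
        span = (max(s["times"]) - min(s["times"])).total_seconds()
        pps = s["pkts"] / max(span, 1e-6)  # guard against identical timestamps
        if s["pkts"] >= min_pkts and len(s["dports"]) >= min_distinct_ports and pps >= min_pps:
            flagged[src] = {"pkts": s["pkts"], "bytes": s["bytes"],
                            "distinct_dports": len(s["dports"]), "pps": round(pps)}
    return flagged

# Constructed sample: the five flood lines quoted in the thread, rejoined onto
# single lines, plus three made-up ordinary DNS packets (documentation addresses).
SAMPLE = """\
13:45:49.991592 IP 82.165.252.222.36887 > ns1.galandrex.ee.43077: UDP, length 9216
13:45:49.996482 IP 82.165.252.222.36887 > ns1.galandrex.ee.33803: UDP, length 9216
13:45:50.001174 IP 82.165.252.222.36887 > ns1.galandrex.ee.63574: UDP, length 9216
13:45:50.005955 IP 82.165.252.222.36887 > ns1.galandrex.ee.36618: UDP, length 9216
13:45:50.010749 IP 82.165.252.222.36887 > ns1.galandrex.ee.48231: UDP, length 9216
13:45:50.012001 IP 192.0.2.10.53 > ns1.galandrex.ee.50123: UDP, length 71
13:45:50.250000 IP 192.0.2.10.53 > ns1.galandrex.ee.50124: UDP, length 64
13:45:50.900000 IP 198.51.100.7.1234 > ns1.galandrex.ee.53: UDP, length 45
""".splitlines()
```

Running `udp_flood_sources(SAMPLE)` reports only the single flooding host with its packet count, byte total, number of distinct destination ports and packets per second; on a real capture, feed it `tcpdump -n -l udp` output and raise the thresholds to the link's normal levels.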