Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 24 Nov 2007 14:08:58 -0800
From:      Julian Elischer <julian@elischer.org>
To:        "Joel V." <joel@smail.ee>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Welcome to Hell / Mysterious networking troubles on FreeBSD
Message-ID:  <4748A0FA.1060402@elischer.org>
In-Reply-To: <000101c82ed9$4d0986b0$0200a8c0@windsor>
References:  <000101c82ed9$4d0986b0$0200a8c0@windsor>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Joel V. wrote:
> Hello.
> 
> A big thanks to everyone who contacted me. FreeBSD really has the best
> community one could help for.
> 
> Now, it has been confirmed by the backbone manager that we're dealing with a
> DDOS attack. However, the ISP seems to be as clueless as a headless sheep,
> and we haven't been able to contact their technical staff yet (of course one
> can't be 100% sure that they even have a technical staff, judging by the
> level of their response).
> 
> Hopefully the situation will be fixed soon. One final question though: are
> there any quick steps one can take to protect their server from DDOS attacks
> like these?

in the short term..

ipfw add 100 drop udp from (address)

> 
> Again, thanks to everyone who helped out.
> 
> Joel V.
>  
> 
> -----Original Message-----
> From: Joel V. [mailto:joel@smail.ee] 
> Sent: Saturday, November 24, 2007 2:56 PM
> To: 'freebsd-hackers@freebsd.org'
> Subject: RE: Welcome to Hell / Mysterious networking troubles on FreeBSD
> 
> As a lot of people recommended using tcpdump, here it is. The only thing
> that stands out, are hundreds and thousands of lines like this:
> 
> 13:45:49.991592 IP 82.165.252.222.36887 > ns1.galandrex.ee.43077: UDP,
> length 9216
> 13:45:49.996482 IP 82.165.252.222.36887 > ns1.galandrex.ee.33803: UDP,
> length 9216
> 13:45:50.001174 IP 82.165.252.222.36887 > ns1.galandrex.ee.63574: UDP,
> length 9216
> 13:45:50.005955 IP 82.165.252.222.36887 > ns1.galandrex.ee.36618: UDP,
> length 9216
> 13:45:50.010749 IP 82.165.252.222.36887 > ns1.galandrex.ee.48231: UDP,
> length 9216 
> 
> That IP resolves to u15194704.onlinehome-server.com. Seems to be a german
> ISP. After five seconds the capture.out file was already 2.8MB. You can see
> the file here: https://89.219.136.126/capture.out
> 
> Thank you again to all the nice people who contacted me. And again, it would
> be nice if you could send me a copy of your reply, because I'm not a member
> of the list (either reply or cc to joel@spirit.ee). Thanks!
> 
> Joel V.
> 
> 
> -----Original Message-----
> From: Joel V. [mailto:joel@smail.ee]
> Sent: Saturday, November 24, 2007 12:00 AM
> To: 'freebsd-hackers@freebsd.org'
> Subject: Welcome to Hell / Mysterious networking troubles on FreeBSD
> 
> Hello all,
> 
> I'm not experiencing this problem, my friend is. He's simply too pissed off
> to write here and I'm afraid he's going to set his office on fire if he
> doesn't solve the problem soon, so without further ado, here's the problem:
> 
> He has two fbsd boxes, main server running 6.1 and dns server running 4.3.
> He has 4 public IPs which he can use and the main server is running on
> x.x.x.122. He's main box is NOT acting as a gateway/NAT box in the office.
> Today he noticed that net is getting awfully slow. Sometimes there would be
> 50% pl when pinging, sometimes pinging would be all OK, but SSH is dead-slow
> and the webpages running on the main server are not displaying. E-mails are
> not going through. He calls the ISP, who say that his network is showing
> major uploading activity. He switches off networking services one by one in
> the main box but situation does not improve. He disconnects the main server
> and puts a windows xp box instead, which seems to run fine. He puts back the
> freebsd box, disables all networking services again except for SSH and
> connects the network: instant 100% networking slow-down. He tried to change
> the switch, thinking it's faulty. He disconnect every other computer in the
> office from the network: nothing. He put the public IP address on the
> second, internal network NIC: same thing. Now it gets really mysterious: he
> puts the old dns server with the x.x.x.122 IP and instantly it becomes slow
> as death. The logical conclusion would be that someone is flooding that IP?
> Only the windows xp box seemed to work fine and the ISP guy said it was
> upload bandwidth that was excessive...
> 
> Netstat -a doesn't show anything interesting, arp -a doesn't show any
> incomplete addresses He tried to build and install a new fresh kernel.
> Nothing. This is the most creepy networking problem I've heard of. Can YOU
> help? Any ideas where to start looking?
> 
> I'm not in the freebsd-hackers list, so if you want the e-mail to reach me,
> send a copy to joel@spirit.ee
> 
> Thank you in advance!
> Joel
> 
> 
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?4748A0FA.1060402>