Date: Thu, 19 Oct 2006 10:16:17 -0400
From: "Andresen, Jason R." <jandrese@mitre.org>
To: "Chuck Swiger" <cswiger@mac.com>
Cc: freebsd-stable@freebsd.org
Subject: RE: Runaway kernel? Or an attack?
Message-ID: <F9F038204EE77C4AA9959A6B3C94AFE8F99DC1@IMCSRV2.MITRE.ORG>
In-Reply-To: <BC53B472-8E48-4BE4-9011-5BA20D44630F@mac.com>

I would have thought so too except that it's always a different host. It's usually inside of Verizon though.

>-----Original Message-----
>From: Chuck Swiger [mailto:cswiger@mac.com]
>Sent: Wednesday, October 18, 2006 4:33 PM
>To: Andresen, Jason R.
>Cc: freebsd-stable@freebsd.org
>Subject: Re: Runaway kernel? Or an attack?
>
>On Oct 18, 2006, at 1:07 PM, Andresen, Jason R. wrote:
>> Ok, I have a recurring problem with my webserver. Once a day or so it
>> gets locked into a loop with some random server usually somewhere in my
>> ISP. When it does this, it spends all of its time spitting out packets
>> and getting FIN, ACKs back.
>>
>> Shutting down the HTTP server doesn't stop the traffic. I have to
>> create firewall rules to block the outgoing traffic to stop it.
>
>Frankly, this sounds more like the random remote host has been
>compromised, rather than your machine, and it is scanning the network
>for other hosts to attack. What URLs are being requested (check the
>http logs)?
>
>> Here's a short tcpdump of the traffic when it happens, these packets
>> are going out at a rate of thousands per second. The 192.168.42.2 is
>> the local host and 192.76.86.83 is the apparently random victim:
>
>I'd talk to verizon.com and ask them what is going on from their side
>with that host...
>
>--
>-Chuck