From owner-freebsd-stable@FreeBSD.ORG Thu Oct 19 14:21:54 2006
Return-Path:
X-Original-To: freebsd-stable@freebsd.org
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EB3D916A549 for ; Thu, 19 Oct 2006 14:21:54 +0000 (UTC) (envelope-from jandrese@mitre.org)
Received: from smtp-mclean.mitre.org (smtp-mclean.mitre.org [192.80.55.71]) by mx1.FreeBSD.org (Postfix) with ESMTP id EA5CF43DD8 for ; Thu, 19 Oct 2006 14:21:07 +0000 (GMT) (envelope-from jandrese@mitre.org)
Received: from smtp-mclean.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-mclean.mitre.org (8.12.11.20060308/8.12.11) with SMTP id k9JEL7u8014078 for ; Thu, 19 Oct 2006 10:21:07 -0400
Received: from smtp-mclean.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-mclean.mitre.org (Postfix) with ESMTP id 4872B1BDA9 for ; Thu, 19 Oct 2006 10:21:06 -0400 (EDT)
Received: from IMCFE1.MITRE.ORG (imcfe1.mitre.org [129.83.29.3]) by smtp-mclean.mitre.org (8.12.11.20060308/8.12.11) with ESMTP id k9JEL50j014024; Thu, 19 Oct 2006 10:21:05 -0400
Received: from IMCSRV2.MITRE.ORG ([129.83.20.164]) by IMCFE1.MITRE.ORG with Microsoft SMTPSVC(6.0.3790.1830); Thu, 19 Oct 2006 10:21:05 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 19 Oct 2006 10:21:00 -0400
Message-ID:
In-Reply-To: <20061018204503.GB47563@icarus.home.lan>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Runaway kernel? Or an attack?
Thread-Index: Acby9krt6hxyqg56SY+v/MaZ3lRYQQAkvUug
From: "Andresen, Jason R."
To: "Jeremy Chadwick"
X-OriginalArrivalTime: 19 Oct 2006 14:21:05.0273 (UTC) FILETIME=[D0058690:01C6F389]
Cc: freebsd-stable@freebsd.org
Subject: RE: Runaway kernel? Or an attack?
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 19 Oct 2006 14:21:55 -0000

> From: Jeremy Chadwick [mailto:freebsd@jdc.parodius.com]
>
> On Wed, Oct 18, 2006 at 04:07:14PM -0400, Andresen, Jason R. wrote:
>> Ok, I have a recurring problem with my webserver. Once a day or so it
>> gets locked into a loop with some random server usually somewhere in my
>> ISP. When it does this, it spends all of its time spitting out packets
>> and getting FIN, ACKs back.
>>
>> Shutting down the HTTP server doesn't stop the traffic. I have to
>> create firewall rules to block the outgoing traffic to stop it. Wiping
>> the disk and reinstalling from the CD didn't help either. This host is
>> behind a NAT (A D-Link DI-604 router). Is this a bad packet injection
>> attack, a bug, or has my box been compromised?
>
> And let me guess: your DI-604 is set to port forward TCP 80 to
> 192.168.42.2 (rather than make 192.168.42.2 the DMZ host).
>
> I recommend removing the DI-604 from the topology and see if the
> problem continues. Gut feeling (based on past experience with
> D-Link's residential products) is the problem will disappear.
> You'll have to trust me on this -- no matter how reliable you think
> the DI-series units are ("It works fine for me!"), they aren't.
> There are major IP stack implementation issues with these units
> (same with the DI-614+).
>
> Thoroughly scan the D-Link forum on www.broadbandreports.com for
> details of these problems. The IP stack on those units is awful.
>
> Consider picking up a WRT54GL (which runs Linux; sure, I'd prefer
> they run BSD, but I'll trust Linux's IP stack over some third-party
> out-of-country IP stack any day of the week). Do not go with a
> WRT54G (because you won't know what version you get; Linux-based
> or VxWorks-based (which has other IP stack problems), nor a WRT54GS
> (same risk (Linux vs. VxWorks)).

So the upshot is to not trust anything that uses VxWorks?

I've been considering reworking my network by adding a second interface to the webserver machine and having it replace the DI-604, but I've been reluctant because if my box was being compromised I didn't want to open it up even further to attack. Looks like I should do it anyway.
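A defender-side check for the symptom described in the quoted message (the host "spitting out packets and getting FIN, ACKs back"), as an added example that is not part of the original thread: it parses constructed tcpdump-style lines, flags flows where the local host keeps sending while the peer answers only with FIN/ACK or RST (a peer with no live connection for those segments), and builds the kind of outgoing ipfw deny rule the poster applied by hand. The sample capture, the 192.168.42.2 host address reuse, the peer addresses and the ipfw rule number are all assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style sample (not a capture from the original thread):
# local host keeps pushing the same segment to 203.0.113.7 and only ever gets
# FIN/ACK back, while the flow with 198.51.100.9 is a normal data/ack exchange.
SAMPLE_LOG = """\
10:21:01.000 IP 192.168.42.2.80 > 203.0.113.7.51234: Flags [P.], seq 1:101, ack 1, length 100
10:21:01.001 IP 203.0.113.7.51234 > 192.168.42.2.80: Flags [F.], seq 1, ack 1, length 0
10:21:01.002 IP 192.168.42.2.80 > 203.0.113.7.51234: Flags [P.], seq 1:101, ack 1, length 100
10:21:01.003 IP 203.0.113.7.51234 > 192.168.42.2.80: Flags [F.], seq 1, ack 1, length 0
10:21:01.004 IP 192.168.42.2.80 > 203.0.113.7.51234: Flags [P.], seq 1:101, ack 1, length 100
10:21:01.005 IP 203.0.113.7.51234 > 192.168.42.2.80: Flags [F.], seq 1, ack 1, length 0
10:21:01.006 IP 192.168.42.2.80 > 198.51.100.9.40000: Flags [P.], seq 1:201, ack 1, length 200
10:21:01.007 IP 198.51.100.9.40000 > 192.168.42.2.80: Flags [.], ack 201, length 0
"""

TCPDUMP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")

def parse_line(line):
    """Return ((src, sport), (dst, dport), flags) or None for non-TCP lines."""
    m = TCPDUMP_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return (src, int(sport)), (dst, int(dport)), flags

def find_runaway_flows(lines, local_ip, min_sent=3):
    """Flows where local_ip keeps sending while the peer answers only FIN/RST."""
    sent, closes, normal = defaultdict(int), defaultdict(int), defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, flags = parsed
        if src[0] == local_ip:
            sent[(src, dst)] += 1          # segments our host pushed out
        elif dst[0] == local_ip:
            # FIN or RST from the peer means it has no live connection for them
            bucket = closes if ("F" in flags or "R" in flags) else normal
            bucket[(dst, src)] += 1
    return sorted((loc, rem, n, closes[(loc, rem)]) for (loc, rem), n in sent.items()
                  if n >= min_sent and closes[(loc, rem)] and not normal[(loc, rem)])

def ipfw_block_rule(local, remote, rule_no=1000):
    """Outgoing ipfw deny rule for one looping flow (rule number is assumed)."""
    return (f"ipfw add {rule_no} deny tcp from {local[0]} {local[1]} "
            f"to {remote[0]} {remote[1]} out")
```

Feed it `tcpdump -n -i <iface> tcp` output line by line; a flow it reports is one to block (and then investigate at the NAT), not a normal close.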