is this a possible DoS attack?
Chad Leigh -- Shire.Net LLC
chad at shire.net
Mon May 16 07:27:01 PDT 2005
I had a server reboot itself twice in close succession in the middle
of the night, after a long uptime. This server had not rebooted itself
in ages (years) -- all previous boots were controlled.
The syslog has the following in it a half hour or so prior to the
first boot (the first line or two is just to show that nothing much
happened before this happened):
May 16 02:20:00 crickhollow named[87025]: zone 22.63.209.in-addr.arpa/
IN: loading master file ptr.209.63.22: file not found
May 16 02:33:31 crickhollow /kernel: Limiting icmp unreach response
from 232 to 200 packets per second
May 16 03:14:52 crickhollow /kernel: All mbufs exhausted, please see
tuning(7).
May 16 03:14:53 crickhollow last message repeated 3 times
May 16 03:14:59 crickhollow /kernel: o 00:20:ed:16:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
and then this arp message-pair (moving from one address to another
and back) goes on a ton for 20-30 minutes, then a spontaneous reboot,
then more of these arp message-pairs for another 20-30 minutes (no
mbuf message though during the intervening period), and then another
spontaneous reboot, and then the arp message-pair went on for another
short while, 10-20 minutes, and then all is relatively quiet.
There were some intermediate
May 16 03:59:36 crickhollow /kernel: Limiting closed port RST
response from 646 to 200 packets per second
sort of messages during the "arp" flood.
The address 166.70.252.252 is on another server that has not
changed at all and is on a Linux server that has that address but has
no open ports / services listening on that address at all (it does
all its listening on a private 192.168 type address -- the public
address assignment is to make it easier for it to go out to the world
for updates).
The mbufs on this machine are pretty high and the usage of the
machine has not gone up much.
Here is what the mbufs look like this morning:
host# netstat -m
148/46048/131072 mbufs in use (current/peak/max):
148 mbufs allocated to data
144/468/32768 mbuf clusters in use (current/peak/max)
12448 Kbytes allocated to network (12% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
host#
Any thoughts on what could have happened would be appreciated.
Thanks
Chad
---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
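As an added example (not part of Chad's post or of FreeBSD), here is a small log analyser for the kinds of lines quoted above: it folds "last message repeated N times" into the preceding event, counts how often each IP's ARP entry moved between MACs on which interface, and collects the kernel "Limiting ... response" and "All mbufs exhausted" events so the ARP flapping can be lined up against the resource-pressure messages. The sample log is constructed from the lines in the post, and the flap threshold is an assumed tunable.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the syslog lines quoted in the post (not the poster's full log).
SAMPLE_LOG = """\
May 16 02:33:31 crickhollow /kernel: Limiting icmp unreach response from 232 to 200 packets per second
May 16 03:14:52 crickhollow /kernel: All mbufs exhausted, please see tuning(7).
May 16 03:14:53 crickhollow last message repeated 3 times
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:15:02 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
May 16 03:59:36 crickhollow /kernel: Limiting closed port RST response from 646 to 200 packets per second
"""

ARP_RE = re.compile(r"arp: (\S+) moved from (\S+) to (\S+) on (\S+)")
LIMIT_RE = re.compile(r"Limiting (.+?) response from (\d+) to (\d+) packets per second")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")


def analyze(log_text, flap_threshold=3):
    """IPs whose ARP entry flapped between 2+ MACs at least flap_threshold times (assumed tunable),
    plus kernel resource-pressure events in log order."""
    flaps = defaultdict(lambda: {"moves": 0, "macs": set(), "iface": None})
    pressure = []
    last = None  # ("arp", ip) or ("pressure", index), for folding repeat lines
    for line in log_text.splitlines():
        ts = line[:15]  # syslog timestamp, e.g. "May 16 03:14:59"
        if m := ARP_RE.search(line):
            ip, old, new, iface = m.groups()
            flaps[ip]["moves"] += 1
            flaps[ip]["macs"].update((old, new))
            flaps[ip]["iface"] = iface
            last = ("arp", ip)
        elif m := LIMIT_RE.search(line):
            pressure.append({"ts": ts, "kind": "rate_limit", "what": m.group(1),
                             "peak_pps": int(m.group(2)), "cap_pps": int(m.group(3)), "count": 1})
            last = ("pressure", len(pressure) - 1)
        elif "All mbufs exhausted" in line:
            pressure.append({"ts": ts, "kind": "mbuf_exhausted", "count": 1})
            last = ("pressure", len(pressure) - 1)
        elif (m := REPEAT_RE.search(line)) and last:
            # "last message repeated N times" stands for N more copies of the previous line
            if last[0] == "arp":
                flaps[last[1]]["moves"] += int(m.group(1))
            else:
                pressure[last[1]]["count"] += int(m.group(1))
    flapping = {ip: {"moves": s["moves"], "macs": sorted(s["macs"]), "iface": s["iface"]}
                for ip, s in flaps.items()
                if s["moves"] >= flap_threshold and len(s["macs"]) >= 2}
    return {"flapping": flapping, "pressure": pressure}
```

Running `analyze(SAMPLE_LOG)` reports 166.70.252.252 flapping between the two MACs on dc0 and lists the two rate-limit events around the mbuf exhaustion; on a real /var/log/messages the same function shows whether the ARP flapping started before or after the mbuf and rate-limit messages.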