is this a possible DoS attack?

Joseph Borg juu.borg at gmail.com
Mon May 16 07:36:53 PDT 2005


On 5/16/05, Chad Leigh -- Shire.Net LLC <chad at shire.net> wrote:
> 
> I had a server reboot itself twice in close succession in the middle
> of the night, after a long uptime.  This server had not reboot itself
> in ages (years) -- all previous boots were controlled.
> 
> The syslog has the following in it a half hour or so prior to the
> first boot (the first line or two is just to show that nothing much
> happened before this happened):
> 
> May 16 02:20:00 crickhollow named[87025]: zone 22.63.209.in-addr.arpa/
> IN: loading master file ptr.209.63.22: file not found
> May 16 02:33:31 crickhollow /kernel: Limiting icmp unreach response
> from 232 to 200 packets per second
> May 16 03:14:52 crickhollow /kernel: All mbufs exhausted, please see
> tuning(7).
> May 16 03:14:53 crickhollow last message repeated 3 times
> May 16 03:14:59 crickhollow /kernel: o 00:20:ed:16:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
> 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
> 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
> 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
> 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
> 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
> 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
> 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
> 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
> 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
> 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
> 

As a first guess, I'd say there's an IP conflict, with two machines
having the same IP address and hence the corresponding arp keeps
changing from one machine to another...

> and then this arp message-pair (moving from one address to another
> and back) goes on a ton for 20-30 minutes then a spontaneous reboot
> then more of these arp message-pairs for another 20-30 minutes (no
> mbuf message though during the intervening period) and then another
> spontaneous reboot and then the arp message-pair went on for another
> short while 10-20 minutes and then all is relatively quiet.
> 
> There were some intermediate
> 
> May 16 03:59:36 crickhollow /kernel: Limiting closed port RST
> response from 646 to 200 packets per second
> 
> sort of messages during the "arp" flood.
> 
> The address  166.70.252.252  is on another server that has not
> changed at all and is on a linux server that has that address but has
> no open ports / services listening on that address at all (it does
> all its listening on a private 192.168 type address -- the public
> address assignment is to make it easier for it to go out to the world
> for updates)
> 

Are these two machines: "166.70.252.252 is on another server that has not
changed at all and is on a linux server that has that address"?


> The mbufs on this machine are pretty high and the usage of the
> machine has not gone up much.
> 
> Here is what the mbufs look like this morning
> 
> host# netstat -m
> 148/46048/131072 mbufs in use (current/peak/max):
>         148 mbufs allocated to data
> 144/468/32768 mbuf clusters in use (current/peak/max)
> 12448 Kbytes allocated to network (12% of mb_map in use)
> 0 requests for memory denied
> 0 requests for memory delayed
> 0 calls to protocol drain routines
> host#
> 
> Any thoughts on what could have happened would be appreciated.
> 
> Thanks
> Chad
> 
> ---
> Chad Leigh -- Shire.Net LLC
> Your Web App and Email hosting provider
> chad at shire.net
> 
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>


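The evidence Chad posted is a burst of "arp: ... moved from A to B" lines for one IP in a single second, plus "Limiting ... response" and "All mbufs exhausted" kernel messages. Triage for that pattern is a job for a small log parser rather than eyeballing syslog, so here is an added example (my code, not from either poster) that pulls those three message types out of a syslog excerpt and classifies each IP's ARP activity: one change is a normal host swap, many alternations between two MACs is two stations answering for the same address (an IP conflict, or a bogus ARP reply). The sample log is constructed: the crickhollow lines reproduce the quoted ones, while the 192.0.2.10 line is made up to show the contrast with a single, one-off move. One observation the code also surfaces, which is my own and not something either poster remarked on: the two MACs in the quoted log, 00:20:ed:16:b9:07 and 00:20:ed:56:b9:07, differ in exactly one bit, so a corrupted frame or flaky NIC is worth ruling out before concluding that a second physical host exists.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the syslog excerpt quoted in this thread.
# The crickhollow lines mirror the quoted log; the 192.0.2.10 line is
# fabricated to show how a single ARP change is reported differently from a flap.
SAMPLE_LOG = """\
May 16 02:33:31 crickhollow /kernel: Limiting icmp unreach response from 232 to 200 packets per second
May 16 03:14:52 crickhollow /kernel: All mbufs exhausted, please see tuning(7).
May 16 03:14:53 crickhollow last message repeated 3 times
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from 00:20:ed:56:b9:07 to 00:20:ed:16:b9:07 on dc0
May 16 03:15:10 crickhollow /kernel: arp: 192.0.2.10 moved from 00:11:22:33:44:55 to 66:77:88:99:aa:bb on dc0
May 16 03:59:36 crickhollow /kernel: Limiting closed port RST response from 646 to 200 packets per second
"""

TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) ")
ARP_RE = re.compile(
    r"arp: (?P<ip>\d+\.\d+\.\d+\.\d+) moved from (?P<old>[0-9a-f:]{17}) "
    r"to (?P<new>[0-9a-f:]{17}) on (?P<ifc>\S+)"
)
LIMIT_RE = re.compile(
    r"Limiting (?P<what>.+?) response from (?P<seen>\d+) to (?P<cap>\d+) packets per second"
)
MBUF_RE = re.compile(r"All mbufs exhausted")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


def mac_hamming(a, b):
    """Number of differing bits between two colon-separated MAC addresses."""
    x = bytes.fromhex(a.replace(":", ""))
    y = bytes.fromhex(b.replace(":", ""))
    return sum(bin(p ^ q).count("1") for p, q in zip(x, y))


def analyze(log):
    """Summarise ARP moves, response rate-limiting and mbuf exhaustion in a syslog excerpt."""
    moves = defaultdict(list)          # ip -> [(ts, old_mac, new_mac, interface)]
    limits, mbuf_exhausted, last = [], 0, None
    for line in log.splitlines():
        ts_m = TS_RE.match(line)
        ts = ts_m.group("ts") if ts_m else "?"
        if (m := ARP_RE.search(line)):
            moves[m["ip"]].append((ts, m["old"], m["new"], m["ifc"]))
            last = "arp"
        elif (m := LIMIT_RE.search(line)):
            limits.append({"ts": ts, "what": m["what"],
                           "seen": int(m["seen"]), "cap": int(m["cap"])})
            last = "limit"
        elif MBUF_RE.search(line):
            mbuf_exhausted += 1
            last = "mbuf"
        elif (m := REPEAT_RE.search(line)) and last == "mbuf":
            # syslogd collapsed repeats of the previous line; count them
            mbuf_exhausted += int(m["n"])
        else:
            last = None

    arp = {}
    for ip, evs in moves.items():
        macs = sorted({mac for _, old, new, _ in evs for mac in (old, new)})
        per_second = Counter(ts for ts, *_ in evs)
        if len(evs) == 1:
            verdict = "single_move"        # one change: host replaced or re-addressed
        elif len(macs) == 2:
            verdict = "flapping"           # two stations both answering for one IP
        else:
            verdict = "multiple_macs"      # three or more claimants: look harder
        arp[ip] = {
            "moves": len(evs),
            "macs": macs,
            "max_moves_per_second": max(per_second.values()),
            "interfaces": sorted({ifc for *_, ifc in evs}),
            "verdict": verdict,
            # A 1-bit difference between the two MACs is a hint to rule out a
            # corrupted frame or NIC before assuming a second physical host.
            "mac_bit_distance": mac_hamming(macs[0], macs[1]) if len(macs) == 2 else None,
        }
    return {"arp": arp, "rate_limits": limits, "mbuf_exhausted": mbuf_exhausted}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run it against /var/log/messages (or a `dmesg` dump) by passing the file contents to `analyze()`. The "Limiting ... response" lines are produced by the FreeBSD kernel's ICMP/RST bandwidth limiter (sysctl net.inet.icmp.icmplim); the `seen` value tells you how far above the cap the offered load was, which is the same class of evidence as the ARP burst when deciding whether the box was being hammered or just misconfigured.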