is this a possible DoS attack?
Chad Leigh -- Shire.Net LLC
chad at shire.net
Mon May 16 09:13:19 PDT 2005
On May 16, 2005, at 9:44 AM, David Kelly wrote:
> On Mon, May 16, 2005 at 08:26:58AM -0600, Chad Leigh -- Shire.Net
> LLC wrote:
>
>>
>> May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from
>> 00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0
>>
>
> [...]
>
>
>> The address 166.70.252.252 is on another server that has not
>> changed at all and is on a linux server that has that address but has
>> no open ports / services listening on that address at all (it does
>> all its listening on a private 192.168 type address -- the public
>> address assignment is to make it easier for it to go out to the world
>> for updates)
>>
>
> Both nets on the Linux machine on the same NIC?
Yes
> If so then I'd suspect
> something with Linux. Else note the MAC address only differs by one
> bit.
> Unless that rings a bell as a signature of a DoS then I'd suspect
> either
> the Linux NIC or ethernet switch between. None the less whatever the
> cause doesn't excuse FreeBSD for falling on its face.
True
From what I have been able to dig up in the Linux box's logs, there
was a jfs filesystem bug of some sort and that is about when all this
started happening. The machine itself cannot be remotely rebooted
due to some filesystem errors so I am off downtown to reboot it and
see what happens.
I agree that the FBSD box should not fall on its face. It is a 4-
something (reasonably recent) but is being "retired" as all the
services and customers get moved to a new 5.3 box that we have been
transitioning to, and this machine is to be rebuilt in 1 week as a
5.4 dedicated server.
And thanks to all who replied, even if I do not get a reply off to
you personally!
Chad
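
The one-bit difference noted in the quoted reply can be checked mechanically over a whole log. The following is an added example, not part of the original post: it parses `arp: ... moved from ... to ...` kernel messages and counts the bits that differ between the old and new MAC. The function names, the verdict labels and every sample line except the first are constructed for illustration.

```python
import re

# Matches the FreeBSD kernel message quoted in the thread, joined onto one line.
ARP_MOVED = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) to "
    r"(?P<new>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifname>\S+)",
    re.IGNORECASE,
)

def mac_to_int(mac):
    """Convert aa:bb:cc:dd:ee:ff to a 48-bit integer."""
    return int(mac.replace(":", ""), 16)

def bit_distance(old, new):
    """Number of bits that differ between two MAC addresses."""
    return bin(mac_to_int(old) ^ mac_to_int(new)).count("1")

def classify(lines):
    """Return one dict per 'moved' message; other log lines are skipped."""
    results = []
    for line in lines:
        m = ARP_MOVED.search(line)
        if not m:
            continue
        bits = bit_distance(m["old"], m["new"])
        results.append({
            "ip": m["ip"],
            "ifname": m["ifname"],
            "bits": bits,
            # Heuristic from the thread: a one-bit change hints at a NIC or
            # switch fault; a different MAC means another device answered.
            "verdict": "single-bit-flip" if bits == 1 else "different-mac",
        })
    return results

SAMPLE = [
    # From the post (the two wrapped lines joined).
    "May 16 03:14:59 crickhollow /kernel: arp: 166.70.252.252 moved from "
    "00:20:ed:16:b9:07 to 00:20:ed:56:b9:07 on dc0",
    # Constructed: documentation-range IP and MACs, eight bits differ.
    "May 16 03:15:40 examplehost /kernel: arp: 192.0.2.10 moved from "
    "00:00:5e:00:53:01 to 00:00:5e:00:53:fe on dc0",
    # Constructed: unrelated line that must be ignored.
    "May 16 03:16:02 examplehost /kernel: dc0: watchdog timeout",
]

if __name__ == "__main__":
    for r in classify(SAMPLE):
        print(r["ip"], r["ifname"], r["bits"], r["verdict"])
```
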