Runaway kernel? Or an attack?

Jeremy Chadwick freebsd at jdc.parodius.com
Wed Oct 18 20:45:06 UTC 2006


On Wed, Oct 18, 2006 at 04:07:14PM -0400, Andresen, Jason R. wrote:
> Ok, I have a recurring problem with my webserver.  Once a day or so it
> gets locked into a loop with some random server usually somewhere in my
> ISP.  When it does this, it spends all of its time spitting out packets
> and getting FIN, ACKs back.  
> 
> Shutting down the HTTP server doesn't stop the traffic.  I have to
> create firewall rules to block the outgoing traffic to stop it.  Wiping
> the disk and reinstalling from the CD didn't help either.  This host is
> behind a NAT (a D-Link DI-604 router).  Is this a bad packet injection
> attack, a bug, or has my box been compromised?

And let me guess: your DI-604 is set to port forward TCP 80 to
192.168.42.2 (rather than make 192.168.42.2 the DMZ host).

I recommend removing the DI-604 from the topology and seeing if the
problem continues.  Gut feeling (based on past experience with
D-Link's residential products) is the problem will disappear.
You'll have to trust me on this -- no matter how reliable you think
the DI-series units are ("It works fine for me!"), they aren't.
There are major IP stack implementation issues with these units
(same with the DI-614+).

Thoroughly scan the D-Link forum on www.broadbandreports.com for
details of these problems.  The IP stack on those units is awful.

Consider picking up a WRT54GL (which runs Linux; sure, I'd prefer
they run BSD, but I'll trust Linux's IP stack over some third-party
out-of-country IP stack any day of the week).  Do not go with a
WRT54G (because you won't know what version you get: Linux-based
or VxWorks-based, which has other IP stack problems), nor a WRT54GS
(same risk: Linux vs. VxWorks).

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.               PGP: 4BD6C0CB |



More information about the freebsd-stable mailing list