Runaway kernel? Or an attack?

Andresen, Jason R. jandrese at mitre.org
Thu Oct 19 14:17:28 UTC 2006


I would have thought so too excep that it's always a different host.
It's usually inside of Verizon though. 

>-----Original Message-----
>From: Chuck Swiger [mailto:cswiger at mac.com] 
>Sent: Wednesday, October 18, 2006 4:33 PM
>To: Andresen, Jason R.
>Cc: freebsd-stable at freebsd.org
>Subject: Re: Runaway kernel? Or an attack?
>
>On Oct 18, 2006, at 1:07 PM, Andresen, Jason R. wrote:
>> Ok, I have a recurring problem with my webserver.  Once a 
>day or so it
>> gets locked into a loop with some random server usually somewhere  
>> in my
>> ISP.  When it does this, it spends all of its time spitting out  
>> packets
>> and getting FIN, ACKs back.
>>
>> Shutting down the HTTP server doesn't stop the traffic.  I have to
>> create firewall rules to block the outgoing traffic to stop it.
>
>Frankly, this sounds more like the random remote host has been  
>compromised, rather than your machine, and it is scanning the network

>for other hosts to attack.  What URLs are being requested (check the  
>http logs)?
>
>> Here's a short tcpdump of the traffic when it happens, these packets
>> are going out at a rate of thousands per second.  The 192.168.42.2
is
>> the local host and 192.76.86.83 is the apparently random victim:
>
>I'd talk to verizon.com and ask them what is going on from their side

>with that host...
>
>-- 
>-Chuck
>
>


More information about the freebsd-stable mailing list