Runaway kernel? Or an attack?

Andresen, Jason R. jandrese at mitre.org
Thu Oct 19 14:21:55 UTC 2006


>From: Jeremy Chadwick [mailto:freebsd at jdc.parodius.com]
>
>On Wed, Oct 18, 2006 at 04:07:14PM -0400, Andresen, Jason R. wrote:
>> Ok, I have a recurring problem with my webserver.  Once a day or so it
>> gets locked into a loop with some random server usually somewhere in my
>> ISP.  When it does this, it spends all of its time spitting out packets
>> and getting FIN, ACKs back.
>>
>> Shutting down the HTTP server doesn't stop the traffic.  I have to
>> create firewall rules to block the outgoing traffic to stop it.  Wiping
>> the disk and reinstalling from the CD didn't help either.  This host is
>> behind a NAT (A D-Link DI-604 router).  Is this a bad packet injection
>> attack, a bug, or has my box been compromised?
>
>And let me guess: your DI-604 is set to port forward TCP 80 to
>192.168.42.2 (rather than make 192.168.42.2 the DMZ host).
>
>I recommend removing the DI-604 from the topology and see if the
>problem continues.  Gut feeling (based on past experience with
>D-Link's residential products) is the problem will disappear.
>You'll have to trust me on this -- no matter how reliable you think
>the DI-series units are ("It works fine for me!"), they aren't.
>There are major IP stack implementation issues with these units
>(same with the DI-614+).
>
>Thoroughly scan the D-Link forum on www.broadbandreports.com for
>details of these problems.  The IP stack on those units is awful.
>
>Consider picking up a WRT54GL (which runs Linux; sure, I'd prefer
>they run BSD, but I'll trust Linux's IP stack over some third-party
>out-of-country IP stack any day of the week).  Do not go with a
>WRT54G (because you won't know what version you get; Linux-based
>or VxWorks-based (which has other IP stack problems)), nor a WRT54GS
>(same risk (Linux vs. VxWorks)).

So the upshot is to not trust anything that uses VxWorks?  I've been
considering reworking my network by adding a second interface to the
webserver machine and having it replace the DI-604, but I've been
reluctant because if my box was being compromised I didn't want to open
it up even further to attack.  Looks like I should do it anyway.
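As an added example (not part of this thread or of any FreeBSD tool), a small detector for the symptom Jason describes: it scans tcpdump-style lines, constructed here, and reports peers to which the local host keeps sending while getting nothing but FIN/ACKs back. The 192.168.42.2 address comes from the thread; the peer addresses, line format and thresholds are assumptions.

```python
import re
from collections import defaultdict

LOCAL = "192.168.42.2"  # the web server behind the NAT, as quoted in the thread

# Minimal tcpdump-style line parser (constructed format, not a full grammar).
LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")

def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None if the line is not TCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return d["src"], int(d["sport"]), d["dst"], int(d["dport"]), d["flags"]

def find_runaway_flows(lines, local_ip, min_out=20, min_fin_replies=10):
    """Return flows (local_port, peer_ip, peer_port) where the local host sent
    at least min_out packets and the peer answered with FIN-bearing packets at
    least min_fin_replies times: we keep talking to a connection the peer has
    already closed. Thresholds are assumptions; tune them to the link."""
    out_count = defaultdict(int)
    fin_replies = defaultdict(int)
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        src, sport, dst, dport, flags = p
        if src == local_ip:
            out_count[(sport, dst, dport)] += 1
        elif dst == local_ip and "F" in flags:
            fin_replies[(dport, src, sport)] += 1
    return sorted(k for k in out_count
                  if out_count[k] >= min_out and fin_replies[k] >= min_fin_replies)

def sample_capture():
    """Constructed capture: a healthy HTTP exchange, then the stuck flow."""
    good = [
        f"10:00:00.000001 IP 198.51.100.9.40001 > {LOCAL}.80: Flags [S], seq 0, length 0",
        f"10:00:00.000002 IP {LOCAL}.80 > 198.51.100.9.40001: Flags [S.], seq 0, ack 1, length 0",
        f"10:00:00.000003 IP {LOCAL}.80 > 198.51.100.9.40001: Flags [P.], seq 1:501, ack 1, length 500",
        f"10:00:00.000004 IP 198.51.100.9.40001 > {LOCAL}.80: Flags [F.], seq 1, ack 501, length 0",
        f"10:00:00.000005 IP {LOCAL}.80 > 198.51.100.9.40001: Flags [F.], seq 501, ack 2, length 0",
    ]
    stuck = []  # every outbound segment is answered only by a FIN/ACK from the peer
    for i in range(30):
        stuck.append(f"10:00:01.{i:06d} IP {LOCAL}.80 > 203.0.113.7.51234: Flags [P.], seq 1:1449, ack 1, length 1448")
        stuck.append(f"10:00:01.{i:06d} IP 203.0.113.7.51234 > {LOCAL}.80: Flags [F.], seq 1, ack 1, length 0")
    return good + stuck
```

Fed real `tcpdump -n -l` output, the flagged tuple names the peer and port for the outbound block rule the poster already uses as a stopgap, and a flow that reappears after the NAT box is removed from the path would point back at the host rather than the router.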

