Current-Users archive
Re: Network attack?
On Tue, Jan 07, 2014 at 10:44:45AM -0800, Paul Goyette wrote:
> Still looking for why my machine has been crashing lately, at random
> intervals. Earlier investigation shows that I might be having some
> issues with mbuf allocation.
>
> After another recent episode, I took a look at netstat, and there
> are a lot of "sessions" to/from random ports that are sitting in
> TIME_WAIT state.
>
> tcp 0 0 50.193.51.18.54799 203.117.37.103.16881 ESTABLISHED
> tcp 0 0 50.193.51.18.54824 210.195.54.16.10756 ESTABLISHED
> tcp 0 0 50.193.51.18.54847 177.0.114.79.16882 TIME_WAIT
> tcp 0 0 50.193.51.18.54868 78.243.79.149.24781 TIME_WAIT
> tcp 0 0 50.193.51.18.54902 83.47.147.216.11682 TIME_WAIT
> tcp 0 0 50.193.51.18.54912 115.176.3.138.27756 TIME_WAIT
> tcp 0 0 50.193.51.18.54915 61.70.209.236.24138 TIME_WAIT
> tcp 0 0 50.193.51.18.54934 119.175.222.99.22961 TIME_WAIT
> tcp 0 0 50.193.51.18.54957 182.169.96.14.26732 TIME_WAIT
> tcp 0 0 50.193.51.18.54964 125.89.74.137.51413 TIME_WAIT
> tcp 0 0 50.193.51.18.54965 218.251.60.136.8589 TIME_WAIT
> tcp 0 0 50.193.51.18.55083 121.94.20.162.7227 TIME_WAIT
> tcp 0 0 50.193.51.18.55251 203.117.37.106.16884 TIME_WAIT
> tcp 0 0 50.193.51.18.55291 218.229.255.118.14143 TIME_WAIT
> tcp 0 0 50.193.51.18.55302 94.45.177.196.11866 TIME_WAIT
> tcp 0 0 50.193.51.18.55310 124.8.223.90.16884 TIME_WAIT
> tcp 0 0 50.193.51.18.55324 203.140.186.130.7830 TIME_WAIT
> tcp 0 0 50.193.51.18.55390 210.201.124.126.9311 TIME_WAIT
> tcp 0 0 50.193.51.18.55479 190.17.176.48.25613 TIME_WAIT
> tcp 0 0 50.193.51.18.55488 213.7.152.236.19578 TIME_WAIT
> tcp 0 0 50.193.51.18.55510 174.97.159.182.13422 TIME_WAIT
> tcp 0 0 50.193.51.18.55557 58.137.4.25.20784 TIME_WAIT
> tcp 0 0 50.193.51.18.55612 124.8.223.143.16882 TIME_WAIT
> tcp 0 0 50.193.51.18.55625 200.233.97.23.16882 TIME_WAIT
> tcp 0 0 50.193.51.18.55710 113.252.209.81.25529 TIME_WAIT
>
> My understanding of TIME_WAIT state is that a connection has
> recently disconnected. Which implies that the connection was
> previously in the ESTABLISHED state.
>
> So where the heck are all these random connections coming from? And
> why would they ever have been ESTABLISHED in the first place?
Do you have some p2p tool running? I'm seeing similar connections here,
and my best guess is that they're from rtorrent.
--
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
NetBSD: 26 years of experience will always make the difference
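
An added example, not part of either message: one way to triage `netstat -n` output like the listing quoted above is to check whether each socket's local port is a listener (inbound) or an ephemeral port (outbound, as a local client such as a p2p tool would produce). The function name, the sample lines (documentation addresses), the listening-port set and the 49152-65535 ephemeral range are assumptions of this sketch.

```python
import re
from collections import Counter

# Constructed sample in the BSD `netstat -n` layout quoted in the thread
# (documentation addresses, not the poster's hosts).
SAMPLE = """\
tcp 0 0 192.0.2.10.54799 198.51.100.7.16881 ESTABLISHED
tcp 0 0 192.0.2.10.54824 203.0.113.9.10756 TIME_WAIT
tcp 0 0 192.0.2.10.54847 198.51.100.44.16882 TIME_WAIT
tcp 0 0 192.0.2.10.22 203.0.113.50.40112 ESTABLISHED
"""

# proto recv-q send-q local.port remote.port state (port follows the last dot)
LINE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+)\.(\d+)\s+(\S+)\.(\d+)\s+(\S+)$")

def summarize(text, listening=frozenset(), anon_min=49152, anon_max=65535):
    """Tally TCP states and guess the direction of each connection.

    listening: local ports in LISTEN state (taken from `netstat -an`).
    anon_min/anon_max: ephemeral port range; assumed values, compare with
    net.inet.ip.anonportmin and net.inet.ip.anonportmax on the host.
    """
    states, direction, peers = Counter(), Counter(), set()
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header lines, UDP sockets, anything unparsable
        _, lport, raddr, _, state = m.groups()
        lport = int(lport)
        states[state] += 1
        if lport in listening:
            direction["inbound"] += 1      # remote host connected to our service
        elif anon_min <= lport <= anon_max:
            direction["outbound"] += 1     # a local process opened the connection
            peers.add(raddr)
        else:
            direction["unknown"] += 1
    return {"states": dict(states), "direction": dict(direction),
            "outbound_peers": len(peers)}

if __name__ == "__main__":
    print(summarize(SAMPLE, listening={22}))
```

A result dominated by outbound sockets to many distinct peers points at a local client process rather than at remote hosts connecting in.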