Date: Wed, 4 Feb 2015 12:02:33 -0800
From: Brian Buhrow <buhrow%nfbcal.org@localhost>
To: Christos Zoulas <christos%zoulas.com@localhost>,
6bone%6bone.informatik.uni-leipzig.de@localhost
Cc: current-users%NetBSD.org@localhost, buhrow%nfbcal.org@localhost
Subject: Re: DoS attack against TCP services

Hello. The output from the sample netstat indicates that some process
on the machine from which this output was taken is opening up a bunch of
connections to remote sites on port 53. I think it would be interesting to
know if all of these connections are generated from the same process or
not. I'm pretty sure you can get this behavior if a process fails to
close(2) a file descriptor after the connection has terminated. I wonder
if there's some rogue process running on this machine that's been badly
coded to give itself away by engaging in this bad behavior. Knowing
nothing else, I'd be concerned about a potential security breach on this
machine.
-thanks
-Brian
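
The check suggested in the message above, whether the port-53 connections all belong to one process, can be sketched as follows. This is an added example and not part of the original message; it assumes lsof is installed and that its `lsof -nP -iTCP` output is fed in, and the sample lines, process names and addresses are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample in the column layout of `lsof -nP -iTCP`
# (not output from the machine discussed in the thread).
SAMPLE = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
named     412 named  21u  IPv4 0xc1a0      0t0  TCP 10.0.0.5:53 (LISTEN)
named     412 named  34u  IPv4 0xc1b4      0t0  TCP 10.0.0.5:61022->192.0.2.10:53 (ESTABLISHED)
helper   2231 nobody  5u  IPv4 0xc2c8      0t0  TCP 10.0.0.5:50311->198.51.100.7:53 (CLOSE_WAIT)
helper   2231 nobody  6u  IPv4 0xc2d0      0t0  TCP 10.0.0.5:50312->198.51.100.8:53 (CLOSE_WAIT)
helper   2231 nobody  7u  IPv6 0xc2d8      0t0  TCP [2001:db8::5]:50313->[2001:db8::53]:53 (CLOSE_WAIT)
helper   2231 nobody  8u  IPv4 0xc2e0      0t0  TCP 10.0.0.5:50314->198.51.100.9:53 (ESTABLISHED)
sshd      655 root    4u  IPv4 0xc300      0t0  TCP 10.0.0.5:22->203.0.113.9:40112 (ESTABLISHED)
"""


def outbound_by_process(lsof_text, remote_port=53):
    """Map (command, pid) -> Counter of TCP states for sockets whose
    remote endpoint is remote_port."""
    result = defaultdict(Counter)
    for line in lsof_text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a TCP socket row.
        if len(fields) < 2 or not fields[1].isdigit() or "TCP" not in fields:
            continue
        i = fields.index("TCP")
        # Listening sockets have no "->remote" part in the NAME column.
        if i + 1 >= len(fields) or "->" not in fields[i + 1]:
            continue
        remote = fields[i + 1].split("->", 1)[1]
        # rsplit keeps bracketed IPv6 addresses intact.
        if remote.rsplit(":", 1)[-1] != str(remote_port):
            continue
        state = fields[i + 2].strip("()") if i + 2 < len(fields) else "UNKNOWN"
        result[(fields[0], int(fields[1]))][state] += 1
    return dict(result)


if __name__ == "__main__":
    # A socket the peer has closed but the process never close(2)d stays in
    # CLOSE_WAIT, so a single PID with a growing CLOSE_WAIT count stands out.
    for (cmd, pid), states in sorted(outbound_by_process(SAMPLE).items(),
                                     key=lambda kv: -sum(kv[1].values())):
        print(f"{cmd} (pid {pid}): {sum(states.values())} sockets {dict(states)}")
```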