Re: DoS attack against TCP services

[6bone%6bone.informatik.uni-leipzig.de@localhost]

Hello,

the process is the named (version: bind-9.10.1pl1). The outgoing 
connections are normal. stopping the named do not remove the TIME_WAIT 
connections.

there existist also other TIME_WAIT connections (maybe from ssh probes)

tcp        0      0  139.18.25.33.22        115.239.228.35.38653   TIME_WAIT

Killing the sshd does not remove the connections.


Regards
Uwe


On Wed, 4 Feb 2015, Brian Buhrow wrote:

> Date: Wed, 4 Feb 2015 12:02:33 -0800
> From: Brian Buhrow <buhrow%nfbcal.org@localhost>
> To: Christos Zoulas <christos%zoulas.com@localhost>,
>     6bone%6bone.informatik.uni-leipzig.de@localhost
> Cc: current-users%NetBSD.org@localhost, buhrow%nfbcal.org@localhost
> Subject: Re: DoS attack against TCP services
>
> 	Hello.  The output from the sample netstat indicates that some process
> on the machine from which this output was taken is opening up  a bunch of
> connections to remote sites on port 53.  I think it would be interesting to
> know if all of these connections are generated from the same process or
> not.  I'm pretty sure you can get this behavior if a process fails to
> close(2) a file descriptor after the connection has terminated.  I wonder
> if there's some rogue process running on this machine that's been badly
> coded to give itself away by engaging in this bad behavior.  Knowing
> nothing else, I'd be concerned about a potential security  breech on this
> machine.
> -thanks
> -Brian