Current-Users archive


Re: DoS attack against TCP services



Hello,

The process is the named daemon (version: bind-9.10.1pl1). The outgoing connections are normal. Stopping named does not remove the TIME_WAIT connections.

There also exist other TIME_WAIT connections (maybe from ssh probes):

tcp        0      0  139.18.25.33.22        115.239.228.35.38653   TIME_WAIT

Killing the sshd does not remove the connections.


Regards
Uwe


On Wed, 4 Feb 2015, Brian Buhrow wrote:

Date: Wed, 4 Feb 2015 12:02:33 -0800
From: Brian Buhrow <buhrow%nfbcal.org@localhost>
To: Christos Zoulas <christos%zoulas.com@localhost>,
    6bone%6bone.informatik.uni-leipzig.de@localhost
Cc: current-users%NetBSD.org@localhost, buhrow%nfbcal.org@localhost
Subject: Re: DoS attack against TCP services

Hello.  The output from the sample netstat indicates that some process
on the machine from which this output was taken is opening up a bunch of
connections to remote sites on port 53.  I think it would be interesting to
know if all of these connections are generated from the same process or
not.  I'm pretty sure you can get this behavior if a process fails to
close(2) a file descriptor after the connection has terminated.  I wonder
if there's some rogue process running on this machine that's been badly
coded to give itself away by engaging in this bad behavior.  Knowing
nothing else, I'd be concerned about a potential security breach on this
machine.
-thanks
-Brian
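As an added example (not part of the thread), a small Python parser for NetBSD-style `netstat -an` output that answers the question raised above: whether the TIME_WAIT sockets cluster on one remote port, and how many distinct peers they involve. It assumes the `host.port` address format seen in Uwe's quoted line; the sample lines are constructed.

```python
"""Summarise TIME_WAIT entries from NetBSD-style `netstat -an` output."""
import re
from collections import Counter

# NetBSD prints addresses as host.port, e.g. 139.18.25.33.22 or *.53;
# the last dot separates the port from the host.
ADDR_RE = re.compile(r"^(?P<host>.+)\.(?P<port>\d+|\*)$")


def split_addr(addr):
    """'139.18.25.33.22' -> ('139.18.25.33', '22'); '*.*' -> ('*', '*')."""
    m = ADDR_RE.match(addr)
    if not m:
        raise ValueError(f"unrecognised address: {addr}")
    return m.group("host"), m.group("port")


def parse_netstat(text):
    """Return (proto, lhost, lport, rhost, rport, state) for each tcp line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header lines and non-TCP sockets
        lhost, lport = split_addr(fields[3])
        rhost, rport = split_addr(fields[4])
        rows.append((fields[0], lhost, lport, rhost, rport, fields[5]))
    return rows


def time_wait_summary(rows):
    """Map remote port -> (number of TIME_WAIT sockets, distinct remote hosts)."""
    count = Counter()
    hosts = {}
    for _proto, _lhost, _lport, rhost, rport, state in rows:
        if state != "TIME_WAIT":
            continue
        count[rport] += 1
        hosts.setdefault(rport, set()).add(rhost)
    return {port: (n, len(hosts[port])) for port, n in count.items()}


# Constructed sample (only the first data line is from the thread).
SAMPLE = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  139.18.25.33.22        115.239.228.35.38653   TIME_WAIT
tcp        0      0  139.18.25.33.53        *.*                    LISTEN
tcp        0      0  139.18.25.33.61234     192.0.2.10.53          TIME_WAIT
tcp        0      0  139.18.25.33.61235     192.0.2.11.53          TIME_WAIT
tcp        0      0  139.18.25.33.61236     192.0.2.10.53          TIME_WAIT
tcp        0      0  139.18.25.33.61237     198.51.100.7.53        ESTABLISHED
"""

if __name__ == "__main__":
    for port, (n, peers) in sorted(time_wait_summary(parse_netstat(SAMPLE)).items()):
        print(f"remote port {port}: {n} TIME_WAIT sockets to {peers} host(s)")
```

TIME_WAIT entries are held by the kernel until their timer expires, which is why they outlive the process that owned the socket, as observed earlier in the thread; the per-port counts are what show whether the outbound port-53 queries are the source.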


