Subject: network freeze in current-19990312; weird ipmon output
To: None <current-users@netbsd.org>
From: Miles Nordin <carton@Ivy.NET>
List: current-users
Date: 03/28/1999 00:34:35
Quickly

I collected the following with ipmon and suspect a DoS attack because my
machine kept crashing before I installed the firewall.  Does anyone
recognize this?
28/03/1999 00:29:10.674507             ppp0 @0:12 b 210.163.57.33 -> 208.0.35.33 PR icmp len 20 28 icmp 8/0
28/03/1999 00:29:54.962483             ppp0 @0:18 b 210.163.57.33 -> 208.0.35.49 PR icmp len 20 28 icmp 8/0
28/03/1999 00:30:30.084935             ppp0 @0:16 b 210.163.57.33,58164 -> 208.0.35.49,38690 PR tcp len 20 60 -S
28/03/1999 00:30:30.205236             ppp0 @0:18 b 210.163.57.33,58153 -> 208.0.35.49,38690 PR udp len 20 328 
28/03/1999 00:30:31.218290             ppp0 @0:16 b 210.163.57.33,58164 -> 208.0.35.49,38690 PR tcp len 20 60 -S
28/03/1999 00:30:31.304707             ppp0 @0:18 b 210.163.57.33,58153 -> 208.0.35.49,38690 PR udp len 20 328 
28/03/1999 00:30:34.235615             ppp0 @0:16 b 210.163.57.33,58164 -> 208.0.35.49,43679 PR tcp len 20 60 -S
28/03/1999 00:30:34.356417             ppp0 @0:18 b 210.163.57.33,58153 -> 208.0.35.49,43679 PR udp len 20 328 
28/03/1999 00:30:35.462830             ppp0 @0:16 b 210.163.57.33,58164 -> 208.0.35.49,43679 PR tcp len 20 60 -S
28/03/1999 00:30:35.634651             ppp0 @0:18 b 210.163.57.33,58153 -> 208.0.35.49,43679 PR udp len 20 328 
28/03/1999 00:30:38.701609             ppp0 @0:18 b 210.163.57.33,58153 -> 208.0.35.49,41183 PR udp len 20 328 
28/03/1999 00:30:41.847063             ppp0 @0:16 b 210.163.57.33,58164 -> 208.0.35.49,41183 PR tcp len 20 60 -S
28/03/1999 00:30:41.933290             ppp0 @0:18 b 210.163.57.33,58153 -> 208.0.35.49,41183 PR udp len 20 328 


All The Boring Details

I have a SPARCstation 1 running current-19990312 that loses network
connectivity about two hours after it comes up, and it stays lost until a
reboot.  AFAIK it does not fully crash.  This has happened about ten times
over the last week.  The problem started suddenly, and I didn't make any
changes to software before it happened--this is my "stable" machine and
I leave it alone unless it breaks.

When the problem started, I installed a current-19990312 kernel, but not
userland.  I've been trying to install the userland, but the box is tended
only by an army of switch-flipping soldiers, so it needs to upgrade over
the 'net, and it won't stay up long enough to sup off my development box.

I have theories: it's behind a 24/7 dialup link that's been tricky in the
past, so maybe something happened at the ISP.  SPARC 1's are old, and it
has a hot disk in it, so maybe it's a hardware failure.

My leading theory is a DoS attack, since this would be the fourth such
attack I've had in the last two years.  I'm lucky enough to sysadmin for IRC
addicts.  Based on this suspicion, I installed the following firewall:

ipf -A -E -F a -f - << EOF
pass in quick proto udp from any port = domain to any port > 1024 keep frags
pass in quick proto tcp from any to 204.183.93.14/32 port = smtp keep frags
pass in quick proto tcp from any to 204.183.93.14/32 port = telnet keep frags
block in log body quick proto tcp from any to 204.183.93.14/32 flags S/SA
pass in quick proto tcp from any to 204.183.93.14/32
block in log body from any to 204.183.93.14/32
[..duplicate for two more interfaces, 208.0.35.33 and 208.0.35.49..]
EOF

Pardon my crudity, but I am inexperienced, and as I said I was racing
the clock.

The first time I put up this firewall, the machine crashed shortly
afterwards.  The second time was today--it stayed up, and thus I'm able to
write to you.

I collected the ipmon output above from this firewall, and would like to
know: is it likely to be the source of my problem, or is it an artifact of
this elaborate fantasy world I've constructed for myself?  Do you all
think I should check myself into a hospital (be honest, please!)?  If I'm
not doomed, how can I gather more data?

-- 
Miles Nordin / 1-888-857-2723
555 Bryant Street #182 / Palo Alto, CA 94301-1700
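As an added example, not part of the original post or of the ipfilter distribution, the following Python script parses ipmon(8) lines in the format quoted above and summarizes the blocked traffic per source host: which rules fired, which destinations and ports were hit, how many TCP packets were SYN-only, and how long the burst lasted. It embeds the thirteen lines from the post as constructed sample input. The line regex, the record fields and the `noisy_sources` threshold are this example's own assumptions, written against the output format shown in the post rather than the ipmon source, so lines from other ipmon versions may need the pattern adjusted. The script makes no claim about what the traffic is; it only answers the "how can I gather more data" question by turning a log into per-source counts that can be compared between uptime and freeze.

```python
"""Parse ipmon(8) block/pass lines and summarize traffic per source host.

Example code added to the post; not ipfilter's own tooling.  The field layout
is an assumption derived from the lines quoted in the message.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input: the ipmon lines quoted in the post above.
SAMPLE_LOG = """\
28/03/1999 00:29:10.674507             ppp0 @0:12 b 210.163.57.33 -> 208.0.35.33 PR icmp len 20 28 icmp 8/0
28/03/1999 00:29:54.962483             ppp0 @0:18 b 210.163.57.33 -> 208.0.35.49 PR icmp len 20 28 icmp 8/0
28/03/1999 00:30:30.084935             ppp0 @0:16 b 210.163.57.33,58164 -> 208.0.35.49,38690 PR tcp len 20 60 -S
28/03/1999 00:30:30.205236             ppp0 @0:18 b 210.163.57.33,58153 -> 208.0.35.49,38690 PR udp len 20 328
28/03/1999 00:30:31.218290             ppp0 @0:16 b 210.163.57.33,58164 -> 208.0.35.49,38690 PR tcp len 20 60 -S
28/03/1999 00:30:31.304707             ppp0 @0:18 b 210.163.57.33,58153 -> 208.0.35.49,38690 PR udp len 20 328
28/03/1999 00:30:34.235615             ppp0 @0:16 b 210.163.57.33,58164 -> 208.0.35.49,43679 PR tcp len 20 60 -S
28/03/1999 00:30:34.356417             ppp0 @0:18 b 210.163.57.33,58153 -> 208.0.35.49,43679 PR udp len 20 328
28/03/1999 00:30:35.462830             ppp0 @0:16 b 210.163.57.33,58164 -> 208.0.35.49,43679 PR tcp len 20 60 -S
28/03/1999 00:30:35.634651             ppp0 @0:18 b 210.163.57.33,58153 -> 208.0.35.49,43679 PR udp len 20 328
28/03/1999 00:30:38.701609             ppp0 @0:18 b 210.163.57.33,58153 -> 208.0.35.49,41183 PR udp len 20 328
28/03/1999 00:30:41.847063             ppp0 @0:16 b 210.163.57.33,58164 -> 208.0.35.49,41183 PR tcp len 20 60 -S
28/03/1999 00:30:41.933290             ppp0 @0:18 b 210.163.57.33,58153 -> 208.0.35.49,41183 PR udp len 20 328
"""

# Assumed layout (from the quoted lines):
#   DD/MM/YYYY HH:MM:SS.usec  iface @group:rule action src[,sport] -> dst[,dport]
#   PR proto len <hdrlen> <totlen> [trailing detail: "-S" flags, "icmp 8/0", ...]
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<tlen>\d+)(?: (?P<rest>.*))?$"
)


def parse_ipmon(text):
    """Return one dict per log line; raise on a line the pattern cannot read."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ipmon line: {line!r}")
        rec = m.groupdict()
        rec["when"] = datetime.strptime(
            f"{rec['date']} {rec['time']}", "%d/%m/%Y %H:%M:%S.%f")
        rec["sport"] = int(rec["sport"]) if rec["sport"] else None
        rec["dport"] = int(rec["dport"]) if rec["dport"] else None
        # ipmon prints TCP flags after the lengths; "-S" means SYN alone.
        rec["syn_only"] = rec["proto"] == "tcp" and rec["rest"] == "-S"
        records.append(rec)
    return records


def summarize_by_source(records):
    """Group records by source address and compute per-source counters."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    summary = {}
    for src, recs in by_src.items():
        times = [r["when"] for r in recs]
        summary[src] = {
            "packets": len(recs),
            "protos": Counter(r["proto"] for r in recs),
            "rules": sorted({f"@{r['group']}:{r['rule']}" for r in recs}),
            "dsts": sorted({r["dst"] for r in recs}),
            "dports": sorted({r["dport"] for r in recs if r["dport"] is not None}),
            "tcp_syn_only": sum(r["syn_only"] for r in recs),
            "span_seconds": (max(times) - min(times)).total_seconds(),
        }
    return summary


def noisy_sources(summary, min_packets=10):
    """Sources whose blocked-packet count meets an assumed threshold."""
    return [src for src, s in summary.items() if s["packets"] >= min_packets]


if __name__ == "__main__":
    summary = summarize_by_source(parse_ipmon(SAMPLE_LOG))
    for src, s in summary.items():
        print(src, s)
    print("noisy:", noisy_sources(summary))
```

Run it against a real ipmon log (for example `ipmon -o I /dev/ipl` piped to a file, or the syslog file ipmon writes to) with `parse_ipmon(open(path).read())`; the `noisy_sources` threshold is arbitrary and should be tuned to what the link normally carries.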