[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: DoS attack against TCP services
On Feb 4, 7:44pm, 6bone%6bone.informatik.uni-leipzig.de@localhost (6bone%6bone.informatik.uni-leipzig.de@localhost) wrote:
-- Subject: Re: DoS attack against TCP services
| Now the server has over 5000 TIME_WAIT connections.
| netstat -a -n | grep TIME_WAIT
| tcp 0 0 188.8.131.52.59256 184.108.40.206.53 TIME_WAIT
| tcp 0 0 220.127.116.11.59257 18.104.22.168.53 TIME_WAIT
| tcp 0 0 22.214.171.124.59258 126.96.36.199.53 TIME_WAIT
| tcp 0 0 188.8.131.52.59259 184.108.40.206.53 TIME_WAIT
| tcp 0 0 220.127.116.11.59260 18.104.22.168.53 TIME_WAIT
| tcp 0 0 22.214.171.124.59261 126.96.36.199.53 TIME_WAIT
| tcp 0 0 188.8.131.52.59262 184.108.40.206.53 TIME_WAIT
| tcp 0 0 220.127.116.11.59263 18.104.22.168.53 TIME_WAIT
| tcp 0 0 22.214.171.124.59264 126.96.36.199.53 TIME_WAIT
| It seems to be a result of the named. lsof shows that the connections are
| not owned by named. lsof doesn't show any of the TIME_WAIT connections. So
| stopping and restarting named doesn't delete the connections.
| Any more things that could be interessing for a problem report?
I'd start a tcpdump to record all traffic from your local machine going to port
53 on the appropriate interface...
I'd also look at the open descriptors of the named process (although they
should be closed at this time, since TIME_WAIT means closed on this side,
and waiting for the 4 minutes to expire before killing the connection)...
Also I'd record that information every minute or so to see how many
connections are added and how many are going away.
Perhaps there is some bug triggered in the tcp stack and somehow connections
are not being GC'ed?
Main Index |
Thread Index |