[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: DoS attack against TCP services
hello. I'd suggest capturing the output of netstat -An. The first
column of that output should be the address of the socket associated with
each of the connections. For each connection in time_wait state, you
should be able to perform an fstat |grep for the address in column 1 of the
netstat -An output. This should tell you which process or processes all
of these connections are tied to.
Active Internet connections
PCB Proto Recv-Q Send-Q Local Address Foreign Address State
c6b9602c tcp 0 0 x.x.230.11.993 x.x.59.250.23892 ESTABL
%fstat |grep c6b9602c
buhrow imapd 26858 0* internet stream tcp c6b9602c x.x.230.11:993 <-> x.x.59.250:23892
buhrow imapd 26858 1* internet stream tcp c6b9602c x.x.230.11:993 <-> x.x.59.250:23892
The bug could be as simple as the daemon that's responsible for these
connections failing to close the sockets once the connections terminate.
On Feb 4, 7:44pm, 6bone%6bone.informatik.uni-leipzig.de@localhost wrote:
} Subject: Re: DoS attack against TCP services
} Now the server has over 5000 TIME_WAIT connections.
} netstat -a -n | grep TIME_WAIT
} tcp 0 0 18.104.22.168.59256 22.214.171.124.53 TIME_WAIT
} tcp 0 0 126.96.36.199.59257 188.8.131.52.53 TIME_WAIT
} tcp 0 0 184.108.40.206.59258 220.127.116.11.53 TIME_WAIT
} tcp 0 0 18.104.22.168.59259 22.214.171.124.53 TIME_WAIT
} tcp 0 0 126.96.36.199.59260 188.8.131.52.53 TIME_WAIT
} tcp 0 0 184.108.40.206.59261 220.127.116.11.53 TIME_WAIT
} tcp 0 0 18.104.22.168.59262 22.214.171.124.53 TIME_WAIT
} tcp 0 0 126.96.36.199.59263 188.8.131.52.53 TIME_WAIT
} tcp 0 0 184.108.40.206.59264 220.127.116.11.53 TIME_WAIT
} It seems to be a result of the named. lsof shows that the connections are
} not owned by named. lsof doesn't show any of the TIME_WAIT connections. So
} stopping and restarting named doesn't delete the connections.
} Any more things that could be interessing for a problem report?
} On Wed, 4
} 2015, Christos Zoulas wrote:
} > Date: Wed, 4 Feb 2015 15:40:00 +0000 (UTC)
} > From: Christos Zoulas <christos%astron.com@localhost>
} > To: current-users%netbsd.org@localhost
} > Subject: Re: DoS attack against TCP services
} > In article <Pine.NEB.4.64.1502041602460.812%6bone.informatik.uni-leipzig.de@localhost>,
} > <6bone%6bone.informatik.uni-leipzig.de@localhost> wrote:
} >> Hello,
} >> The problem occurred again. The kernel has over 3,000 connections in
} >> TIME_WAIT state. The compounds are after an hour wait not disappeared.
} >> There are more and more connections in the TIME_WAIT state. My settings
} >> are:
} >> net.inet.tcp.mslt.enable = 1
} >> net.inet.tcp.mslt.loopback = 2
} >> net.inet.tcp.mslt.local = 10
} >> net.inet.tcp.mslt.remote = 60
} >> net.inet.tcp.mslt.remote_threshold = 6
} >> The last few times I have restarted the server in order to solve the
} >> problem. Frequent reboots but very inconvenient for a server.
} >> Does anyone have instructions what information I can still gather to post
} >> a bug report? The statement "connections in the TIME_WAIT status are not
} >> degraded" are probably not sufficient to find the problem.
} >> Thank you for your efforts
} > Can you find what daemon/process is being connected to and from where?
} > christos
>-- End of excerpt from 6bone%6bone.informatik.uni-leipzig.de@localhost
Main Index |
Thread Index |