Current-Users archive


Re: DoS attack against TCP services


The process is the named (version: bind-9.10.1pl1). The outgoing connections are normal. Stopping the named does not remove the TIME_WAIT connections.

There also exist other TIME_WAIT connections (maybe from ssh probes)

tcp        0      0   TIME_WAIT

Killing the sshd does not remove the connections.


On Wed, 4 Feb 2015, Brian Buhrow wrote:

Date: Wed, 4 Feb 2015 12:02:33 -0800
From: Brian Buhrow <>
To: Christos Zoulas <>,
Subject: Re: DoS attack against TCP services

	Hello.  The output from the sample netstat indicates that some process
on the machine from which this output was taken is opening up a bunch of
connections to remote sites on port 53.  I think it would be interesting to
know if all of these connections are generated from the same process or
not.  I'm pretty sure you can get this behavior if a process fails to
close(2) a file descriptor after the connection has terminated.  I wonder
if there's some rogue process running on this machine that's been badly
coded to give itself away by engaging in this bad behavior.  Knowing
nothing else, I'd be concerned about a potential security breach on this
