At ~07:40 (UTC-4:00) this morning our gateway host lost its WAN Ethernet
adaptor. Subsequent to recovery, which required a reboot, the following
entries were found in /var/log/messages:

Jun 6 07:39:50 gway02 kernel: PING_FLOOD: IN=eth0 OUT= MAC=00:25:90:61:74:c0:00:24:14:2b:f2:80:08:00 SRC=74.205.112.125 DST=216.185.71.33 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=30954 PROTO=ICMP TYPE=8 CODE=0 ID=25496 SEQ=0
Jun 6 07:39:53 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1 SRC=122.235.101.24 DST=216.185.71.249 LEN=52 TOS=0x08 PREC=0x20 TTL=45 ID=26123 DF PROTO=TCP SPT=54197 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jun 6 07:40:49 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1 SRC=183.179.211.126 DST=216.185.71.132 LEN=48 TOS=0x08 PREC=0x40 TTL=111 ID=14994 PROTO=UDP SPT=35947 DPT=49591 LEN=28
Jun 6 07:40:49 gway02 kernel: pciehp 0000:00:1c.4:pcie04: Card not present on Slot(0-1)
Jun 6 07:40:49 gway02 kernel: e1000e 0000:02:00.0: eth0: removed PHC
Jun 6 07:40:49 gway02 kernel: pciehp 0000:00:1c.4:pcie04: Card present on Slot(0-1)
Jun 6 07:40:50 gway02 kernel: e1000e 0000:02:00.0: eth0: Timesync Tx Control register not set as expected
Jun 6 07:40:50 gway02 kernel: e1000e 0000:02:00.0: PCI INT A disabled
Jun 6 07:40:51 gway02 ntpd[1238]: Deleting interface #67 eth0, fe80::225:90ff:fe61:74c0#123, interface stats: received=0, sent=0, dropped=0, active_time=229449 secs
Jun 6 07:40:51 gway02 ntpd[1238]: Deleting interface #57 eth0, 216.185.64.54#123, interface stats: received=1122, sent=1122, dropped=0, active_time=229449 secs
Jun 6 07:40:51 gway02 ntpd[1238]: 24.72.103.44 interface 216.185.64.54 -> (none)

lspci -tv # provides this device tree

-[0000:00]-+-00.0  Intel Corporation Atom Processor D4xx/D5xx/N4xx/N5xx DMI Bridge
           . . .
           +-1c.0-[01]--
           +-1c.4-[02]----00.0  Intel Corporation 82574L Gigabit Network Connection
           +-1c.5-[03]----00.0  Intel Corporation 82574L Gigabit Network Connection
           . . .

lspci -v -nn -k -qq -D # provides this information:

. . .
0000:02:00.0 Ethernet controller [0200]: Intel Corporation 82574L Gigabit Network Connection [8086:10d3]
        Subsystem: Super Micro Computer Inc Device [15d9:10d3]
        Physical Slot: 0-1
        Flags: bus master, fast devsel, latency 0, IRQ 16
        Memory at fe9e0000 (32-bit, non-prefetchable) [size=128K]
        I/O ports at dc00 [size=32]
        Memory at fe9dc000 (32-bit, non-prefetchable) [size=16K]
        Capabilities: [c8] Power Management version 2
        Capabilities: [d0] MSI: Enable- Count=1/1 Maskable- 64bit+
        Capabilities: [e0] Express Endpoint, MSI 00
        Capabilities: [a0] MSI-X: Enable+ Count=5 Masked-
        Capabilities: [100] Advanced Error Reporting
        Capabilities: [140] Device Serial Number 00-25-90-ff-ff-61-74-c0
        Kernel driver in use: e1000e
        Kernel modules: e1000e
. . .

I have never run into this before. Can anyone cast any light on what might be
going on? Is this an incipient hardware failure with one of the on-board PCI
Ethernet adaptors? Is there any relationship with the syn flood that was
blacklisted immediately before the failure? I do not think so but I need to
ask.

Thanks,

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
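One way to answer James's last question from the log itself is to put the netfilter LOG hits and the pciehp/e1000e hot-plug messages on one timeline and see what was logged in the seconds before the "Card not present" event. The script below is an added example and not part of the thread; it parses traditional syslog lines (the year is not in the timestamp, so 2014 is assumed from the thread's date headers), splits the iptables LOG output into key/value fields, and lists the firewall hits that fall in a window before each NIC loss. The sample log is constructed from the entries above, re-joined onto one line each. Adjacency in time is all it shows; it does not by itself prove that the traffic caused the loss.

```python
"""Correlate netfilter LOG hits with PCIe hot-plug / e1000e events in syslog."""
import re
import sys
from datetime import datetime, timedelta

# Constructed sample: the entries from the post above, one per line.
SAMPLE_LOG = """\
Jun  6 07:39:50 gway02 kernel: PING_FLOOD: IN=eth0 OUT= MAC=00:25:90:61:74:c0:00:24:14:2b:f2:80:08:00 SRC=74.205.112.125 DST=216.185.71.33 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=30954 PROTO=ICMP TYPE=8 CODE=0 ID=25496 SEQ=0
Jun  6 07:39:53 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1 SRC=122.235.101.24 DST=216.185.71.249 LEN=52 TOS=0x08 PREC=0x20 TTL=45 ID=26123 DF PROTO=TCP SPT=54197 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jun  6 07:40:49 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1 SRC=183.179.211.126 DST=216.185.71.132 LEN=48 TOS=0x08 PREC=0x40 TTL=111 ID=14994 PROTO=UDP SPT=35947 DPT=49591 LEN=28
Jun  6 07:40:49 gway02 kernel: pciehp 0000:00:1c.4:pcie04: Card not present on Slot(0-1)
Jun  6 07:40:49 gway02 kernel: e1000e 0000:02:00.0: eth0: removed PHC
Jun  6 07:40:49 gway02 kernel: pciehp 0000:00:1c.4:pcie04: Card present on Slot(0-1)
Jun  6 07:40:50 gway02 kernel: e1000e 0000:02:00.0: eth0: Timesync Tx Control register not set as expected
Jun  6 07:40:50 gway02 kernel: e1000e 0000:02:00.0: PCI INT A disabled
Jun  6 07:40:51 gway02 ntpd[1238]: Deleting interface #57 eth0, 216.185.64.54#123, interface stats: received=1122, sent=1122, dropped=0, active_time=229449 secs
"""

# Traditional syslog: "Mon dd HH:MM:SS host prog[pid]: message" (no year in the timestamp).
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# iptables LOG target output: "<--log-prefix>: IN=... OUT=... SRC=... DST=... ..."
NETFILTER_RE = re.compile(r"^(?P<prefix>[A-Za-z0-9_-]+): (?P<fields>IN=.*)$")
# PCIe hot-plug and e1000e driver messages: "<driver> <pci address>: <detail>"
NIC_RE = re.compile(r"^(?P<driver>pciehp|e1000e) (?P<pci>\S+): (?P<detail>.*)$")


def split_fields(text):
    """Turn 'K=V K=V FLAG ...' into a dict plus a set of bare flags (DF, SYN, ...).
    Duplicate keys keep the first value: in the ICMP line the IP header ID
    precedes the echo-request ID."""
    fields, flags = {}, set()
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields.setdefault(key, value)
        else:
            flags.add(tok)
    return fields, flags


def parse_syslog_line(line, year=2014):
    """Parse one syslog line into an event dict, or None if it is not one.
    The year is assumed because the timestamp does not carry it."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    event = {"time": when, "host": m["host"], "prog": m["prog"], "pid": m["pid"],
             "msg": m["msg"], "kind": "other"}
    if m["prog"] == "kernel":
        nf = NETFILTER_RE.match(m["msg"])
        if nf:
            fields, flags = split_fields(nf["fields"])
            event.update(kind="netfilter", prefix=nf["prefix"], fields=fields, flags=flags)
        else:
            nic = NIC_RE.match(m["msg"])
            if nic:
                event.update(kind="nic", driver=nic["driver"], pci=nic["pci"], detail=nic["detail"])
    return event


def parse_log(text, year=2014):
    """Parse every line, dropping those that do not look like syslog entries."""
    events = (parse_syslog_line(line, year) for line in text.splitlines())
    return [e for e in events if e is not None]


def hits_before_nic_loss(events, window_seconds=60):
    """For each 'Card not present' hot-plug event, collect the netfilter hits
    logged in the preceding window (inclusive of the same second)."""
    window = timedelta(seconds=window_seconds)
    results = []
    for ev in events:
        if ev["kind"] != "nic" or "Card not present" not in ev["detail"]:
            continue
        hits = [e for e in events
                if e["kind"] == "netfilter" and ev["time"] - window <= e["time"] <= ev["time"]]
        results.append({"nic_event": ev, "hits": hits})
    return results


def report(results):
    """Render the correlation as plain text lines: one per NIC loss, one per hit."""
    lines = []
    for r in results:
        ev = r["nic_event"]
        lines.append(f"{ev['time']:%b %d %H:%M:%S} {ev['driver']} {ev['pci']}: {ev['detail']}")
        for h in r["hits"]:
            ago = int((ev["time"] - h["time"]).total_seconds())
            f = h["fields"]
            lines.append(f"  -{ago:3d}s {h['prefix']} {f.get('PROTO')} {f.get('SRC')}"
                         f" -> {f.get('DST')}:{f.get('DPT', '-')}"
                         f" flags={','.join(sorted(h['flags'])) or '-'}")
    return lines


if __name__ == "__main__":
    # Usage: python3 nic_timeline.py /var/log/messages   (defaults to the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(hits_before_nic_loss(parse_log(text)))))
```

With the 60-second default all three firewall hits land inside the window before the 07:40:49 loss; narrowing the window to 30 seconds leaves only the UDP probe logged in the same second, which is the kind of distinction worth making before reading anything into the coincidence.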
James B. Byrne wrote:
> At ~07:40 (UTC-4:00) this morning our gateway host lost its WAN Ethernet
> adaptor. Subsequent to recovery, which required a reboot, the following
> entries were found in /var/log/messages:
>
> Jun 6 07:39:50 gway02 kernel: PING_FLOOD: IN=eth0 OUT= MAC=00:25:90:61:74:c0:00:24:14:2b:f2:80:08:00 SRC=74.205.112.125 DST=216.185.71.33 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=30954 PROTO=ICMP TYPE=8 CODE=0 ID=25496 SEQ=0
> Jun 6 07:39:53 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1 SRC=122.235.101.24

Well, let's start with you being probed/attacked from China:

whois 122.235.101.24
<snip>
inetnum:        122.235.0.0 - 122.235.127.255
netname:        CHINANET-ZJ-HZ
country:        CN
descr:          CHINANET-ZJ Hangzhou node network
descr:          Zhejiang Telecom
<...>
role:           CHINANET-ZJ Hangzhou
address:        No.352 Tiyuchang Road,Hangzhou,Zhejiang.310003
country:        CN
phone:          +86-571-85157929
fax-no:         +86-571-85102776
e-mail:         anti_spam at mail.hz.zj.cn
remarks:        send spam reports to anti_spam at mail.hz.zj.cn
remarks:        and abuse reports to anti_spam at mail.hz.zj.cn

> DST=216.185.71.249 LEN=52 TOS=0x08 PREC=0x20 TTL=45 ID=26123 DF PROTO=TCP SPT=54197 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
> Jun 6 07:40:49 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1 SRC=183.179.211.126

And whois reports the puppy above is not only from Hong Kong, but

remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:        This object can only be updated by APNIC hostmasters.
remarks:        To update this object, please contact APNIC
remarks:        hostmasters and include your organisation's account
remarks:        name in the subject line.
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+

which suggests that the IP or range or domain is an ex....
<snip>

So, next question is, is the card working again? If so, then this is an
attack I've not heard of, that affects what's this, layer 0?

     mark
On 06.06.2014 14:50, James B. Byrne wrote:
> At ~07:40 (UTC-4:00) this morning our gateway host lost its WAN Ethernet
> adaptor. Subsequent to recovery, which required a reboot, the following
[ ... ]
> lspci -tv # provides this device tree
>
> -[0000:00]-+-00.0  Intel Corporation Atom Processor D4xx/D5xx/N4xx/N5xx DMI Bridge
>            . . .
>            +-1c.0-[01]--
>            +-1c.4-[02]----00.0  Intel Corporation 82574L Gigabit Network Connection
>            +-1c.5-[03]----00.0  Intel Corporation 82574L Gigabit Network Connection
>            . . .
>
> lspci -v -nn -k -qq -D # provides this information:
>
> . . .
> 0000:02:00.0 Ethernet controller [0200]: Intel Corporation 82574L Gigabit Network Connection [8086:10d3]
>         Subsystem: Super Micro Computer Inc Device [15d9:10d3]
>         Physical Slot: 0-1
>         Flags: bus master, fast devsel, latency 0, IRQ 16
>         Memory at fe9e0000 (32-bit, non-prefetchable) [size=128K]
>         I/O ports at dc00 [size=32]
>         Memory at fe9dc000 (32-bit, non-prefetchable) [size=16K]
>         Capabilities: [c8] Power Management version 2
>         Capabilities: [d0] MSI: Enable- Count=1/1 Maskable- 64bit+
>         Capabilities: [e0] Express Endpoint, MSI 00
>         Capabilities: [a0] MSI-X: Enable+ Count=5 Masked-
>         Capabilities: [100] Advanced Error Reporting
>         Capabilities: [140] Device Serial Number 00-25-90-ff-ff-61-74-c0
>         Kernel driver in use: e1000e
>         Kernel modules: e1000e
> . . .
>
> I have never run into this before. Can anyone cast any light on what might be
> going on? Is this an incipient hardware failure with one of the on-board PCI
> Ethernet adaptors? Is there any relationship with the syn flood that was
> blacklisted immediately before the failure? I do not think so but I need to
> ask.
>
> Thanks,

https://isc.sans.edu/forums/diary/Intel+Network+Card+82574L+Packet+of+Death/15109
http://www.itwalker3.com/2013/02/packet-of-death-attack-a-deadly-dos-against-intel-nics/

Worth verifying in your case.

Alexander
On 06/06/2014 08:50 AM, James B. Byrne wrote:
> At ~07:40 (UTC-4:00) this morning our gateway host lost its WAN Ethernet
> adaptor. Subsequent to recovery, which required a reboot, the following
> entries were found in /var/log/messages:
>
> Jun 6 07:39:50 gway02 kernel: PING_FLOOD: IN=eth0 OUT= MAC=00:25:90:61:74:c0:00:24:14:2b:f2:80:08:00 SRC=74.205.112.125 DST=216.185.71.33 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=30954 PROTO=ICMP TYPE=8 CODE=0 ID=25496 SEQ=0
> Jun 6 07:39:53 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1 SRC=122.235.101.24 DST=216.185.71.249 LEN=52 TOS=0x08 PREC=0x20 TTL=45 ID=26123 DF PROTO=TCP SPT=54197 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
> Jun 6 07:40:49 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1 SRC=183.179.211.126 DST=216.185.71.132 LEN=48 TOS=0x08 PREC=0x40 TTL=111 ID=14994 PROTO=UDP SPT=35947 DPT=49591 LEN=28
> Jun 6 07:40:49 gway02 kernel: pciehp 0000:00:1c.4:pcie04: Card not present on Slot(0-1)
> Jun 6 07:40:49 gway02 kernel: e1000e 0000:02:00.0: eth0: removed PHC
> Jun 6 07:40:49 gway02 kernel: pciehp 0000:00:1c.4:pcie04: Card present on Slot(0-1)
> Jun 6 07:40:50 gway02 kernel: e1000e 0000:02:00.0: eth0: Timesync Tx Control register not set as expected
> Jun 6 07:40:50 gway02 kernel: e1000e 0000:02:00.0: PCI INT A disabled
> Jun 6 07:40:51 gway02 ntpd[1238]: Deleting interface #67 eth0, fe80::225:90ff:fe61:74c0#123, interface stats: received=0, sent=0, dropped=0, active_time=229449 secs
> Jun 6 07:40:51 gway02 ntpd[1238]: Deleting interface #57 eth0, 216.185.64.54#123, interface stats: received=1122, sent=1122, dropped=0, active_time=229449 secs
> Jun 6 07:40:51 gway02 ntpd[1238]: 24.72.103.44 interface 216.185.64.54 -> (none)
>
> lspci -tv # provides this device tree
>
> -[0000:00]-+-00.0  Intel Corporation Atom Processor D4xx/D5xx/N4xx/N5xx DMI Bridge
>            . . .
>            +-1c.0-[01]--
>            +-1c.4-[02]----00.0  Intel Corporation 82574L Gigabit Network Connection
>            +-1c.5-[03]----00.0  Intel Corporation 82574L Gigabit Network Connection
>            . . .
>
> lspci -v -nn -k -qq -D # provides this information:
>
> . . .
> 0000:02:00.0 Ethernet controller [0200]: Intel Corporation 82574L Gigabit Network Connection [8086:10d3]
>         Subsystem: Super Micro Computer Inc Device [15d9:10d3]
>         Physical Slot: 0-1
>         Flags: bus master, fast devsel, latency 0, IRQ 16
>         Memory at fe9e0000 (32-bit, non-prefetchable) [size=128K]
>         I/O ports at dc00 [size=32]
>         Memory at fe9dc000 (32-bit, non-prefetchable) [size=16K]
>         Capabilities: [c8] Power Management version 2
>         Capabilities: [d0] MSI: Enable- Count=1/1 Maskable- 64bit+
>         Capabilities: [e0] Express Endpoint, MSI 00
>         Capabilities: [a0] MSI-X: Enable+ Count=5 Masked-
>         Capabilities: [100] Advanced Error Reporting
>         Capabilities: [140] Device Serial Number 00-25-90-ff-ff-61-74-c0
>         Kernel driver in use: e1000e
>         Kernel modules: e1000e
> . . .
>
> I have never run into this before. Can anyone cast any light on what might be
> going on? Is this an incipient hardware failure with one of the on-board PCI
> Ethernet adaptors? Is there any relationship with the syn flood that was
> blacklisted immediately before the failure? I do not think so but I need to
> ask.
>
> Thanks,
>
Hi,

We ran into this problem also - the interface would disappear. There is a
newer e1000e driver that fixes it or you could add pcie_aspm=off to your
kernel command line.

HTH,
Steve

-- 
Stephen Clark
NetWolves Managed Services, LLC.
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com
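Steve's reply gives two things to check on any similar gateway: whether the host actually carries the 82574L (PCI id 8086:10d3, as in James's lspci output) and whether the pcie_aspm=off workaround is on the running kernel's command line. The script below is an added example, not code from the thread or from either poster. It parses lspci -nn output, inspects /proc/cmdline, and reports the loaded e1000e version from /sys/module/e1000e/version so you can compare it against whatever you consider "newer"; the thread names no version, so the script does not judge that part. The lspci sample is constructed, and the first line in it uses a placeholder device id.

```python
"""Report 82574L presence and the pcie_aspm=off workaround on a Linux host."""
import re
import subprocess
from pathlib import Path

# PCI vendor:device id of the Intel 82574L, from the lspci -nn output in the thread.
INTEL_82574L = "8086:10d3"

# Constructed sample of `lspci -nn` output. The bridge line carries a placeholder
# id ([8086:0000]) because the thread does not show the real one.
SAMPLE_LSPCI = """\
00:00.0 Host bridge [0600]: Intel Corporation Atom Processor D4xx/D5xx/N4xx/N5xx DMI Bridge [8086:0000]
02:00.0 Ethernet controller [0200]: Intel Corporation 82574L Gigabit Network Connection [8086:10d3]
03:00.0 Ethernet controller [0200]: Intel Corporation 82574L Gigabit Network Connection [8086:10d3]
"""

# lspci -nn line: "<slot> <class> [<class id>]: <description> [<vendor>:<device>] (rev xx)"
LSPCI_RE = re.compile(
    r"^(?P<slot>\S+) (?P<cls>[^\[]+) \[(?P<clsid>[0-9a-f]{4})\]: "
    r"(?P<desc>.+?) \[(?P<id>[0-9a-f]{4}:[0-9a-f]{4})\](?: \(rev [0-9a-f]+\))?$")


def find_devices(lspci_text, device_id=INTEL_82574L):
    """Return [(slot, description)] for every line whose vendor:device id matches."""
    found = []
    for line in lspci_text.splitlines():
        m = LSPCI_RE.match(line.strip())
        if m and m["id"] == device_id:
            found.append((m["slot"], m["desc"]))
    return found


def aspm_disabled(cmdline):
    """True only if the kernel command line carries the exact token pcie_aspm=off."""
    return "pcie_aspm=off" in cmdline.split()


def assess(lspci_text, cmdline, driver_version=None):
    """Combine the checks into one verdict. 'needs_attention' is set when the NIC is
    present and ASPM has not been disabled; the driver version is reported, not judged."""
    nics = find_devices(lspci_text)
    aspm_off = aspm_disabled(cmdline)
    return {
        "nics": nics,
        "affected": bool(nics),
        "aspm_off": aspm_off,
        "driver_version": driver_version,
        "needs_attention": bool(nics) and not aspm_off,
    }


def read_if_exists(path):
    """Read a small text file (e.g. /proc/cmdline), returning None if it is absent."""
    p = Path(path)
    return p.read_text().strip() if p.exists() else None


if __name__ == "__main__":
    # Live run: needs lspci installed; /sys/module/e1000e/version exists only when
    # the module is loaded and exports a version string.
    lspci = subprocess.run(["lspci", "-nn"], capture_output=True, text=True, check=True).stdout
    verdict = assess(lspci, read_if_exists("/proc/cmdline") or "",
                     read_if_exists("/sys/module/e1000e/version"))
    for slot, desc in verdict["nics"]:
        print(f"82574L at {slot}: {desc}")
    print(f"pcie_aspm=off on cmdline: {verdict['aspm_off']}")
    print(f"loaded e1000e version: {verdict['driver_version'] or 'module not loaded'}")
    if verdict["needs_attention"]:
        print("82574L present and ASPM still enabled: update e1000e or add pcie_aspm=off")
    else:
        print("OK")
```

Matching on the exact token matters: pcie_aspm=force is also a valid setting and does the opposite of what you want here, so a substring check on "pcie_aspm" would give a false sense of safety.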