Ok, I have a recurring problem with my webserver. Once a day or so it gets locked into a loop with some random server usually somewhere in my ISP. When it does this, it spends all of its time spitting out packets and getting FIN, ACKs back. Shutting down the HTTP server doesn't stop the traffic. I have to create firewall rules to block the outgoing traffic to stop it. Wiping the disk and reinstalling from the CD didn't help either. This host is behind a NAT (A D-Link DI-604 router). Is this a bad packet injection attack, a bug, or has my box been compromised? This problem has persisted from when the box was 5.4 all the way to it's current 6.0 life. Sadly, I cannot upgrade it beyond 6.0 Release at the moment because it has a proprietary vendor binary kernel module for the RAID array, and the newest version they have is for 6.0. Here's a short tcpdump of the traffic when it happens, these packets are going out at a rate of thousands per second. The 192.168.42.2 is the local host and 192.76.86.83 is the apparently random victim: 09:36:51.056914 IP (tos 0x0, ttl 64, id 57273, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.42.2.80 > 192.76.86.83.22929: ., cksum 0xd1b3 (correct), 0:0(0) ack 0 win 33120 <nop,nop,timestamp 147178754 27589156> 09:36:51.059404 IP (tos 0x0, ttl 51, id 61707, offset 0, flags [none], proto: TCP (6), length: 52) 192.76.86.83.22929 > 192.168.42.2.80: F, cksum 0x5331 (correct), 0:0(0) ack 1 win 65535 <nop,nop,timestamp 27589156 147178723> 09:36:51.059469 IP (tos 0x0, ttl 64, id 57274, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.42.2.80 > 192.76.86.83.22929: ., cksum 0xd1b0 (correct), 0:0(0) ack 0 win 33120 <nop,nop,timestamp 147178757 27589156> 09:36:51.060004 IP (tos 0x0, ttl 51, id 61709, offset 0, flags [none], proto: TCP (6), length: 52) 192.76.86.83.22929 > 192.168.42.2.80: F, cksum 0x5331 (correct), 0:0(0) ack 1 win 65535 <nop,nop,timestamp 27589156 147178723>
On Oct 18, 2006, at 1:07 PM, Andresen, Jason R. wrote:> Ok, I have a recurring problem with my webserver. Once a day or so it > gets locked into a loop with some random server usually somewhere > in my > ISP. When it does this, it spends all of its time spitting out > packets > and getting FIN, ACKs back. > > Shutting down the HTTP server doesn't stop the traffic. I have to > create firewall rules to block the outgoing traffic to stop it.Frankly, this sounds more like the random remote host has been compromised, rather than your machine, and it is scanning the network for other hosts to attack. What URLs are being requested (check the http logs)?> Here's a short tcpdump of the traffic when it happens, these packets > are going out at a rate of thousands per second. The 192.168.42.2 is > the local host and 192.76.86.83 is the apparently random victim:I'd talk to verizon.com and ask them what is going on from their side with that host... -- -Chuck
On Wed, Oct 18, 2006 at 04:07:14PM -0400, Andresen, Jason R. wrote:> Ok, I have a recurring problem with my webserver. Once a day or so it > gets locked into a loop with some random server usually somewhere in my > ISP. When it does this, it spends all of its time spitting out packets > and getting FIN, ACKs back. > > Shutting down the HTTP server doesn't stop the traffic. I have to > create firewall rules to block the outgoing traffic to stop it. Wiping > the disk and reinstalling from the CD didn't help either. This host is > behind a NAT (A D-Link DI-604 router). Is this a bad packet injection > attack, a bug, or has my box been compromised?And let me guess: your DI-604 is set to port forward TCP 80 to 192.168.42.2 (rather than make 192.168.42.2 the DMZ host). I recommend removing the DI-604 from the topology and see if the problem continues. Gut feeling (based on past experience with D-Link's residential products) is the problem will disappear. You'll have to trust me on this -- no matter how reliable you think the DI-series units are ("It works fine for me!"), they aren't. There are major IP stack implementation issues with these units (same with the DI-614+). Thoroughly scan the D-Link forum on www.broadbandreports.com for details of these problems. The IP stack on those units is awful. Consider picking up a WRT54GL (which runs Linux; sure, I'd prefer they run BSD, but I'll trust Linux's IP stack over some third-party out-of-country IP stack any day of the week). Do not go with a WRT54G (because you won't know what version you get; Linux-based or VxWorks-based (which has other IP stack problems), nor a WRT54GS (same risk (Linux vs. VxWorks)). -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB |