[ale] Em

jj at spiderentertainment.com jj at spiderentertainment.com
Sun Oct 10 12:48:54 EDT 1999


That sounds like a good idea, but I can not do this, I can not take the
machine offline, what I am working on is a packet sniffer, I just need
some good rules to filter, as we do about 4Mb per sec. 

The thing is it does not look like they are doing any damage (assuming
this is an attack of some sort). The server still runs, and so does
everything on it. 

Regardless, as anyone, I want this to go away, and as long as it happens,
I have to investigate it. If it is attack..... 

argh, this is giving me a real headache. 

thx.


On Sun, 10 Oct 1999, Joe Knapka wrote:

> Does this happen consistently, every so often, just
> once, or what? Might be a good idea to just physically
> take the machine off the network, boot it, and see if
> you get the same oops. If you don't, then send it a
> SYN flood from itself. If you get the oops, then
> chances are the problem is in the syncookie code (and
> someone is really attacking your site). A quick Google
> search turned up a number of sources of SYN flood
> programs, which of course you should look at carefully
> before using.
> 
> -- Joe Knapka
> 
> Joe Steele wrote:
> > 
> > I doubt there are any IP addresses in the hex data that was dumped to the
> > log.  On the other hand, the SYN flood warnings in your log do give you
> > source IP addresses.  Those will be the only source info that's available.
> >  Unfortunately, if you were in fact subjected to a SYN attack, then the
> > attacker would likely have used a phony source address anyway, making it
> > difficult if not impossible to trace back.
> > 
> > I don't have much to suggest as far as a solution.  It's conceivable that
> > it's not even an actual attack, but is caused by something else.  As I
> > think I said before, SYN flooding may interfere with network traffic, but
> > it shouldn't cause an oops message.  Possibly a tcpdump on the network
> > interface would show something that confirms an attack.
> > 
> > You might try running your logs past the linux-net at vger.rutgers.edu mailing
> > list.  (the list can be joined by sending e-mail to
> > majordomo at vger.rutgers.edu with 'subscribe linux-net' in the body.)
> > 
> > --Joe
> > 
> > -----Original Message-----
> > From:   jj at spiderentertainment.com [SMTP:jj at spiderentertainment.com]
> > Sent:   Friday, October 08, 1999 5:25 PM
> > To:     ale at ale.org
> > Subject:        Re: [ale] Em
> > 
> > In these HEX numbers, is there an IP address I can extract ?
> 
> -- Joe Knapka
> * I speak only for myself, not for The Software Monastery,
> * which exists solely to provide an organization for which
> * I can claim not to speak.
> * http://whyme.penguinpowered.com/monastery.html
> 
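The thread ends without showing how to actually confirm a SYN flood from a capture on a link that cannot be taken down. Below is an added example (not code from the ale list, from any of the posters, or from the tcpdump project) that does the defender's half of that: it reads tcpdump's text output and flags SYN bursts. It assumes tcpdump was run with the pcap filter `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn`, which keeps only bare SYNs so the capture stays small at a few Mb/s; the line layout it parses is an approximation of `tcpdump -n` output, and every packet in the built-in sample is constructed. It counts in two ways because, as Joe Steele points out, a flooder will usually forge source addresses: a per-source count catches one noisy host, and a per-destination-port count with the number of distinct sources catches a flood spread over many one-packet addresses.

```python
"""Flag SYN-flood-like bursts in tcpdump text output.

Added example for this thread; not code from the ale list, the poster,
or the tcpdump project. Assumes tcpdump was run roughly as
    tcpdump -n -l 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
and its output was piped in (or saved to a file given as argv[1]). The
line layout matched below is approximated, and all sample traffic is
constructed.
"""
import re
import sys
from collections import defaultdict

# Start of a tcpdump -n line: "HH:MM:SS.uuuuuu IP a.b.c.d.sport > e.f.g.h.dport: Flags [..]"
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{1,6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
WINDOW_US = 1_000_000  # sliding window of one second, in microseconds


def parse_line(line):
    """Return a dict for one TCP packet line, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    g = m.groupdict()
    t_us = ((int(g["h"]) * 3600 + int(g["m"]) * 60 + int(g["s"])) * 1_000_000
            + int(g["us"].ljust(6, "0")))
    return {"t": t_us, "src": g["src"], "dst": g["dst"],
            "dport": int(g["dport"]), "flags": g["flags"]}


def is_bare_syn(flags):
    """SYN without ACK is a connection attempt; 'S.' is the server's SYN/ACK reply."""
    return "S" in flags and "." not in flags


def max_in_window(times, window_us):
    """Largest number of timestamps that fall inside any window_us-wide interval."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while times[j] < t - window_us:
            j += 1
        best = max(best, i - j + 1)
    return best


def analyze(text, per_source_limit=10, per_port_limit=25):
    """Return parsed-line count, bare-SYN count and a list of alerts.

    Per-source peaks catch one noisy host; per-port peaks (with the number
    of distinct sources) catch a flood whose source addresses are forged."""
    by_src, by_port, srcs_per_port = defaultdict(list), defaultdict(list), defaultdict(set)
    parsed = syns = 0
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        parsed += 1
        if not is_bare_syn(pkt["flags"]):
            continue
        syns += 1
        key = "%s:%d" % (pkt["dst"], pkt["dport"])
        by_src[pkt["src"]].append(pkt["t"])
        by_port[key].append(pkt["t"])
        srcs_per_port[key].add(pkt["src"])
    alerts = []
    for src, times in sorted(by_src.items()):
        peak = max_in_window(times, WINDOW_US)
        if peak > per_source_limit:
            alerts.append({"kind": "source", "who": src, "peak_per_s": peak, "sources": 1})
    for key, times in sorted(by_port.items()):
        peak = max_in_window(times, WINDOW_US)
        if peak > per_port_limit:
            alerts.append({"kind": "port", "who": key, "peak_per_s": peak,
                           "sources": len(srcs_per_port[key])})
    return {"parsed": parsed, "syns": syns, "alerts": alerts}


def constructed_capture():
    """Constructed tcpdump-like lines (not real traffic): one normal handshake,
    one host retrying hard, and a burst of single SYNs from 40 addresses."""
    def line(us, src, sport, dst, dport, flags):
        return ("12:48:%02d.%06d IP %s.%d > %s.%d: Flags [%s], win 512, length 0"
                % (us // 1_000_000, us % 1_000_000, src, sport, dst, dport, flags))
    srv = "192.0.2.10"
    lines = [line(0, "10.0.0.7", 40001, srv, 80, "S"),
             line(500, srv, 80, "10.0.0.7", 40001, "S."),
             line(900, "10.0.0.7", 40001, srv, 80, ".")]
    lines += [line(1_000_000 + i * 20_000, "198.51.100.5", 50000 + i, srv, 80, "S")
              for i in range(25)]
    lines += [line(3_000_000 + i * 10_000, "203.0.113.%d" % (i + 1), 1024 + i, srv, 80, "S")
              for i in range(40)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else constructed_capture()
    report = analyze(text)
    print("parsed %d lines, %d bare SYNs" % (report["parsed"], report["syns"]))
    for a in report["alerts"]:
        print("%s %s: %d SYN/s peak from %d source(s)"
              % (a["kind"], a["who"], a["peak_per_s"], a["sources"]))
```

On the constructed sample the retrying host trips the per-source alert and the 40-address burst trips only the per-port alert, which is the pattern to expect when sources are forged: every individual address looks harmless and only the aggregate on the port stands out. The thresholds are placeholders; on a real link, set them from a quiet-hour baseline of the same counts.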