On Thursday 25 October 2001 04:10 am, Steven M Bloomfield wrote:
> Hi,
>     I'm webmaster of a large-ish website and yesterday the server went
> down. It is a Redhat 6.1 Linux server.  All my ISP would do was press the
> 'reset' button - very kind of them (they are NT specialists).
> Inspecting my log files I found thousands of denied packets, all seem to be
> within a period of 6 hours.
> My question is, could such an attack disable my machine and crash it?  Can
> anyone identify what sort of attack it was?
>
> Here's a summary below:
>
> Denied packets from modem-392.awesome.dialup.pol.co.uk (62.25.129.136).
>   Port https (tcp,eth0,input): 5 packet(s).
> Total of 5 packet(s).
>
> Denied packets from 10.10.71.237.
>   Port netbios-dgm (udp,eth1,input): 69 packet(s).
>   Port netbios-ns (udp,eth1,input): 333 packet(s).
> Total of 402 packet(s).
>
> Denied packets from 10.10.0.4.
>   Port netbios-dgm (udp,eth1,input): 496 packet(s).
>   Port netbios-ns (udp,eth1,input): 2925 packet(s).
> Total of 3421 packet(s).
>
> Denied packets from userSg017.videon.wave.ca (204.112.48.37).
>   Port 500 (udp,eth0,input): 6 packet(s).
> Total of 6 packet(s).
>
> Denied packets from 207.190.199.102.
>   Port https (tcp,eth0,input): 11 packet(s).
> Total of 11 packet(s).
>
> Denied packets from 10.10.32.21.
>   Port netbios-dgm (udp,eth1,input): 338 packet(s).
>   Port netbios-ns (udp,eth1,input): 1742 packet(s).
> Total of 2080 packet(s).
>
> Denied packets from 172.17.0.18.
>   Port 1434 (udp,eth1,input): 2 packet(s).
> Total of 2 packet(s).
>
> Denied packets from 10.10.1.37.
>   Port netbios-dgm (udp,eth1,input): 496 packet(s).
>   Port netbios-ns (udp,eth1,input): 2925 packet(s).
> Total of 3421 packet(s).
>
> Denied packets from 10.10.32.27.
>   Port netbios-dgm (udp,eth1,input): 59 packet(s).
>   Port netbios-ns (udp,eth1,input): 324 packet(s).
> Total of 383 packet(s).
>
> Denied packets from 10.10.32.28.
>   Port netbios-dgm (udp,eth1,input): 107 packet(s).
>   Port netbios-ns (udp,eth1,input): 513 packet(s).
> Total of 620 packet(s).
>
> Denied packets from 10.10.0.1.
>   Port 0 (tcp,eth1,input): 3 packet(s).
> Total of 3 packet(s).
>
> Denied packets from 10.10.0.3.
>   Port bootpc (udp,eth1,input): 19 packet(s).
>   Port netbios-dgm (udp,eth1,input): 475 packet(s).
>   Port netbios-ns (udp,eth1,input): 2259 packet(s).
> Total of 2753 packet(s).
>
>
> Thanks,
> Steve
most of those are coming from reserved ip sets (all but the ones connecting to 
the https port), you might have been hit by some type of denial of service 
attack but you'd need more info than that, I'm sure there's been some type of 
DoS for a service you're likely running on that machine since rh6.1 came out, 
you can search in securityfocus's vulnerability database for anything 
applicable, also the reserved ip sets could be coming from your ips if you're 
using those sets

