[opensuse-security] Treason uncloaked
Hello everybody,

yesterday one of my webservers refused to deliver any more webpages, while reaching the server with ssh was fine and the load of the server was very low. But there were 100 apache processes, which is the configured limit on that server. Usually there are about 30 apache processes.

In /var/log/messages I found some messages like this at the same time:

  Nov 19 14:38:12 server1 kernel: TCP: Treason uncloaked! Peer 87.160.97.54:2560/80 shrinks window 1710186274:1710191335. Repaired.

Does anyone know what this means and how it might be related to the apache processes? Is this some kind of DoS attack?

cu,
Magnus

--
Carl Magnus Rosenbaum M.A.
Administration - Programmierung - Weiterbildung
http://cmr.cx/
Tel: +49 89 70066626  Fax: +49 89 70066686  Mobil: +49 163 7006662
PGP Fingerprint: DEBC 3C99 EF1D 74F0 D4C7 EFF5 C268 3690 0EA1 7641
On Tue November 20 2007 12:55:51 pm Magnus Rosenbaum wrote:

> Nov 19 14:38:12 server1 kernel: TCP: Treason uncloaked! Peer 87.160.97.54:2560/80 shrinks window 1710186274:1710191335. Repaired.

Hi Magnus,

Check the first reply in this thread:
http://www.linuxquestions.org/questions/linux-networking-3/tcp-treason-unclo...

All I did was Google part of your error message: "TCP Treason uncloaked! Peer"

hth & regards,
Carl

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
Carl Hartung wrote:

> http://www.linuxquestions.org/questions/linux-networking-3/tcp-treason-unclo...

The IPs in the log messages on my server are not in BOGON networks. Most of them are from t-ipconnect.de and t-dialin.net. However, the explanation sounds good and fits my observations.

I have also read some explanations that it might be a kernel bug in kernels < 2.6.16 or just a defective router somewhere. But this would not explain the many apache processes.

The only solution I have found is blocking the IPs with a cron job that greps dmesg and then sets iptables rules. But I guess this would be too slow, because the attacks seem to be very short.

Thank you,
Magnum
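Added example (not from the thread or any of its participants): the "cron job that greps dmesg" approach described above, written as a Python script that parses the kernel message, counts window-shrink events per peer on port 80 and renders, but does not execute, the iptables rule it would apply to repeat offenders. The log lines, the RFC 5737 documentation addresses in them, the threshold of three hits and the exact rule format are my constructions, not anything from the thread.

```python
import re
from collections import Counter

# Pattern for the kernel message quoted in this thread. The window edges are
# captured as well, but only the peer address and local port are used below.
TREASON_RE = re.compile(
    r"kernel: TCP: Treason uncloaked! Peer "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)/(?P<dport>\d+) "
    r"shrinks window (?P<old>\d+):(?P<new>\d+)\. Repaired\."
)

# Constructed sample of /var/log/messages. The addresses are RFC 5737
# documentation addresses, not the ones reported in the thread.
SAMPLE_LOG = """\
Nov 19 14:38:12 server1 kernel: TCP: Treason uncloaked! Peer 192.0.2.10:2560/80 shrinks window 1710186274:1710191335. Repaired.
Nov 19 14:38:12 server1 kernel: TCP: Treason uncloaked! Peer 192.0.2.10:2561/80 shrinks window 1710186274:1710191335. Repaired.
Nov 19 14:38:13 server1 sshd[1234]: Accepted publickey for admin from 198.51.100.7 port 51022 ssh2
Nov 19 14:38:13 server1 kernel: TCP: Treason uncloaked! Peer 192.0.2.10:2562/80 shrinks window 1710186274:1710191335. Repaired.
Nov 19 14:38:14 server1 kernel: TCP: Treason uncloaked! Peer 203.0.113.5:40112/80 shrinks window 2891122:2893342. Repaired.
Nov 19 14:38:15 server1 kernel: TCP: Treason uncloaked! Peer 203.0.113.5:40113/25 shrinks window 2891122:2893342. Repaired.
"""


def parse_treason_events(text, dport=80):
    """Return one dict per 'Treason uncloaked' line whose local port is dport.

    Filtering on the local port keeps the cron job focused on the web server
    and ignores the same message on unrelated services.
    """
    events = []
    for line in text.splitlines():
        m = TREASON_RE.search(line)
        if m and int(m.group("dport")) == dport:
            events.append({
                "ip": m.group("ip"),
                "sport": int(m.group("sport")),
                "old": int(m.group("old")),
                "new": int(m.group("new")),
            })
    return events


def peers_over_threshold(events, threshold):
    """Peers with at least `threshold` events, most frequent first.

    A single message can come from a buggy peer stack or router, so one hit
    is not worth acting on; repeated hits from one address within the same
    dmesg window are what the cron job should react to.
    """
    counts = Counter(e["ip"] for e in events)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def block_rules(peers, dport=80):
    """Render one iptables DROP rule per offending peer (dry run, nothing is executed)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {dport} -j DROP" for ip, _ in peers]


if __name__ == "__main__":
    evts = parse_treason_events(SAMPLE_LOG)
    hits = peers_over_threshold(evts, threshold=3)
    print(f"{len(evts)} window-shrink events on port 80; {len(hits)} peer(s) over threshold")
    for rule in block_rules(hits):
        print(rule)
```

In a cron job the text fed to parse_treason_events would be the output of dmesg (or a tail of /var/log/messages) rather than the constructed sample; the threshold is there because, as noted above, the message on its own can also be a kernel or router bug rather than anything hostile.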
Could we please keep the emails sent to and from the list sent to and from the list without the "TO Charles or Fred, or whomever" and CCs as well. I am getting an exceptional amount of "LIST" mail that is sent to a specific person and to the LIST. I would assume that these people are already on the LIST, so a TO or CC to individuals is irrelevant.

Why? Email filters. I have filters to... yep, you guessed it, filter my incoming email, and the plethora of TO JOE and CC list does not work so well.

Thanks,
Frustrated LIST user who get a lot of CC and TO's that are not TO the LIST.

-----Original Message-----
From: Magnus Rosenbaum [mailto:cmr_lists@forestfactory.de]
Sent: Tuesday, November 20, 2007 4:31 PM
To: Carl Hartung
Cc: opensuse-security@opensuse.org
Subject: Re: [opensuse-security] Treason uncloaked

Carl Hartung wrote:
> http://www.linuxquestions.org/questions/linux-networking-3/tcp-treason-uncloaked-127984/

The IPs in the log messages on my server are not in BOGON networks. Most of them are from t-ipconnect.de and t-dialin.net. However, the explanation sounds good and fits my observations.

I have also read some explanations that it might be a kernel bug in kernels < 2.6.16 or just a defective router somewhere. But this would not explain the many apache processes.

The only solution I have found is blocking the IPs with a cron job that greps dmesg and then sets iptables rules. But I guess this would be too slow, because the attacks seem to be very short.

Thank you,
Magnum
The Tuesday 2007-11-20 at 17:51 -0700, Ash wrote:

> Could we please keep the emails sent to and from the list sent to and from the list without the "TO Charles or Fred, or whomever" and CCs as well. I am getting an exceptional amount of "LIST" mail that is sent to a specific person and to the LIST. I would assume that these people are already on the LIST, so a TO or CC to individuals is irrelevant. Why? Email filters. I have filters to... yep, you guessed it, filter my incoming email, and the plethora of TO JOE and CC list does not work so well.

If instead of using M. O. Outlook you were using plain linux programs like procmail, a very simple rule would send all those copies to /dev/null, and you wouldn't see any of them.

> Frustrated LIST user who get a lot of CC and TO's that are not TO the LIST.

And I'm frustrated by top posters sending repeated emails.

--
Cheers,
Carlos E. R.
Ash wrote:

> Could we please keep the emails sent to and from the list sent to and from the list without the "TO Charles or Fred, or whomever" and CCs as well.

If this is so important, the list server should set a Reply-To. I know there is a feature called "list reply" in a few mail clients. But you will definitely never reach the point where all people know how to handle that.

> I would assume that these people are already on the LIST so a TO or CC to individuals is irrelevant.

Well, I find it helpful to get the replies another time in my main inbox, to be reminded.

> Why? Email filters. I have filters to... yep, you guessed it, filter my incoming email, and the plethora of TO JOE and CC list does not work so well.

If your filters do not work well, you might simply adjust them. My filter for this list here is "X-Mailinglist" = "opensuse-security" and it works fine.

> Frustrated LIST user who get a lot of CC and TO's that are not TO the LIST.

Welcome to reality. And as long as you're quoting tofu and do not even practice yourself what you preach, nobody will take that seriously.

Sorry,
Magnum
On Tuesday 20 November 2007 06:51:08 pm Ash wrote:

> Could we please keep the emails sent to and from the list sent to and from the list without the "TO Charles or Fred, or whomever" and CCs as well. I am getting an exceptional amount of "LIST" mail that is sent to a specific person and to the LIST. I would assume that these people are already on the LIST, so a TO or CC to individuals is irrelevant. Why? Email filters. I have filters to... yep, you guessed it, filter my incoming email, and the plethora of TO JOE and CC list does not work so well.

List server is set as it is:

  To: original poster
  CC: opensuse-<mail list>@opensuse.org

There is nothing that we can do about it. Once upon a time there was a discussion that ended with this header, and no one wants to repeat the experience.

Besides:
- top posting,
- hijacking a thread,
- wrong mail list for the subject
is on the list of no-nos according to:
http://en.opensuse.org/OpenSUSE_mailing_list_netiquette

> Thanks,
> Frustrated LIST user who get a lot of CC and TO's that are not TO the LIST.

Fix filters. If your client can't do it, change client. There is a plethora of them. Outlook is designed for a different use case and stretching it is just a waste of time.

--
Regards, Rajko.
Magnus Rosenbaum wrote:

> The IPs in the log messages on my server are not in BOGON networks.

BOGONs are absolutely pointless; blacklisting BOGON networks will only provide one thing: a false sense of security ;) as they represent only a very small, irrelevant segment of the IP address space. You can (and will) always be attacked by the rest of the big & mighty 95% of the internet =)

> But this would not explain the many apache processes.

Were you able to obtain some clue from the apache logs?

> The only solution I have found is blocking the IPs with a cron job that greps dmesg and then sets iptables rules.

If you know for sure that certain IPs are D.O.S'ing your systems, you should contact your ISP and the police to hunt them down.

--
"The only thing that interferes with my learning is my education." - Albert Einstein

Cristian Rodríguez R.
Platform/OpenSUSE - Core Services
SUSE LINUX Products GmbH Research & Development
http://www.opensuse.org/
Cristian Rodríguez wrote:

> Were you able to obtain some clue from the apache logs?

Nothing in error_log. But in access_log I found that someone with the same IP as in a "Treason uncloaked" message was surfing on our website at the same time. The user agent there is "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11". Did the attacker check whether our website was already unreachable? :-) Or is it just someone with a broken router visiting our page?

> The only solution I have found is blocking the IPs with a cron job that greps dmesg and then sets iptables rules.

I have added these iptables rules now:

  iptables -N syn-flood
  iptables -A INPUT -p tcp --dport 80 --syn -j syn-flood
  iptables -A syn-flood -m limit --limit 15/s --limit-burst 5 -j RETURN
  iptables -A syn-flood -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix 'SYN-FLOOD '
  iptables -A syn-flood -j DROP

It makes about 2000 lines in the log per day. It seems to help, because the problem with the many apache processes did not occur anymore. But I'm afraid that it filters too much.

> If you know for sure that certain IPs are D.O.S'ing your systems, you should contact your ISP and the police to hunt them down.

Yes, they have already informed the police. But I can not really imagine that this will help in any way :-)

--
Carl Magnus Rosenbaum
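Added example, mine rather than anything posted in the thread: a Python token-bucket simulation of the iptables "-m limit" match, run over two constructed SYN arrival patterns through the three-rule syn-flood chain above, to put numbers on the worry that it filters too much. The rates and bursts are the ones from the message; the traffic patterns and the modelling assumption that each bucket starts full are mine.

```python
class LimitMatch:
    """Token bucket with the semantics of iptables '-m limit'.

    The bucket starts full (--limit-burst tokens), refills continuously at
    --limit tokens per second, and a packet matches only if a whole token is
    available. '-m limit' keeps ONE bucket per rule, not one per source
    address, so every client on the Internet draws from the same tokens.
    """

    def __init__(self, rate, burst):
        self.rate = float(rate)     # tokens per second (--limit)
        self.burst = float(burst)   # capacity and initial fill (--limit-burst)
        self.tokens = self.burst
        self.last = 0.0             # time of the previous packet

    def matches(self, t):
        # Refill for the time elapsed since the last packet, capped at burst.
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_syn_flood_chain(syn_times, rate=15.0, burst=5, log_rate=3 / 60, log_burst=5):
    """Run SYN arrival times (seconds, ascending) through the syn-flood chain.

    Rule 1: -m limit --limit 15/s  --limit-burst 5 -j RETURN  -> accepted
    Rule 2: -m limit --limit 3/min --limit-burst 5 -j LOG     -> logged (only packets past rule 1)
    Rule 3: -j DROP                                           -> dropped
    """
    accept = LimitMatch(rate, burst)
    log = LimitMatch(log_rate, log_burst)
    stats = {"accepted": 0, "dropped": 0, "logged": 0}
    for t in syn_times:
        if accept.matches(t):
            stats["accepted"] += 1
        else:
            stats["dropped"] += 1
            if log.matches(t):
                stats["logged"] += 1
    return stats


# Constructed traffic patterns; no real captures are involved.
def steady_clients(count=30, interval=0.1):
    """One new connection every 100 ms, i.e. 10 SYNs per second from anywhere."""
    return [i * interval for i in range(count)]


def two_browser_visitors(parallel=8, second_start=0.2):
    """Two ordinary visitors whose browsers each open 8 parallel connections
    1 ms apart, the second visitor arriving 200 ms after the first."""
    first = [i * 0.001 for i in range(parallel)]
    second = [second_start + i * 0.001 for i in range(parallel)]
    return first + second


if __name__ == "__main__":
    print("steady 10/s:   ", simulate_syn_flood_chain(steady_clients()))
    print("two page loads:", simulate_syn_flood_chain(two_browser_visitors()))
```

What the run shows: a steady 10 connections per second passes untouched (30 accepted, 0 dropped), but two ordinary page loads whose browsers open eight connections each share the single bucket of five tokens and lose half their SYNs between them (8 accepted, 8 dropped, the first 5 drops logged), which is the "filters too much" effect with a global limit. Per-source rate limiting is what the hashlimit match (--hashlimit-mode srcip) provides instead of -m limit.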