[ale] Em

jj at spiderentertainment.com
Fri Oct 15 15:43:48 EDT 1999


Well, get this, the oops messages have stopped; my guess is that it was an attack.
I will take a look at the syn flooding part of it, as soon as I finish
configuring this second machine to serve as a backup. If I only saw this
attacker(s) once I would ......

I have posted this to another Linux-type list, but it was pointless.

Thanks ALE folks :)

Joe Knapka wrote:

> Does this happen consistently, every so often, just
> once, or what? Might be a good idea to just physically
> take the machine off the network, boot it, and see if
> you get the same oops. If you don't, then send it a
> SYN flood from itself. If you get the oops, then
> chances are the problem is in the syncookie code (and
> someone is really attacking your site). A quick Google
> search turned up a number of sources of SYN flood
> programs, which of course you should look at carefully
> before using.
>
> -- Joe Knapka
>
> Joe Steele wrote:
> >
> > I doubt there are any IP addresses in the hex data that was dumped to the
> > log.  On the other hand, the SYN flood warnings in your log do give you
> > source IP addresses.  Those will be the only source info that's available.
> >  Unfortunately, if you were in fact subjected to a SYN attack, then the
> > attacker would likely have used a phony source address anyway, making it
> > difficult if not impossible to trace back.
> >
> > I don't have much to suggest as far as a solution.  It's conceivable that
> > it's not even an actual attack, but is caused by something else.  As I
> > think I said before, SYN flooding may interfere with network traffic, but
> > it shouldn't cause an oops message.  Possibly a tcpdump on the network
> > interface would show something that confirms an attack.
> >
> > You might try running your logs past the linux-net at vger.rutgers.edu mailing
> > list.  (the list can be joined by sending e-mail to
> > majordomo at vger.rutgers.edu with 'subscribe linux-net' in the body.)
> >
> > --Joe
> >
> > -----Original Message-----
> > From:   jj at spiderentertainment.com [SMTP:jj at spiderentertainment.com]
> > Sent:   Friday, October 08, 1999 5:25 PM
> > To:     ale at ale.org
> > Subject:        Re: [ale] Em
> >
> > In these HEX numbers, is there an IP address I can extract ?
>
> -- Joe Knapka
> * I speak only for myself, not for The Software Monastery,
> * which exists solely to provide an organization for which
> * I can claim not to speak.
> * http://whyme.penguinpowered.com/monastery.html
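
Joe Steele's suggestion above is that a tcpdump on the interface might confirm an attack. The following is an added example, not part of the original thread: it reads `tcpdump -n` text output and counts inbound SYNs that never receive the client's final ACK. The function name, the assumed line format and the sample capture (built from documentation address ranges) are all constructed for illustration.

```python
import re

# Default text output of `tcpdump -n` for TCP over IPv4 (assumed input format).
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                  r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")

def half_open_report(lines, server_ip):
    """Summarise inbound handshakes to server_ip (hypothetical helper)."""
    pending, completed = set(), set()
    for line in lines:
        m = LINE.search(line)
        if not m or m.group(3) != server_ip:
            continue                      # skip other lines and the server's own replies
        src, sport, _, dport, flags = m.groups()
        flow = (src, sport, dport)
        if flags == "S":                  # bare SYN: a client opening a connection
            if flow not in completed:
                pending.add(flow)         # a set, so retransmitted SYNs count once
        elif "." in flags and "S" not in flags and "R" not in flags:
            if flow in pending:           # client ACK: the handshake finished
                pending.discard(flow)
                completed.add(flow)
    total = len(pending) + len(completed)
    return {
        "syn_flows": total,
        "completed": len(completed),
        "half_open": len(pending),
        # Sources are counted, not trusted: flood packets usually carry forged addresses.
        "half_open_sources": len({f[0] for f in pending}),
        "half_open_ratio": len(pending) / total if total else 0.0,
    }

# Constructed capture: one real client, then five SYN-only flows.
SAMPLE = [
    "10:00:00.000001 IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0",
    "10:00:00.000200 IP 192.0.2.10.80 > 198.51.100.7.40001: Flags [S.], seq 9, ack 2, win 65160, length 0",
    "10:00:00.000400 IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [.], ack 10, win 502, length 0",
] + [
    f"10:00:01.{i:06d} IP 203.0.113.{i}.1025 > 192.0.2.10.80: Flags [S], seq {i}, win 512, length 0"
    for i in range(11, 16)
]

if __name__ == "__main__":
    print(half_open_report(SAMPLE, "192.0.2.10"))
```

A high half-open ratio spread over many sources is consistent with a SYN flood, but a lossy link or a capture that ends mid-handshake also leaves flows half-open.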





