
Re: another seeming attack on my server's DirPort
Hello,

On 19.12.2007, at 09:46, Scott Bennett wrote:

Is anyone else having this kind of trouble, regardless of the apparent
origin(s) of the attack(s)?

This night I had some TCP attacks (?) reported by syslog. About one half on TOR's Dir Port, the rest on port , approximately also opened by TOR. All coming from these two IP addresses:

Dec 20 05:45:23 sokrates kernel: TCP: Treason uncloaked! Peer 74.130.148.96:25919/33467 shrinks window 2322119975:2322119976. Repaired.
[...]
Dec 20 06:04:39 sokrates kernel: TCP: Treason uncloaked! Peer 140.129.39.93:1031/9030 shrinks window 1242426870:1242428371. Repaired.

A few minutes later, the server's network connection went down:

Dec 20 06:41:12 sokrates kernel: NETDEV WATCHDOG: eth0: transmit timed out
Dec 20 06:41:15 sokrates kernel: eth0: Transmit timeout, status 0d 0000 c07f media 10.
Dec 20 06:41:15 sokrates kernel: eth0: Tx queue start entry 282389391 dirty entry 282389387.
Dec 20 06:41:15 sokrates kernel: eth0:  Tx descriptor 0 is 0008a28c.
Dec 20 06:41:15 sokrates kernel: eth0:  Tx descriptor 1 is 000805ea.
Dec 20 06:41:15 sokrates kernel: eth0:  Tx descriptor 2 is 000805ea.
Dec 20 06:41:15 sokrates kernel: eth0: Tx descriptor 3 is 000845ea. (queue head)
Dec 20 06:41:15 sokrates kernel: eth0: link up, 100Mbps, full-duplex, lpa 0x45E1
[Repeated about every second until the server was rebooted]

I assume a correlation between these two events, although I wonder how (blocked) window shrinks could lead to this. My idea was to automatically search in syslog for window shrink events and then block the guilty IPs for 24 hours with iptables. But I hope that anybody understands what exactly was going on there...

Jan-Kaspar
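The syslog-scanning idea from the mail above, written out as an added example (not code from the poster or from Tor): it parses the kernel's "Treason uncloaked" lines, counts window-shrink events per remote IP (optionally only on chosen local ports such as 9030, Tor's default DirPort), and renders iptables DROP rules for review instead of executing them. The sample log lines, the threshold and the chain name TREASON are constructed assumptions.

```python
import re
from collections import Counter
from typing import Iterable, NamedTuple, Optional

# Constructed sample lines modelled on the kernel messages quoted in the mail;
# the first three are window-shrink reports, the last one is unrelated.
SAMPLE_LOG = """\
Dec 20 05:45:23 sokrates kernel: TCP: Treason uncloaked! Peer 74.130.148.96:25919/33467 shrinks window 2322119975:2322119976. Repaired.
Dec 20 05:46:01 sokrates kernel: TCP: Treason uncloaked! Peer 74.130.148.96:25920/9030 shrinks window 2322119980:2322119990. Repaired.
Dec 20 06:04:39 sokrates kernel: TCP: Treason uncloaked! Peer 140.129.39.93:1031/9030 shrinks window 1242426870:1242428371. Repaired.
Dec 20 06:41:12 sokrates kernel: NETDEV WATCHDOG: eth0: transmit timed out
"""

# Field order follows the kernel's format: Peer <remote ip>:<remote port>/<local port>
TREASON_RE = re.compile(
    r"Treason uncloaked! Peer (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<rport>\d+)/(?P<lport>\d+)"
)

class ShrinkEvent(NamedTuple):
    peer_ip: str
    peer_port: int
    local_port: int

def parse_treason(line: str) -> Optional[ShrinkEvent]:
    """Parse one syslog line; return None for lines that are not window-shrink reports."""
    m = TREASON_RE.search(line)
    if m is None:
        return None
    return ShrinkEvent(m["ip"], int(m["rport"]), int(m["lport"]))

def count_by_peer(lines: Iterable[str], local_ports: Optional[set] = None) -> Counter:
    """Count shrink events per remote IP, optionally only those aimed at the given
    local ports (e.g. {9030}, the DirPort seen in the mail's second log line)."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_treason(line)
        if ev is None or (local_ports and ev.local_port not in local_ports):
            continue
        counts[ev.peer_ip] += 1
    return counts

def iptables_rules(counts: Counter, threshold: int, chain: str = "TREASON") -> list:
    """Render DROP rules for peers at or above the threshold. Rules are returned as
    strings rather than executed so an operator can review them first; flushing the
    dedicated chain (hypothetical name TREASON) from cron gives the 24-hour expiry."""
    return [f"iptables -A {chain} -s {ip} -j DROP"
            for ip, n in sorted(counts.items()) if n >= threshold]

if __name__ == "__main__":
    for rule in iptables_rules(count_by_peer(SAMPLE_LOG.splitlines()), threshold=2):
        print(rule)
```

The kernel already repairs each shrunk window, so a single event is weak evidence; a threshold over a time window keeps ordinary lossy peers from being blocked.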