Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Possible DoS attack?

We lost access to a server at work; unfortunately, the server is in New
York, and one of us is on the way to Logan to fly out there and reboot the
machine, but he probably won't even arrive there until 4:00 or so.

At this point we can ping the system, but we can't access it at all. Ssh
is apparently down, as is apache, sendmail, and inn. It responds to all
connection requests instantaneously with a "Connection refused" error,
which makes me suspect that the refusal is happening at the IP level,
before the system has a chance to look at the packet.

In the meantime, we got a report from someone that the system is pounding
their network on port 113, at roughly 50-60 request per minute. The
excerpt from their logs looks like thes (ip addresses obscured):

    Aug 25 08:00:14 avgo-br2 avgo-br2, list 101 denied tcp v2 0050.2ac2.14a0) -> yyy.yyy.yyy.yyy(113), 1 packets

Does this look familiar to anyone? Is this characteristic of any type of

Another thing that occurs to me: we had just migrated an old server to
this one last week, which included installing inn. I understand inn can be
a resource pig; could the above behavior be a side effect of inn running
out of control?

John Abreau / Executive Director, Boston Linux & Unix 
ICQ#28611923 / AIM abreauj / Email jabr at

Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at (Subject line is ignored).

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /