LinuxQuestions.org


perrin4869 12-10-2014 04:46 AM

Load average of 100% in my router when connected to my Linux box
 
These last 2 weeks I've been having trouble with my router (Buffalo WHR-HP-GN, running DD-WRT v24-sp2 (12/03/14) std - build 25544) stopping working after my Linux PC has been on for a while. I have two PCs connected by wire to it: my PC, which is usually running Slackware 14.1, and my roommate's, which is usually running Windows 7. We bought another router thinking that the old Buffalo had malfunctioned, only to find out that the problem still persisted whenever my PC was connected to it. Today, looking at the status tab of the DD-WRT control panel, I noticed that when running Windows the load average stayed down at around 10%, and when I switched back to Linux, for a while it stayed that way, but after about an hour or two I noticed it had risen to 100% and the network became useless. I switched back to Windows, and after a few minutes the load average started lowering (now at 15%). It actually took quite a while for it to go down from 100%.
I was wondering how I could troubleshoot this problem, now that I know the cause is something in my Linux installation. Thanks!

Nemesiz 12-10-2014 04:59 AM

Try to look at your Linux network load. Try to catch some packets for analysis.

perrin4869 12-11-2014 12:01 AM

Thanks for the reply!
I used "tcpdump -i eth0" over the period of a bit over 30 minutes until the problem started. I got the results on dropbox: https://dl.dropboxusercontent.com/u/...tcpdump.log.xz
At 01:18:40.727546 (or line 528601), there is an obvious change, which is also the time when the connection started failing. I stopped the logging just a minute or so later. For the remaining minute I kept getting this kind of message: "IP landau.40271 > 115.238.184.107.5021: tcp 64 [bad hdr length 8 - too short, < 20]", where landau is my hostname. I don't really know what to make of all this, though. Thanks for the help!
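A capture like the one above can be scanned to find when the malformed packets began and which destinations the box is talking to. This is an added example, not code from the thread; it assumes tcpdump's default text output format and uses constructed sample lines in place of the original log.

```python
import re
from collections import Counter

# Default tcpdump text line: "HH:MM:SS.usec IP src.sport > dst.dport: <rest>".
# For a malformed header the rest is tcpdump's own complaint, e.g.
# "tcp 64 [bad hdr length 8 - too short, < 20]" as quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Constructed sample in place of the Dropbox log; 192.0.2.10 is a documentation address.
SAMPLE = """\
01:18:39.100000 IP landau.51000 > 192.0.2.10.443: Flags [P.], seq 1:101, ack 1, win 229, length 100
01:18:39.400000 IP 192.0.2.10.443 > landau.51000: Flags [.], ack 101, win 235, length 0
01:18:40.727546 IP landau.40271 > 115.238.184.107.5021: tcp 64 [bad hdr length 8 - too short, < 20]
01:18:40.800000 IP landau.40271 > 115.238.184.107.5021: tcp 64 [bad hdr length 8 - too short, < 20]
01:18:41.000000 IP landau.40271 > 115.238.184.107.5021: tcp 64 [bad hdr length 8 - too short, < 20]
01:18:41.200000 IP landau.51000 > 192.0.2.10.443: Flags [F.], seq 101, ack 101, win 229, length 0
"""

def parse_line(line):
    """Split one tcpdump line into fields; None if it is not an IP packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["malformed"] = "bad hdr length" in rec["rest"]
    return rec

def summarize(lines, host):
    """Tally outbound traffic from `host`: packets per second, packets per
    destination, malformed packets per second, and the first second in which
    a malformed packet left the box (the onset the thread pinpoints by line)."""
    per_second, per_dest, malformed = Counter(), Counter(), Counter()
    onset = None
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] != host:
            continue  # inbound or non-IP lines are not our concern here
        per_second[rec["ts"]] += 1
        per_dest[rec["dst"]] += 1
        if rec["malformed"]:
            malformed[rec["ts"]] += 1
            onset = onset or rec["ts"]
    return {"per_second": per_second, "per_dest": per_dest,
            "malformed_per_second": malformed, "onset": onset}
```

Run `summarize(open("tcpdump.log").read().splitlines(), "landau")` on the real capture; `per_dest.most_common()` shows which remote hosts receive most of the box's traffic, and `onset` gives the second to look up in process and connection listings.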

rknichols 12-11-2014 01:51 PM

That 115.238.x.y address is located in China. I recommend going over to the Linux Security forum and seeing if someone there can help you clean out whatever is sending those packets.

Nemesiz 12-11-2014 02:30 PM

Do you use IRC chat? Or does your zombie bot use it? Anyway, it looks like your Linux box has become a bot. Try to look at running processes, crontab scripts, temp directories. Or run some antivirus or other scanner tools.

perrin4869 12-12-2014 04:58 AM

Actually I do use irc. This time the problem was triggered just as I connected to the server if I remember correctly. But that's not always the case. I took a look at the crontab scripts and there was nothing suspicious there. I guess I'll run some antivirus next. I'll also post the question in the security forum as per your suggestion. Thanks for the help!

