LinuxQuestions.org
Old 10-29-2005, 09:56 AM   #1
English_Man
Member
 
Registered: Feb 2004
Location: Stockholm SWEDEN
Distribution: Kubuntu 9.04
Posts: 54

Rep: Reputation: 15
Server under some form of attack


Hi there, I run a bit-torrent tracker with well over 750,000 peers, so I am used to having many connections coming into my machine.

I run a FC3 server with a 15Mbps line. The tracker itself is running on multiple ports, and all works fine.

For the past few weeks, however, the incoming traffic has been using the full 15Mbps and is bringing the tracker to a standstill.

I have been able to find that the attack is attacking a tracker port 3434 but I am unable to find anything else. At the moment the tracker is not listening on 3434 and all is running fine. As soon as I start the tracker on 3434, it once again consumes the full 15Mbps and causes timeouts etc.

I have logged all connections to port 3434 using tcpdump. I have 3 logs, made by listening for only a few seconds as the file size soon shoots up. The logs were made with the tracker listening on the problematic port, and the bandwidth was 15Mbps when taking the logs.

The firewall has been modified so that the incoming connections are not tracked by conntrack (at least I think this is the case) and SYN_flood_cookies is enabled.

I have tried to analyze these files myself using ethereal but don't really know what I am looking for. What I need to do is identify the problematic packets or IP's and block them from the server. If there is anyone who could help me with this, I would be most grateful.

The logs can be found here;

http://mongo56.org/3secs1
http://mongo56.org/3secs2
http://mongo56.org/3secs3

Thanks in advance,

English_Man
MSN: english_man_@hotmail.com
Email: mongo56@gmail.com
 
Old 10-30-2005, 02:03 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927
The tracker itself is running on multiple ports, and all works fine. (..) attacking a tracker port 3434
Is this related to your thread Port redirecting? I mean, are you still running two trackers or did you get "REDIRECT --to-port 6969" going? if you did, could you post your firewall script?


As soon as I start the tracker on 3434, it once again consumes the full 15Mbps and causes timeouts etc.
Did you have any logged problems with iptables? Would it be possible to try this again and you logging the socketstates for the connections?


The firewall has been modified so that the incoming connections are not tracked by contrack /at least I think this is the case)
Why would you want to turn iptables into a stateless firewall?


What I need to do is identify the problematic packets or IP's and block them from the server.
Yes, cuz I saw some stupid remarks about "Mongo being under investigation for having bad torrents stuck at 99%". I ran your pcaps through Snort and inspected them with Ethereal. Nothing out of the ordinary to report except some packet data wasn't captured in full. Anyway. Here's your top-10 problematic subnets + count from pcaps:
128.108.111 247
128.108.113 130
64.62.170 99
128.108.211 98
128.108.112 80
128.108.114 60
204.11.219 14
38.113.239 12
The majority of which are on the Cogentco.com / Peak Web Hosting route in ASN33529, which doesn't seem to have these ranges listed, which is weird.

Do clients from these ranges connect to the other tracker port?:
128.108.111 - 128.108.114, 128.108.211,
204.11.216, 204.11.217, 204.11.219, 204.11.223,
38.113.239, 38.113.245,
64.62.170, 64.62.179 .


Do you have some way to match Bittorrent client User-Agent strings to IP addresses?
You don't have P0f running by any chance, right?
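The per-subnet ranking unSpawn produced from the pcaps (top source /24s by packet count on the tracker port), as an added example that is not part of the thread: it works over plain `tcpdump` text output instead of raw pcap files, reports distinct hosts and bare-SYN counts per subnet, and turns the heaviest subnets into iptables DROP rules for review. The sample lines, the 10.0.0.1 tracker address and the `min_packets` threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Default tcpdump text format for IPv4 TCP/UDP, e.g.
# 10:01:02.000001 IP 128.108.111.5.51234 > 10.0.0.1.3434: Flags [S], seq 1, win 512, length 0
LINE_RE = re.compile(r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
                     r"\d+\.\d+\.\d+\.\d+\.(?P<dport>\d+): (?P<rest>.*)$")

def parse_line(line):
    """Return (src_ip, dst_port, rest-of-line) or None for lines that are not packets."""
    m = LINE_RE.match(line.strip())
    return (m["src"], int(m["dport"]), m["rest"]) if m else None

def top_subnets(lines, dport=3434, prefixlen=24, n=10):
    """Rank source /prefixlen subnets hitting dport: (subnet, packets, distinct hosts, bare SYNs)."""
    packets, syns, hosts = Counter(), Counter(), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1] != dport:
            continue
        src, _, rest = rec
        net = ip_network(f"{src}/{prefixlen}", strict=False)  # mask off the host bits
        packets[net] += 1
        hosts[net].add(src)
        if "Flags [S]," in rest:  # SYN with nothing else set; a flood is mostly these
            syns[net] += 1
    return [(str(net), c, len(hosts[net]), syns[net]) for net, c in packets.most_common(n)]

def block_rules(ranking, min_packets, dport=3434):
    """iptables DROP rules for ranked subnets at or above min_packets (review before applying)."""
    return [f"iptables -I INPUT -s {net} -p tcp --dport {dport} -j DROP"
            for net, c, _, _ in ranking if c >= min_packets]

# Constructed sample in tcpdump format; not taken from the logs posted in the thread.
SAMPLE = """\
10:01:02.000001 IP 128.108.111.5.51234 > 10.0.0.1.3434: Flags [S], seq 1, win 512, length 0
10:01:02.000002 IP 128.108.111.9.51235 > 10.0.0.1.3434: Flags [S], seq 2, win 512, length 0
10:01:02.000003 IP 128.108.111.77.51236 > 10.0.0.1.3434: Flags [S], seq 3, win 512, length 0
10:01:02.000004 IP 64.62.170.20.40000 > 10.0.0.1.3434: Flags [S], seq 4, win 512, length 0
10:01:02.000005 IP 64.62.170.20.40001 > 10.0.0.1.3434: Flags [P.], seq 1:40, ack 1, win 512, length 39
10:01:02.000006 IP 192.0.2.33.55555 > 10.0.0.1.6969: Flags [S], seq 5, win 5840, length 0
10:01:02.000007 IP 198.51.100.8.44444 > 10.0.0.1.3434: Flags [P.], seq 1:88, ack 1, win 5840, length 87
"""

if __name__ == "__main__":
    ranking = top_subnets(SAMPLE.splitlines())
    print(*ranking, sep="\n")
    print("\n".join(block_rules(ranking, min_packets=2)))
```

Feed it real captures with `tcpdump -n -r 3secs1 'tcp dst port 3434' | python3 rank.py` (reading stdin instead of SAMPLE); a subnet with many packets but few distinct hosts points at a handful of abusive clients rather than a whole range.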