LinuxQuestions.org

Linux - Security: Server under some form of attack (https://www.linuxquestions.org/questions/linux-security-4/server-under-some-form-of-attack-378039/)

English_Man 10-29-2005 08:56 AM

Server under some form of attack

Hi there, I run a bit-torrent tracker with well over 750,000 peers, so I am used to having many connections coming into my machine.

I run a FC3 server with a 15Mbps line. The tracker itself is running on multiple ports, and all works fine.

For the past few weeks, however, the incoming traffic has been using the full 15Mbps and is bringing the tracker to a standstill.

I have been able to find that the attack is attacking tracker port 3434 but I am unable to find anything else. At the moment the tracker is not listening on 3434 and all is running fine. As soon as I start the tracker on 3434, it once again consumes the full 15Mbps and causes timeouts etc.

I have logged all connections to port 3434 using tcpdump. I have 3 logs, made by listening for only a few seconds as the file size soon shoots up. The logs were made with the tracker listening on the problematic port, and the bandwidth was 15Mbps when taking the logs.

The firewall has been modified so that the incoming connections are not tracked by conntrack (at least I think this is the case) and SYN_flood_cookies is enabled.

I have tried to analyze these files myself using Ethereal but don't really know what I am looking for. What I need to do is identify the problematic packets or IPs and block them from the server. If there is anyone who could help me with this, I would be most grateful.

The logs can be found here;

http://mongo56.org/3secs1
http://mongo56.org/3secs2
http://mongo56.org/3secs3

Thanks in advance,

English_Man
MSN: english_man_@hotmail.com
Email: mongo56@gmail.com

unSpawn 10-30-2005 01:03 PM

> The tracker itself is running on multiple ports, and all works fine. (..) attacking a tracker port 3434

Is this related to your thread Port redirecting? I mean, are you still running two trackers or did you get "REDIRECT --to-port 6969" going? If you did, could you post your firewall script?


> As soon as I start the tracker on 3434, it once again consumes the full 15Mbps and causes timeouts etc.

Did you have any logged problems with iptables? Would it be possible to try this again and you logging the socket states for the connections?


> The firewall has been modified so that the incoming connections are not tracked by conntrack (at least I think this is the case)

Why would you want to turn iptables into a stateless firewall?


> What I need to do is identify the problematic packets or IPs and block them from the server.

Yes, cuz I saw some stupid remarks about "Mongo being under investigation for having bad torrents stuck at 99%". I ran your pcaps through Snort and inspected them with Ethereal. Nothing out of the ordinary to report except some packet data wasn't captured in full. Anyway. Here's your top-10 problematic subnets + count from pcaps:
128.108.111 247
128.108.113 130
64.62.170 99
128.108.211 98
128.108.112 80
128.108.114 60
204.11.219 14
38.113.239 12
The majority of which are on the Cogentco.com / Peak Web Hosting route in ASN33529, which doesn't seem to have these ranges listed, which is weird.

Do clients from these ranges connect to the other tracker port?:
128.108.111 - 128.108.114, 128.108.211,
204.11.216, 204.11.217, 204.11.219, 204.11.223,
38.113.239, 38.113.245,
64.62.170, 64.62.179.


Do you have some way to match BitTorrent client User-Agent strings to IP addresses?
You don't have p0f running by any chance, right?
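As an added example (not code from the thread or from either poster), here is a small Python script that does what the subnet tally above does by hand: it reads a tcpdump pcap of the kind English_Man posted and ranks source /24 prefixes by how many packets they sent to one tracker port, so the noisy ranges can be picked out before deciding what to block. The capture it reads is constructed inline for the demonstration; to use it on a real file, pass the file's bytes to top_source_subnets instead.

```python
import struct
from collections import Counter

# Minimal libpcap reader for Ethernet/IPv4 captures as tcpdump writes them on a little-endian host; other files raise.
def parse_pcap(data):
    """Yield (src_ip, dst_ip, proto, dst_port) for every IPv4 packet in the file."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:          # 1 = DLT_EN10MB
        raise ValueError("only little-endian Ethernet pcap files are handled")
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                    # not IPv4, skip it
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        dport = None
        if proto in (6, 17) and len(frame) >= 14 + ihl + 4:   # TCP or UDP
            dport, = struct.unpack_from("!H", frame, 14 + ihl + 2)
        yield src, dst, proto, dport

def top_source_subnets(data, port, n=10):
    """Rank source /24 prefixes by packets sent to the given destination port."""
    counts = Counter()
    for src, _dst, _proto, dport in parse_pcap(data):
        if dport == port:
            counts[src.rsplit(".", 1)[0]] += 1
    return counts.most_common(n)

# --- constructed sample capture (made up here, not the thread's real pcaps) ---
def _syn_frame(src, dst, dport):
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1130000000, i, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap(
    [_syn_frame("128.108.111.%d" % i, "192.0.2.10", 3434) for i in range(1, 6)]
    + [_syn_frame("64.62.170.7", "192.0.2.10", 3434)] * 3
    + [_syn_frame("198.51.100.4", "192.0.2.10", 6969)])  # other port, not counted
```

Counting by /24 rather than by single address is what makes a distributed source stand out; the same loop can group by /16 or by full address by changing the rsplit.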

