|
Hi,
Jeremy Kusnetz wrote:
It just happened again!
Damn!
This time we were running with the VIPs/32, not /proc-fs tuning. I just ran
the script that does the tuning though.
Yes, you need the proc-fs tuning because you still have more than 1024
entries for potential neighbours. If you cut down your VIPs to 3, you
might not need it anymore.
We are running mrtg, monitoring the eth1 traffic. I see in the past 2 hours
8-10 HUGE spikes of traffic, the spikes keep on getting higher and higher,
starting at 6MB/second going all the way to 14MB/second.
incoming requests only?
According to MRTG the incoming traffic is running about 2-3MB/second greater
then the outgoing. Right now after running the /proc tuning, all I see is
outgoing traffic.
Someone is really hitting you badly. Maybe you should start with a httpd
proxy or mod_rewrite. Then you can drop all the malicious requests on
this box and the webservers won't be hit that badly.
I'm pretty sure this is a spam attack. Unfortunately ntop died last night,
and I just noticed it died now, so I don't have a brake down of the ports in
use, but this patter is exactly what previous patterns of spam attacks.
Ok, do you have email SPAM attacks _and_ SSL worm attacks?
We are currently doing a full tcpdump of traffic hitting the loadbalancer.
You don't need that if you configure the snort.conf correctly. You
certainly need the payload and getting the payload with tcpdump is a bit
of a pain. Also you also need the malicious traffic which is not what
you can do with tcpdump.
<shameless plug>
http://www.unixreview.com/documents/s=1234/urm0106j/0106j.htm
</shameless plug>
I caught this on the tail end, but hopefully it will have some good info in
it.
The payload will be interesting too. You need to compare the payload
with the CVE archive of pattern matchings. Mitre has opened the archive
long time ago. Find your signatures and then we might put on some
effective countermeasures.
In the mean time, here is the full output of my diag script with everything
ratz wanted me to run (the long version) Notice dmesg is FULL of Neighbour
table overflows (I've contactinated the dmesg though since they are all the
same message)
I don't think we need it anymore since the problem is obvious. But thanks.
Best regards and tell your wife that's all my fault you needed to get
out of bed again. Blame it on me, I can take it :).
Cheers,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
| 