another seeming attack on my server's DirPort

Jan-Kaspar Münnich mail at jan-muennich.de
Thu Dec 20 18:04:18 UTC 2007


Hello,

On 19.12.2007, at 09:46, Scott Bennett wrote:

> Is anyone else having this kind of trouble, regardless of the apparent
> origin(s) of the attack(s)?

This night I saw some TCP attacks (?) reported by syslog. About one half on TOR's Dir Port, the rest on port , approximately also opened by TOR. All coming from these two IP addresses:

Dec 20 05:45:23 sokrates kernel: TCP: Treason uncloaked! Peer 74.130.148.96:25919/33467 shrinks window 2322119975:2322119976. Repaired.
[...]
Dec 20 06:04:39 sokrates kernel: TCP: Treason uncloaked! Peer 140.129.39.93:1031/9030 shrinks window 1242426870:1242428371. Repaired.

A few minutes later, the server's network connection went down:

Dec 20 06:41:12 sokrates kernel: NETDEV WATCHDOG: eth0: transmit timed out
Dec 20 06:41:15 sokrates kernel: eth0: Transmit timeout, status 0d 0000 c07f media 10.
Dec 20 06:41:15 sokrates kernel: eth0: Tx queue start entry 282389391 dirty entry 282389387.
Dec 20 06:41:15 sokrates kernel: eth0:  Tx descriptor 0 is 0008a28c.
Dec 20 06:41:15 sokrates kernel: eth0:  Tx descriptor 1 is 000805ea.
Dec 20 06:41:15 sokrates kernel: eth0:  Tx descriptor 2 is 000805ea.
Dec 20 06:41:15 sokrates kernel: eth0:  Tx descriptor 3 is 000845ea. (queue head)
Dec 20 06:41:15 sokrates kernel: eth0: link up, 100Mbps, full-duplex, lpa 0x45E1
[Repeated about every second until the server was rebooted]

I assume a correlation between these two events, although I wonder how (blocked) window shrinks could lead to this. My idea was to automatically search in syslog for window shrink events and then block the guilty IPs for 24 hours with iptables. But I hope that anybody understands what exactly was going on there...

Jan-Kaspar
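The idea at the end of the post (scan syslog for "Treason uncloaked" window-shrink events and block the responsible peers for 24 hours with iptables), written out as an added example; this is constructed code, not anything from the post, from Tor, or from the kernel. It assumes the message format that 2.6-era Linux kernels print in net/ipv4/tcp_input.c (`Peer <peer ip>:<peer port>/<local port>`), that 9030 is the relay's DirPort as in the second quoted line, and that a peer is only worth blocking after a threshold of repeated events, since a single window shrink is something a badly behaved but legitimate TCP stack can also produce. The two quoted syslog lines are taken from the post; the other sample lines, the 192.0.2.7 peer and the fixed "now" timestamp are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kernel message layout (net/ipv4/tcp_input.c, 2.6-era kernels):
#   TCP: Treason uncloaked! Peer <peer_ip>:<peer_port>/<local_port> shrinks window <snd_una>:<snd_nxt>. Repaired.
# <local_port> is our side, so 9030 here means the event hit the Tor DirPort.
TREASON_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"TCP: Treason uncloaked! Peer (?P<peer_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<peer_port>\d+)"
    r"/(?P<local_port>\d+) shrinks window (?P<snd_una>\d+):(?P<snd_nxt>\d+)\. Repaired\.$"
)

TOR_DIRPORT = 9030  # assumption: the relay's DirPort, matching the quoted log line

# Constructed sample syslog excerpt: the first two lines are the ones quoted in the
# post; the remaining lines (extra events, an unrelated NETDEV line, a 192.0.2.7 peer)
# are made up so that the threshold logic has something to decide on.
SAMPLE_SYSLOG = """\
Dec 20 05:45:23 sokrates kernel: TCP: Treason uncloaked! Peer 74.130.148.96:25919/33467 shrinks window 2322119975:2322119976. Repaired.
Dec 20 06:04:39 sokrates kernel: TCP: Treason uncloaked! Peer 140.129.39.93:1031/9030 shrinks window 1242426870:1242428371. Repaired.
Dec 20 06:05:02 sokrates kernel: TCP: Treason uncloaked! Peer 74.130.148.96:25920/9030 shrinks window 2322120001:2322120200. Repaired.
Dec 20 06:06:40 sokrates kernel: TCP: Treason uncloaked! Peer 192.0.2.7:40001/9030 shrinks window 10:11. Repaired.
Dec 20 06:07:15 sokrates kernel: TCP: Treason uncloaked! Peer 74.130.148.96:25921/9030 shrinks window 1:2. Repaired.
Dec 20 06:41:12 sokrates kernel: NETDEV WATCHDOG: eth0: transmit timed out
"""

# Constructed reference time (the moment the outage in the post began), used so the
# 24-hour expiry is reproducible instead of depending on the wall clock.
FIXED_NOW = datetime(2007, 12, 20, 6, 41)


def parse_treason_line(line):
    """Return the fields of one 'Treason uncloaked' line, or None for any other line."""
    m = TREASON_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {
        "stamp": d["stamp"],
        "host": d["host"],
        "peer_ip": d["peer_ip"],
        "peer_port": int(d["peer_port"]),
        "local_port": int(d["local_port"]),
        # How far the peer's advertised window was pulled back (snd_nxt - snd_una).
        "shrink": int(d["snd_nxt"]) - int(d["snd_una"]),
    }


def summarize(lines):
    """Aggregate events per peer IP: count, local ports hit, first and last timestamp."""
    per_peer = defaultdict(lambda: {"count": 0, "local_ports": set(), "first": None, "last": None})
    for line in lines:
        ev = parse_treason_line(line)
        if ev is None:
            continue  # not a window-shrink event; ignore NETDEV and other kernel noise
        s = per_peer[ev["peer_ip"]]
        s["count"] += 1
        s["local_ports"].add(ev["local_port"])
        s["first"] = s["first"] or ev["stamp"]
        s["last"] = ev["stamp"]
    return dict(per_peer)


def offenders(summary, threshold=3):
    """Peers with at least `threshold` events; one event alone is not worth a block."""
    return sorted(ip for ip, s in summary.items() if s["count"] >= threshold)


def block_commands(ips, now, hours=24):
    """For each peer, the iptables rule to add now and the matching rule to remove
    once the block has expired (a cron job or at(1) would run the 'remove' command)."""
    expires = (now + timedelta(hours=hours)).strftime("%Y-%m-%d %H:%M")
    return [
        {
            "ip": ip,
            "add": f"iptables -I INPUT -s {ip} -j DROP",
            "remove": f"iptables -D INPUT -s {ip} -j DROP",
            "expires": expires,
        }
        for ip in ips
    ]


def report(log_text=SAMPLE_SYSLOG, now=FIXED_NOW, threshold=3):
    """Run the whole pipeline over a syslog excerpt and return what would be blocked."""
    summary = summarize(log_text.splitlines())
    return block_commands(offenders(summary, threshold), now)


if __name__ == "__main__":
    for entry in report():
        print(f"{entry['ip']}: {entry['add']}   (until {entry['expires']})")
```

Note the DirPort column: `summarize` keeps the set of local ports per peer, so a relay operator can tell events on the DirPort apart from events on the other, ephemeral port mentioned in the post before deciding anything. The threshold is deliberate; "Treason uncloaked" only says that a peer retracted window space it had already advertised, which broken middleboxes and buggy stacks also do, and blocking on the first occurrence would lock out such clients for a day.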



More information about the tor-talk mailing list