[This followup was posted to comp.os.linux.networking and a copy was sent to the cited
author.]
In article <40c7f648$(E-Mail Removed)>,
(E-Mail Removed) says...
> run ifconfig, whats your txqueuelen (thats the total number of packets your
> network card can hold before dropping packets) ?
> maybe there are just too many packets comming in .
Here is my iconfig dump for eth0
eth0 Link encap:Ethernet HWaddr 00:02:B3:11:BC:E9
inet addr:162.113.108.69 Bcast:162.113.108.95 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:47938749 errors:0 dropped:0 overruns:0 frame:0
TX packets:45417541 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1039590368 (991.4 Mb) TX bytes:1865549550 (1779.1 Mb)
Interrupt:18 Base address:0x5000
The server has been up for about a day, so thats the total traffic.
As hopefully a stop gap method. I turned on iptables and added the following
entries in hopes that it is some sort of attack this will drop the packets.
This server is inside a large corporate firewall, so a purposely directed attack
is unlikely. Also I noticed that kernal messages indicated it was dropping packets
from everybody's IP. This may still mean a DoS attack, I don't know. If this iptables
config is screwy let me know, this is what I threw together after reading some
newsgroup messages. For what it's worth I have not seen any kernal drop messages
today, but that doesn't mean much because they stopped before I implemented the iptables.
Thanks, Mike
filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
# Allow Pings
-A INPUT -p icmp -j ACCEPT
# Accept these IP ranges.
-A INPUT -s 127.0.0.1 -j ACCEPT
# SYN flood prevention
-A INPUT -p TCP --syn -m limit --limit 5/second -j ACCEPT
# Allow Web Access
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Telnet
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p udp -m udp --dport 23 -j ACCEPT
# FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p udp -m udp --dport 21 -j ACCEPT
# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 22 -j ACCEPT
# LDM
-A INPUT -p tcp -m tcp --dport 388 -j ACCEPT
-A INPUT -p udp -m udp --dport 388 -j ACCEPT
# NOAAPORT PAN MESSAGES
-A INPUT -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -p udp -m udp --dport 5000 -j ACCEPT
# Additonal
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
COMMIT
# Completed
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
>
> Andrew
>
> ps, someone may be trying to DDoS you ... how high is your traffic ?
>
>
>
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> >
> > I am running Red Hat 8.0 with the apache web server and all of the sudden
> > I am getting the following errors, tons of them every second and the
> > web server has slowed to a crawl and not responding to requests. I
> > restarted the system and no help. Does anyone know what may be going
> > on and how to fix the problem? The server is a Dual 1GHZ Intel system and
> > gets a good deal of traffic, the kernel is 2.4.18-14smp
> >
> > from /var/log/messages
> > ...
> > Jun 9 19:20:33 wxserver5 kernel: NET: 992 messages suppressed.
> > Jun 9 19:20:33 wxserver5 kernel: NET: 992 messages suppressed.
> > Jun 9 19:20:33 wxserver5 kernel: TCP: drop open request from
> > 148.134.65.180/2715
> > Jun 9 19:20:38 wxserver5 kernel: NET: 994 messages suppressed.
> > Jun 9 19:20:38 wxserver5 kernel: NET: 994 messages suppressed.
> > Jun 9 19:20:38 wxserver5 kernel: TCP: drop open request from
> > 10.232.131.94/4727
> > Jun 9 19:20:43 wxserver5 kernel: NET: 881 messages suppressed.
> > Jun 9 19:20:43 wxserver5 kernel: NET: 881 messages suppressed.
> > Jun 9 19:20:43 wxserver5 kernel: TCP: drop open request from
> > 148.134.212.54/1870
> > Jun 9 19:20:48 wxserver5 kernel: NET: 975 messages suppressed.
> > Jun 9 19:20:48 wxserver5 kernel: NET: 975 messages suppressed.
> > Jun 9 19:20:48 wxserver5 kernel: TCP: drop open request from
> > 10.250.19.205/1584
> > ....
> >
> > All of the sudden the errors stopped, but the traffic remains fairly high.
> >
> > Mike
> >
>
>
>
Similar Threads
Linear Mode
