[CentOS] Loss of Ethernet adaptor

Fri Jun 6 13:45:28 UTC 2014
m.roth at 5-cent.us <m.roth at 5-cent.us>

James B. Byrne wrote:
> At ~07:40 (UTC-4:00) this morning our gateway host lost its WAN Ethernet
> adaptor.  Subsequent to recovery, which required a reboot, the following
> entries were found in /var/log/messages:
> Jun  6 07:39:50 gway02 kernel: PING_FLOOD: IN=eth0 OUT=
> MAC=00:25:90:61:74:c0:00
> :24:14:2b:f2:80:08:00 SRC= DST= LEN=64 TOS=0x00
> 0x00 TTL=50 ID=30954 PROTO=ICMP TYPE=8 CODE=0 ID=25496 SEQ=0
> Jun  6 07:39:53 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1
> SRC=

Well, let's start with you being probed/attacked from China: whois
inetnum: -
netname:        CHINANET-ZJ-HZ
country:        CN
descr:          CHINANET-ZJ Hangzhou node network
descr:          Zhejiang Telecom
role:           CHINANET-ZJ Hangzhou
address:        No.352 Tiyuchang Road,Hangzhou,Zhejiang.310003
country:        CN
phone:          +86-571-85157929
fax-no:         +86-571-85102776
e-mail:         anti_spam at mail.hz.zj.cn
remarks:        send spam reports to anti_spam at mail.hz.zj.cn
remarks:        and abuse reports to anti_spam at mail.hz.zj.cn

> DST= LEN=52 TOS=0x08 PREC=0x20 TTL=45 ID=26123 DF
> =54197 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
> Jun  6 07:40:49 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1
> SRC=

And whois reports the puppy above is not only from Hong Kong, but
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:        This object can only be updated by APNIC hostmasters.
remarks:        To update this object, please contact APNIC
remarks:        hostmasters and include your organisation's account
remarks:        name in the subject line.
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+

which suggests that the IP or range or domain is an ex....
So, next question is, is the card working again? If so, then this is an
attack I've not heard of, that affects what's this, layer 0?
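
Added example, not part of the original thread: one way to check whether the netfilter LOG entries in the minutes before the outage were unusual is to parse them and count them by rule prefix, source and service. The sample lines, the RFC 5737 addresses, the 07:41 cut-off and the function names `parse_line` and `summarize` are all constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the netfilter LOG format quoted in the post. Addresses
# come from the RFC 5737 documentation ranges; none are from the original logs.
SAMPLE = """\
Jun  6 07:12:10 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=52 TOS=0x08 PREC=0x20 TTL=45 ID=26001 DF PROTO=TCP SPT=54100 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jun  6 07:39:50 gway02 kernel: PING_FLOOD: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=30954 PROTO=ICMP TYPE=8 CODE=0 ID=25496 SEQ=0
Jun  6 07:39:53 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=52 TOS=0x08 PREC=0x20 TTL=45 ID=26123 DF PROTO=TCP SPT=54197 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jun  6 07:40:49 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=52 TOS=0x08 PREC=0x20 TTL=45 ID=26130 DF PROTO=TCP SPT=54201 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jun  6 07:41:02 gway02 ntpd[1234]: constructed non-netfilter line
"""

LOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) kernel: (\w+): (IN=.*)$")

def parse_line(line, year=2014):
    """Return a dict for one netfilter LOG line, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    stamp, host, prefix, rest = m.groups()
    # syslog timestamps carry no year, so the caller supplies it.
    rec = {"time": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
           "host": host, "prefix": prefix}
    for token in rest.split():
        key, eq, value = token.partition("=")
        # Bare tokens (DF, SYN) are flags. ICMP lines repeat ID= (IP id, then
        # ICMP id); setdefault keeps the first occurrence.
        rec.setdefault(key, value if eq else True)
    return rec

def summarize(text, end, minutes=10):
    """Count (prefix, source, service) for entries in the window before `end`."""
    start = end - timedelta(minutes=minutes)
    counts = Counter()
    for rec in filter(None, map(parse_line, text.splitlines())):
        if start <= rec["time"] <= end:
            service = f'{rec.get("PROTO")}/{rec.get("DPT") or rec.get("TYPE")}'
            counts[(rec["prefix"], rec.get("SRC"), service)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE, datetime(2014, 6, 6, 7, 41)).most_common():
        print(n, *key)
```

Running the same count over an earlier window of the same length gives a baseline to compare the pre-outage minutes against.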