James B. Byrne wrote:
> At ~07:40 (UTC-4:00) this morning our gateway host lost its WAN Ethernet
> adaptor. Subsequent to recovery, which required a reboot, the following
> entries were found in /var/log/messages:
>
> Jun 6 07:39:50 gway02 kernel: PING_FLOOD: IN=eth0 OUT=
> MAC=00:25:90:61:74:c0:00
> :24:14:2b:f2:80:08:00 SRC=74.205.112.125 DST=216.185.71.33 LEN=64 TOS=0x00
> PREC=
> 0x00 TTL=50 ID=30954 PROTO=ICMP TYPE=8 CODE=0 ID=25496 SEQ=0
> Jun 6 07:39:53 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1
> SRC=122.235.101.24

Well, let's start with you being probed/attacked from China:

whois 122.235.101.24
<snip>
inetnum:        122.235.0.0 - 122.235.127.255
netname:        CHINANET-ZJ-HZ
country:        CN
descr:          CHINANET-ZJ Hangzhou node network
descr:          Zhejiang Telecom
<...>
role:           CHINANET-ZJ Hangzhou
address:        No.352 Tiyuchang Road,Hangzhou,Zhejiang.310003
country:        CN
phone:          +86-571-85157929
fax-no:         +86-571-85102776
e-mail:         anti_spam at mail.hz.zj.cn
remarks:        send spam reports to anti_spam at mail.hz.zj.cn
remarks:        and abuse reports to anti_spam at mail.hz.zj.cn

> DST=216.185.71.249 LEN=52 TOS=0x08 PREC=0x20 TTL=45 ID=26123 DF
> PROTO=TCP SPT
> =54197 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
> Jun 6 07:40:49 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1
> SRC=183.179.211.126

And whois reports the puppy above is not only from Hong Kong, but

remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:        This object can only be updated by APNIC hostmasters.
remarks:        To update this object, please contact APNIC
remarks:        hostmasters and include your organisation's account
remarks:        name in the subject line.
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+

which suggests that the IP or range or domain is an ex....
<snip>

So, next question is, is the card working again? If so, then this is an
attack I've not heard of, that affects what's this, layer 0?

        mark
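
Added example, not part of the original message: one way to rejoin the mail-wrapped netfilter LOG entries quoted above and tally them by rule prefix, source, protocol and destination port, so the sources worth a whois lookup stand out. The sample log (documentation addresses, made-up MAC and hostname), the function names and the unwrap heuristic are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format quoted above (documentation addresses),
# keeping the mail-style wrapping that splits one entry across lines.
SAMPLE = """\
Jun  6 07:39:50 gw kernel: PING_FLOOD: IN=eth0 OUT=
MAC=00:00:5e:00:53:01:00
:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.33 LEN=64 TOS=0x00
PREC=
0x00 TTL=50 ID=30954 PROTO=ICMP TYPE=8 CODE=0 ID=25496 SEQ=0
Jun  6 07:39:53 gw kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1
SRC=203.0.113.24 DST=198.51.100.249 LEN=52 TTL=45 ID=26123 DF PROTO=TCP SPT
=54197 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jun  6 07:40:49 gw kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1
SRC=203.0.113.24 DST=198.51.100.250 LEN=52 PROTO=TCP SPT=54198 DPT=445 SYN
"""
HEADER = re.compile(r"^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d \S+ kernel: (\w+): ")
KEY_START = re.compile(r"^[A-Z]+=")

def unwrap(text):
    """Rejoin wrapped entries; a line without a syslog header is a continuation.
    Heuristic: one starting with KEY= opens a new field (join with a space),
    anything else was cut mid-token (join directly)."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if HEADER.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += (" " if KEY_START.match(line) else "") + line
    return entries

def parse(entry):
    """Rule prefix plus KEY=value fields; the IP-header ID= wins over ICMP ID=."""
    m = HEADER.match(entry)
    if not m:
        return None
    fields = {"PREFIX": m.group(1)}
    for key, value in re.findall(r"\b([A-Z]+)=(\S*)", entry[m.end():]):
        fields.setdefault(key, value)
    return fields

def summarize(text):
    """Count entries per (prefix, source, protocol, destination port)."""
    tally = Counter()
    for fields in filter(None, map(parse, unwrap(text))):
        key = ("PREFIX", "SRC", "PROTO", "DPT")
        tally[tuple(fields.get(k) for k in key)] += 1
    return tally
```

Calling summarize() on the text of /var/log/messages gives a Counter whose most_common() output lists the busiest prefix/source pairs first.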