[CentOS] Loss of Ethernet adaptor

m.roth at 5-cent.us m.roth at 5-cent.us
Fri Jun 6 13:45:28 UTC 2014


James B. Byrne wrote:
> At ~07:40 (UTC-4:00) this morning our gateway host lost its WAN Ethernet
> adaptor.  Subsequent to recovery, which required a reboot, the following
> entries were found in /var/log/messages:
>
> Jun  6 07:39:50 gway02 kernel: PING_FLOOD: IN=eth0 OUT= MAC=00:25:90:61:74:c0:00:24:14:2b:f2:80:08:00 SRC=74.205.112.125 DST=216.185.71.33 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=30954 PROTO=ICMP TYPE=8 CODE=0 ID=25496 SEQ=0
> Jun  6 07:39:53 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1 SRC=122.235.101.24

Well, let's start with you being probed/attacked from China: whois
122.235.101.24
<snip>
inetnum:        122.235.0.0 - 122.235.127.255
netname:        CHINANET-ZJ-HZ
country:        CN
descr:          CHINANET-ZJ Hangzhou node network
descr:          Zhejiang Telecom
<...>
role:           CHINANET-ZJ Hangzhou
address:        No.352 Tiyuchang Road,Hangzhou,Zhejiang.310003
country:        CN
phone:          +86-571-85157929
fax-no:         +86-571-85102776
e-mail:         anti_spam at mail.hz.zj.cn
remarks:        send spam reports to anti_spam at mail.hz.zj.cn
remarks:        and abuse reports to anti_spam at mail.hz.zj.cn

> DST=216.185.71.249 LEN=52 TOS=0x08 PREC=0x20 TTL=45 ID=26123 DF PROTO=TCP SPT=54197 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
> Jun  6 07:40:49 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1 SRC=183.179.211.126

And whois reports the puppy above is not only from Hong Kong, but
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:        This object can only be updated by APNIC hostmasters.
remarks:        To update this object, please contact APNIC
remarks:        hostmasters and include your organisation's account
remarks:        name in the subject line.
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+

which suggests that the IP or range or domain is an ex....
<snip>
So, next question is, is the card working again? If so, then this is an
attack I've not heard of, that affects what's this, layer 0?

       mark
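A small triage parser for the netfilter LOG lines quoted in this thread (an added example, not code from the thread or from CentOS): it splits the key=value fields, keeps the bare flags such as DF and SYN, and counts hits per log prefix, protocol and port so you can see at a glance whether the logged traffic amounts to anything beyond routine probing. The sample log is constructed by rejoining the quoted lines; the third entry is made up to give the summary something to count.

```python
import re
from collections import Counter

# Constructed sample of netfilter LOG output. The first two lines are the
# ones quoted in the thread, rejoined where the mail client wrapped them;
# the third is a made-up repeat of the probe from the other source the
# thread mentions, so the summary has something to count.
SAMPLE_LOG = """\
Jun  6 07:39:50 gway02 kernel: PING_FLOOD: IN=eth0 OUT= MAC=00:25:90:61:74:c0:00:24:14:2b:f2:80:08:00 SRC=74.205.112.125 DST=216.185.71.33 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=30954 PROTO=ICMP TYPE=8 CODE=0 ID=25496 SEQ=0
Jun  6 07:39:53 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1 SRC=122.235.101.24 DST=216.185.71.249 LEN=52 TOS=0x08 PREC=0x20 TTL=45 ID=26123 DF PROTO=TCP SPT=54197 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jun  6 07:40:49 gway02 kernel: PROBE_BLACKIST: IN=eth0 OUT=eth1 SRC=183.179.211.126 DST=216.185.71.249 LEN=52 TOS=0x08 PREC=0x20 TTL=45 ID=1 DF PROTO=TCP SPT=1025 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, "kernel:", the --log-prefix text, then the fields
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>[^:]*?): (?P<rest>.*)$"
)

def parse_line(line):
    """Return {'ts','host','prefix','fields','flags'}, or None when the line
    does not match (not a kernel line, or logged without a --log-prefix)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            # ICMP echo lines carry ID twice (IP header ID, then echo ID);
            # keep the first so the IP-level value is not overwritten.
            fields.setdefault(k, v)
        else:
            flags.add(tok)          # bare tokens such as DF, SYN, ACK
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": m.group("prefix"), "fields": fields, "flags": flags}

def summarize(log_text):
    """Count entries per (log prefix, protocol, destination port or ICMP type)."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        f = e["fields"]
        counts[(e["prefix"], f.get("PROTO"), f.get("DPT", f.get("TYPE")))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Feed it `/var/log/messages` (or the output of `journalctl -k`) instead of the sample to get the same per-prefix breakdown for a real day.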
