On Mon, May 16, 2011 at 10:27:17PM +0200, RLW wrote:
| On 2011-05-16 16:29, RLW wrote:
| >Hello,
| >
| >I need help to diagnose where the problem is...
| >
| >Below you can see traceroute and ping to facebook.com but the same
| >happens with other domains.
| >
| >I restarted router, logs show no errors.
| >
| >
| >OpenBSD 4.8
| >
| >#traceroute facebook.com
| >traceroute: Warning: facebook.com has multiple addresses; using
| >69.63.189.16
| >traceroute to facebook.com (69.63.189.16), 64 hops max, 40 byte packets
| >sendto: No route to host
| >1 traceroute: wrote facebook.com 40 chars, ret=-1
| >*sendto: No route to host
| >traceroute: wrote facebook.com 40 chars, ret=-1
| >^C
| >
| ># ping facebook.com
| >PING facebook.com (69.63.189.11): 56 data bytes
| >ping: sendto: No route to host
| >ping: wrote facebook.com 64 chars, ret=-1
| >ping: sendto: No route to host
| >ping: wrote facebook.com 64 chars, ret=-1
| >64 bytes from 69.63.189.11: icmp_seq=2 ttl=244 time=113.365 ms
| >64 bytes from 69.63.189.11: icmp_seq=3 ttl=244 time=113.294 ms
| >64 bytes from 69.63.189.11: icmp_seq=4 ttl=244 time=113.567 ms
| >64 bytes from 69.63.189.11: icmp_seq=5 ttl=244 time=113.546 ms
| >64 bytes from 69.63.189.11: icmp_seq=6 ttl=244 time=113.435 ms
| >64 bytes from 69.63.189.11: icmp_seq=7 ttl=244 time=113.948 ms
| >--- facebook.com ping statistics ---
| >8 packets transmitted, 6 packets received, 25.0% packet loss
| >round-trip min/avg/max/std-dev = 113.294/113.525/113.948/0.483 ms
| >
| >
| >best regards,
| >RLW
| >
| >
|
| I see that for more than 24h, inserts and removals in the state table
| have been higher than normal:
|
| State Table                        Total             Rate
|   current entries                     8876
|   searches                        53632700         2157.6/s
|   inserts                          4318144          173.7/s
|   removals                         4309268          173.4/s
| Counters
|   match                            4673697          188.0/s
|
| There are many connections like this:
| all tcp AAA.AA.AAA.AAA:62146 (BBB.BBB.BB.B:59475) ->
| CCC.CC.CC.CCC:6667 TIME_WAIT:TIME_WAIT
| all tcp CCC.CC.CC.CCC:6667 <- BBB.BBB.BB.B:59476 TIME_WAIT:TIME_WAIT
|
| CCC.CC.CC.CCC:6667 is some SVN server...
|
| My questions are:
| 1. Do so many connections to some unknown svn server look
| suspicious? Or is it normal behaviour when connected to an svn server?
| 2. Could so many inserts/removals cause problems with ping and
| traceroute? And DNS (problems/slow resolving)?
| 3. what can be done to tune router and get higher inserts/removals rate?
'some SVN server' seems more like an IRC server that NATted machines
(AAA.AA.AAA.AAA) in your network are connecting to (a botnet,
perhaps?)
So, yeah:
1. definitely suspicious
2. yes, that could be
3. well, if it is indeed local machines connecting to a botnet, you
can "tune" your network by disconnecting it from the rest of the
internet and cleaning that shit up. Do the rest of us a favour.
Don't try and provide better "service" to the (d)DoS software running
on the infected hosts on your network.
Note that this is all quite a bit of speculation. As you've not given
any details on what it is you're doing (as I suggested in my previous
reply), this is what my crystal orb came up with. It's been acting up
recently - it may be dying. If you recently received a fridge and a
car, you know I'm totally wrong here.
Paul 'WEiRD' de Weerd
--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
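The reply above reasons from two things in the quoted `pfctl` output: the destination port (6667, conventionally IRC, not Subversion) and the pattern of many short-lived states from inside the NAT to one remote host. The following Python is an added example, not code from either poster or from OpenBSD: it parses `pfctl -ss` lines in the layout the thread quotes, folds the per-interface duplicates into one connection each, and reports remote services that several internal hosts keep reconnecting to, with the reasons a defender would note. The sample states are constructed (the thread's placeholder addresses plus made-up internal hosts and a web and DNS entry); the IRC port list and the thresholds are assumptions. It also computes the average state lifetime from the quoted "current entries" and "inserts" figures using Little's law, which is what links the churn to the state-table counters in question 2.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of `pfctl -ss` on OpenBSD 4.8, modelled on the two
# lines quoted in the thread. The placeholder addresses are the thread's own; the extra
# internal hosts, ports and the 69.63.189.11:80 / 192.0.2.53:53 entries are made up.
SAMPLE_STATES = """\
all tcp AAA.AA.AAA.AAA:62146 (BBB.BBB.BB.B:59475) -> CCC.CC.CC.CCC:6667 TIME_WAIT:TIME_WAIT
all tcp CCC.CC.CC.CCC:6667 <- BBB.BBB.BB.B:59476 TIME_WAIT:TIME_WAIT
all tcp AAA.AA.AAA.AAA:62147 (BBB.BBB.BB.B:59477) -> CCC.CC.CC.CCC:6667 TIME_WAIT:TIME_WAIT
all tcp AAA.AA.AAA.AAA:62148 (BBB.BBB.BB.B:59478) -> CCC.CC.CC.CCC:6667 ESTABLISHED:ESTABLISHED
all tcp AAA.AA.AAA.AAA:62149 (BBB.BBB.BB.C:41002) -> CCC.CC.CC.CCC:6667 TIME_WAIT:TIME_WAIT
all tcp AAA.AA.AAA.AAA:62150 (BBB.BBB.BB.C:41003) -> CCC.CC.CC.CCC:6667 TIME_WAIT:TIME_WAIT
all tcp AAA.AA.AAA.AAA:62151 (BBB.BBB.BB.D:50010) -> 69.63.189.11:80 ESTABLISHED:ESTABLISHED
all udp AAA.AA.AAA.AAA:53011 (BBB.BBB.BB.D:53011) -> 192.0.2.53:53 MULTIPLE:SINGLE
"""

# Ports conventionally used by IRC (assumed list); a hint, not proof by itself.
IRC_PORTS = {6667, 6668, 6669, 6697}

# iface proto left [(nat)] -> right state    |    iface proto left <- right state
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)"
    r"(?:\s+\((?P<nat>\S+)\))?\s+(?P<dir>->|<-)\s+(?P<right>\S+)\s+(?P<state>\S+)$"
)


def split_endpoint(endpoint):
    """'host:port' -> (host, port); rpartition keeps this safe for the placeholders."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_state(line):
    """Parse one pfctl -ss line into who (inside) talks to whom (outside)."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    if m["dir"] == "->":
        # Outbound form: the parenthesised address is the pre-NAT internal source.
        src, dst = m["nat"] or m["left"], m["right"]
    else:
        # Inbound form 'dst <- src': the remote peer is written on the left.
        src, dst = m["right"], m["nat"] or m["left"]
    shost, sport = split_endpoint(src)
    dhost, dport = split_endpoint(dst)
    return {"proto": m["proto"], "src": shost, "sport": sport,
            "dst": dhost, "dport": dport, "state": m["state"]}


def find_suspicious(lines, min_conns=2):
    """Group states by remote service and report the ones showing reconnect churn."""
    states = [s for s in map(parse_state, lines) if s]
    # The same connection appears once per interface it crosses; keep one copy.
    unique = {(s["proto"], s["src"], s["sport"], s["dst"], s["dport"]): s
              for s in states}
    hosts = defaultdict(set)
    conns, timewait = Counter(), Counter()
    for s in unique.values():
        service = f'{s["dst"]}:{s["dport"]}'
        hosts[service].add(s["src"])
        conns[service] += 1
        if "TIME_WAIT" in s["state"]:
            timewait[service] += 1
    findings = []
    for service, n in conns.items():
        if n < min_conns:
            continue
        port = split_endpoint(service)[1]
        notes = []
        if port in IRC_PORTS:
            notes.append("IRC port")
        if len(hosts[service]) > 1:
            notes.append("several internal hosts")
        if timewait[service] >= n // 2:
            notes.append("mostly TIME_WAIT (short-lived reconnects)")
        findings.append({"service": service, "connections": n,
                         "internal_hosts": sorted(hosts[service]),
                         "time_wait": timewait[service], "notes": notes})
    return sorted(findings, key=lambda f: -f["connections"])


def mean_state_lifetime(current_entries, insert_rate):
    """Little's law: average state lifetime in seconds = entries / insert rate."""
    return current_entries / insert_rate


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_STATES.splitlines()):
        print(finding)
    # Figures from the quoted `pfctl -si` output in the thread.
    print("mean state lifetime: %.1f s" % mean_state_lifetime(8876, 173.7))
```

On a live router the input would be `pfctl -ss` piped into this script; the report names the internal hosts (the pre-NAT addresses in parentheses) rather than the gateway address, which is what you need to find and isolate the machines behind the churn. The lifetime figure is only an average across all states, but a few tens of seconds with most states sitting in TIME_WAIT is consistent with the short, repeated connections the reply describes rather than with long-lived SVN sessions.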