Current-Users archive
Network attack?

Still looking for why my machine has been crashing lately, at random
intervals. Earlier investigation shows that I might be having some
issues with mbuf allocation.

After another recent episode, I took a look at netstat, and there are a
lot of "sessions" to/from random ports that are sitting in TIME_WAIT
state.

tcp 0 0 50.193.51.18.54799 203.117.37.103.16881 ESTABLISHED
tcp 0 0 50.193.51.18.54824 210.195.54.16.10756 ESTABLISHED
tcp 0 0 50.193.51.18.54847 177.0.114.79.16882 TIME_WAIT
tcp 0 0 50.193.51.18.54868 78.243.79.149.24781 TIME_WAIT
tcp 0 0 50.193.51.18.54902 83.47.147.216.11682 TIME_WAIT
tcp 0 0 50.193.51.18.54912 115.176.3.138.27756 TIME_WAIT
tcp 0 0 50.193.51.18.54915 61.70.209.236.24138 TIME_WAIT
tcp 0 0 50.193.51.18.54934 119.175.222.99.22961 TIME_WAIT
tcp 0 0 50.193.51.18.54957 182.169.96.14.26732 TIME_WAIT
tcp 0 0 50.193.51.18.54964 125.89.74.137.51413 TIME_WAIT
tcp 0 0 50.193.51.18.54965 218.251.60.136.8589 TIME_WAIT
tcp 0 0 50.193.51.18.55083 121.94.20.162.7227 TIME_WAIT
tcp 0 0 50.193.51.18.55251 203.117.37.106.16884 TIME_WAIT
tcp 0 0 50.193.51.18.55291 218.229.255.118.14143 TIME_WAIT
tcp 0 0 50.193.51.18.55302 94.45.177.196.11866 TIME_WAIT
tcp 0 0 50.193.51.18.55310 124.8.223.90.16884 TIME_WAIT
tcp 0 0 50.193.51.18.55324 203.140.186.130.7830 TIME_WAIT
tcp 0 0 50.193.51.18.55390 210.201.124.126.9311 TIME_WAIT
tcp 0 0 50.193.51.18.55479 190.17.176.48.25613 TIME_WAIT
tcp 0 0 50.193.51.18.55488 213.7.152.236.19578 TIME_WAIT
tcp 0 0 50.193.51.18.55510 174.97.159.182.13422 TIME_WAIT
tcp 0 0 50.193.51.18.55557 58.137.4.25.20784 TIME_WAIT
tcp 0 0 50.193.51.18.55612 124.8.223.143.16882 TIME_WAIT
tcp 0 0 50.193.51.18.55625 200.233.97.23.16882 TIME_WAIT
tcp 0 0 50.193.51.18.55710 113.252.209.81.25529 TIME_WAIT

My understanding of TIME_WAIT state is that a connection has recently
disconnected. Which implies that the connection was previously in the
ESTABLISHED state.

So where the heck are all these random connections coming from? And why
would they ever have been ESTABLISHED in the first place?

:)

-------------------------------------------------------------------------
| Paul Goyette | PGP Key fingerprint: | E-mail addresses: |
| Customer Service | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com |
| Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette at juniper.net |
| Kernel Developer | | pgoyette at netbsd.org |
-------------------------------------------------------------------------
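
Added example, not part of the original post: a triage sketch that tallies BSD-style netstat -n lines by TCP state and guesses each connection's direction from its local port (a local port that also appears as a LISTEN socket suggests an accepted connection; a local port in the ephemeral range suggests one this host opened). The sample lines are constructed with documentation addresses, and the 49152-65535 ephemeral range is an assumption about the system's anonymous port settings.

```python
from collections import Counter

# Assumption: anonymous (ephemeral) port range; check the sysctl values on the host.
EPHEMERAL = range(49152, 65536)

# Constructed sample in BSD "addr.port" layout, using documentation addresses.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.0.2.10.54799 198.51.100.7.16881 ESTABLISHED
tcp 0 0 192.0.2.10.54847 203.0.113.9.16882 TIME_WAIT
tcp 0 0 192.0.2.10.54868 203.0.113.20.24781 TIME_WAIT
tcp 0 0 192.0.2.10.22 198.51.100.30.61022 ESTABLISHED
tcp 0 0 192.0.2.10.6881 203.0.113.44.50123 TIME_WAIT
tcp 0 0 *.22 *.* LISTEN
"""

def split_endpoint(endpoint):
    """Split 'addr.port' on the last dot; a wildcard port becomes None."""
    addr, _, port = endpoint.rpartition(".")
    return addr, (int(port) if port.isdigit() else None)

def parse(text):
    """Return (local_port, remote_addr, remote_port, state) for each TCP line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue  # header line or a non-TCP socket
        _, lport = split_endpoint(fields[3])
        raddr, rport = split_endpoint(fields[4])
        rows.append((lport, raddr, rport, fields[5]))
    return rows

def classify(rows):
    """Count (direction, state) pairs; direction is a heuristic, not proof."""
    listeners = {lport for lport, _, _, state in rows if state == "LISTEN"}
    tally = Counter()
    for lport, _, _, state in rows:
        if state == "LISTEN":
            continue
        if lport in listeners:
            direction = "inbound"    # accepted on a listening port
        elif lport in EPHEMERAL:
            direction = "outbound"   # local side picked an ephemeral port
        else:
            direction = "unknown"    # listener not in the capture (no -a) or already gone
        tally[(direction, state)] += 1
    return tally

if __name__ == "__main__":
    for key, count in sorted(classify(parse(SAMPLE)).items()):
        print(*key, count)
```

Feed it the output of netstat -an so that LISTEN sockets are present; without them, accepted connections fall into the "unknown" bucket.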