[nos-bbs] Crashing every 4 days?
Gustavo Ponza
g.ponza at tin.it
Fri Sep 13 05:47:57 EDT 2013
... resent without the attached .png since the email is being held
gus
----------------------start of original msg-------------------
All correct, Maiko.
However, I experienced only sporadic JNOS crashes, over the
years, probably caused by some forms of overflows, ...
The new entry attacker just booked on my 'linux-hotel' is:
xplodin.com. 39590 IN SOA ns1.xplodin.com. cocks.xplodin.com. 2012291001 28800 86400 3600000 86400
-------------
Generally, one address is dedicated to query (cache) on my DNS
server:
Sep 13 02:24:02 i0ojj named[3004]: client 122.136.196.117#16541: query (cache) 'a.packetdevil.com/A/IN' denied
Sep 13 02:28:46 i0ojj named[3004]: client 122.136.196.117#40072: query (cache) 'a.packetdevil.com/A/IN' denied
Sep 13 02:28:46 i0ojj named[3004]: client 122.136.196.117#53385: query (cache) 'a.packetdevil.com/A/IN' denied
Sep 13 04:47:09 i0ojj named[3004]: client 122.136.196.117#35704: query (cache) 'a.packetdevil.com/A/IN' denied
Sep 13 05:22:20 i0ojj named[3004]: client 64.236.64.139#63105: query (cache) 'dnsscan.shadowserver.org/A/IN' denied
Sep 13 05:23:47 i0ojj named[3004]: client 122.136.196.117#7837: query (cache) 'a.packetdevil.com/A/IN' denied
Sep 13 05:47:00 i0ojj named[3004]: client 122.136.196.117#60894: query (cache) 'a.packetdevil.com/A/IN' denied
Sep 13 06:24:09 i0ojj named[3004]: client 122.136.196.117#56131: query (cache) 'a.packetdevil.com/A/IN' denied
Sep 13 06:28:58 i0ojj named[3004]: client 122.136.196.117#40245: query (cache) 'a.packetdevil.com/A/IN' denied
Others are attempting to discover open HTTP/TCP ports, etc.
Perhaps the best idea of the massive attack on my hamradio
server is given by the attached mrtg graph: note some of the
very high peaks photographed (occasionally) at a 5-minute
rate (i.e. the maximum possible mrtg cadence) :)
gus
Maiko Langelaar wrote:
> Hey Don,
>
>> 16:03:41.170975 IP 93.115.85.4.60946 > 192.168.1.150.53:
>
> It would seem that you have packets being directed at port 53
> of your tun0 interface (JNOS). If you lookup port 53, you will
> see it is a port used for DNS lookup requests.
>
> That in itself is normal I suppose. Perhaps JNOS is being overwhelmed
> by requests or they are badly formatted requests causing JNOS to crash,
> or perhaps this is not the trace related to the crash at all. We're
> also assuming that the crash is due to network traffic? Maybe it's
> something else.
>
> Hopefully we'll see what your GDB reports if it crashes again.
>
> Maiko
>
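Added example (not part of the original message, and not JNOS or BIND code): a short Python script that tallies the "query (cache) ... denied" entries of the kind shown in the named log above, per client address, after rejoining entries that a mail client wrapped onto a second line. The sample log is constructed with documentation addresses and names; the function names and the threshold of 3 are assumptions.

```python
import re
from collections import Counter, defaultdict

# BIND entry format as shown in the message: client IP#port, qname/type/class.
DENIED = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
    r"query \(cache\) '(?P<name>[^/']+)/\w+/\w+' denied"
)
STARTS_ENTRY = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d ")

def unwrap(text):
    """Rejoin log entries that were wrapped onto a continuation line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STARTS_ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize(text, threshold=3):
    """Return (denials per client, names asked per client, repeat clients)."""
    counts, names = Counter(), defaultdict(set)
    for entry in unwrap(text):
        m = DENIED.match(entry)
        if m:
            counts[m["ip"]] += 1
            names[m["ip"]].add(m["name"])
    repeat = sorted(ip for ip, n in counts.items() if n >= threshold)
    return counts, names, repeat

# Constructed sample: same layout as the log in the message, wrapped as mailed.
SAMPLE = """\
Sep 13 02:24:02 host named[3004]: client 192.0.2.10#16541: query
(cache) 'a.example.net/A/IN' denied
Sep 13 02:28:46 host named[3004]: client 192.0.2.10#40072: query
(cache) 'a.example.net/A/IN' denied
Sep 13 04:47:09 host named[3004]: client 192.0.2.10#35704: query (cache) 'a.example.net/A/IN' denied
Sep 13 05:00:00 host named[3004]: zone example.org/IN: loaded serial 5
Sep 13 05:22:20 host named[3004]: client 198.51.100.7#63105: query
(cache) 'scan.example.org/A/IN' denied
"""

if __name__ == "__main__":
    counts, names, repeat = summarize(SAMPLE)
    for ip, n in counts.most_common():
        print(ip, n, sorted(names[ip]), "REPEAT" if ip in repeat else "")
```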