From: "Toralf Förster" <toralf.foerster@gmx.de>
To: Linux Kernel <linux-kernel@vger.kernel.org>
Subject: network card doesn't recovered itself after a SYN flooding attack
Date: Sun, 22 Nov 2015 11:51:23 +0100
Message-ID: <56519E2B.8050500@gmx.de>

On the 22nd of November at 21:26 UTC my server (64-bit stable Gentoo hardened) suffered from a DDoS attack.
From the kern.log:
Nov 20 22:26:29 tor-relay kernel: [2431358.124515] TCP: request_sock_TCP: Possible SYN flooding on port 80. Sending cookies. Check SNMP counters.
Nov 20 22:26:48 tor-relay kernel: [2431377.216133] ------------[ cut here ]------------
Nov 20 22:26:48 tor-relay kernel: [2431377.216141] WARNING: CPU: 7 PID: 12421 at net/sched/sch_generic.c:303 dev_watchdog+0x272/0x280()
Nov 20 22:26:48 tor-relay kernel: [2431377.216143] NETDEV WATCHDOG: enp3s0 (r8169): transmit queue 0 timed out
Nov 20 22:26:48 tor-relay kernel: [2431377.216145] Modules linked in:
Nov 20 22:26:48 tor-relay kernel: [2431377.216148] af_packet nf_log_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables nf_log_ipv4 nf_log_common xt_LOG xt_multiport nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack iptable_filter ip_tables i2c_i801 i2c_core tpm_tis tpm thermal processor battery atkbd x86_pkg_temp_thermal button microcode fan
Nov 20 22:26:48 tor-relay kernel: [2431377.216173] CPU: 7 PID: 12421 Comm: emerge Not tainted 4.1.7-hardened-r1 #1
Nov 20 22:26:48 tor-relay kernel: [2431377.216174] Hardware name: System manufacturer System Product Name/P8H77-M PRO, BIOS 0922 09/10/2012
Nov 20 22:26:48 tor-relay kernel: [2431377.216176] ffffffff994fa966 0000000000000000 ffffffff99bced09 ffff88041fbc3d18
Nov 20 22:26:48 tor-relay kernel: [2431377.216179] ffffffff99983e26 0000000000000000 ffff88041fbc3d68 ffff88041fbc3d58
Nov 20 22:26:48 tor-relay kernel: [2431377.216182] ffffffff9947f08a ffff88041fbc3d48 ffffffff99bced09 000000000000012f
Nov 20 22:26:48 tor-relay kernel: [2431377.216185] Call Trace:
Nov 20 22:26:48 tor-relay kernel: [2431377.216187] [] ? print_modules+0x76/0xe0
Nov 20 22:26:48 tor-relay kernel: [2431377.216198] [] dump_stack+0x45/0x5d
Nov 20 22:26:48 tor-relay kernel: [2431377.216203] [] warn_slowpath_common+0x8a/0xd0
Nov 20 22:26:48 tor-relay kernel: [2431377.216205] [] warn_slowpath_fmt+0x5a/0x70
Nov 20 22:26:48 tor-relay kernel: [2431377.216210] [] ? task_tick_fair+0x2a8/0x760
Nov 20 22:26:48 tor-relay kernel: [2431377.216213] [] dev_watchdog+0x272/0x280
Nov 20 22:26:48 tor-relay kernel: [2431377.216216] [] ? dev_deactivate_queue+0x70/0x70
Nov 20 22:26:48 tor-relay kernel: [2431377.216219] [] call_timer_fn+0x47/0x140
Nov 20 22:26:48 tor-relay kernel: [2431377.216222] [] run_timer_softirq+0x291/0x450
Nov 20 22:26:48 tor-relay kernel: [2431377.216224] [] ? dev_deactivate_queue+0x70/0x70
Nov 20 22:26:48 tor-relay kernel: [2431377.216228] [] __do_softirq+0xf8/0x290
Nov 20 22:26:48 tor-relay kernel: [2431377.216230] [] irq_exit+0x9d/0xb0
Nov 20 22:26:48 tor-relay kernel: [2431377.216235] [] smp_apic_timer_interrupt+0x55/0x70
Nov 20 22:26:48 tor-relay kernel: [2431377.216237] [] apic_timer_interrupt+0x97/0xa0
Nov 20 22:26:48 tor-relay kernel: [2431377.216239]
Nov 20 22:26:48 tor-relay kernel: [2431377.216241] ---[ end trace 93431a9382c0a11a ]---
Nov 20 22:26:48 tor-relay kernel: [2431377.237826] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:28:18 tor-relay kernel: [2431467.175659] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:28:30 tor-relay kernel: [2431479.172562] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:28:42 tor-relay kernel: [2431491.164472] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:28:54 tor-relay kernel: [2431503.170416] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:29:06 tor-relay kernel: [2431515.148333] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:29:18 tor-relay kernel: [2431527.143293] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:29:30 tor-relay kernel: [2431539.142164] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:29:42 tor-relay kernel: [2431551.124104] r8169 0000:03:00.0 enp3s0: link up
...
Nov 22 10:56:24 tor-relay kernel: [2562675.624512] r8169 0000:03:00.0 enp3s0: link up
The last line repeated and the network was down till I initiated a hardware reset.
It looks to me as if the attack put the network card into a state from which it couldn't recover by itself, or?
Is there anything I should change on the system to avoid such a hang?
--
Toralf, pgp key: C4EACDDE 0076E94E