From: Daniel Borkmann <daniel@iogearbox.net>
To: romieu@fr.zoreil.com, vinschen@redhat.com
Cc: "Toralf Förster" <toralf.foerster@gmx.de>,
	"Linux Kernel" <linux-kernel@vger.kernel.org>,
	netdev@vger.kernel.org, nic_swsd@realtek.com
Subject: Re: network card doesn't recovered itself after a SYN flooding attack
Date: Mon, 23 Nov 2015 10:54:16 +0100
Message-ID: <5652E248.2030802@iogearbox.net>
In-Reply-To: <56519E2B.8050500@gmx.de>

[ cc'ing netdev and r8169 folks ]

On 11/22/2015 11:51 AM, Toralf Förster wrote:
> On the 22nd of November at 21:26 UTC my server (64 bit stable Gentoo hardened) suffered from a DDoS attack.
>
> From the kern.log:
>
> Nov 20 22:26:29 tor-relay kernel: [2431358.124515] TCP: request_sock_TCP: Possible SYN flooding on port 80. Sending cookies.  Check SNMP counters.
> Nov 20 22:26:48 tor-relay kernel: [2431377.216133] ------------[ cut here ]------------
> Nov 20 22:26:48 tor-relay kernel: [2431377.216141] WARNING: CPU: 7 PID: 12421 at net/sched/sch_generic.c:303 dev_watchdog+0x272/0x280()
> Nov 20 22:26:48 tor-relay kernel: [2431377.216143] NETDEV WATCHDOG: enp3s0 (r8169): transmit queue 0 timed out
> Nov 20 22:26:48 tor-relay kernel: [2431377.216145] Modules linked in:
> Nov 20 22:26:48 tor-relay kernel: [2431377.216148]  af_packet nf_log_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables nf_log_ipv4 nf_log_common xt_LOG xt_multiport nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack iptable_filter ip_tables i2c_i801 i2c_core tpm_tis tpm thermal processor battery atkbd x86_pkg_temp_thermal button microcode fan
> Nov 20 22:26:48 tor-relay kernel: [2431377.216173] CPU: 7 PID: 12421 Comm: emerge Not tainted 4.1.7-hardened-r1 #1
> Nov 20 22:26:48 tor-relay kernel: [2431377.216174] Hardware name: System manufacturer System Product Name/P8H77-M PRO, BIOS 0922 09/10/2012
> Nov 20 22:26:48 tor-relay kernel: [2431377.216176]  ffffffff994fa966 0000000000000000 ffffffff99bced09 ffff88041fbc3d18
> Nov 20 22:26:48 tor-relay kernel: [2431377.216179]  ffffffff99983e26 0000000000000000 ffff88041fbc3d68 ffff88041fbc3d58
> Nov 20 22:26:48 tor-relay kernel: [2431377.216182]  ffffffff9947f08a ffff88041fbc3d48 ffffffff99bced09 000000000000012f
> Nov 20 22:26:48 tor-relay kernel: [2431377.216185] Call Trace:
> Nov 20 22:26:48 tor-relay kernel: [2431377.216187]    [] ? print_modules+0x76/0xe0
> Nov 20 22:26:48 tor-relay kernel: [2431377.216198]  [] dump_stack+0x45/0x5d
> Nov 20 22:26:48 tor-relay kernel: [2431377.216203]  [] warn_slowpath_common+0x8a/0xd0
> Nov 20 22:26:48 tor-relay kernel: [2431377.216205]  [] warn_slowpath_fmt+0x5a/0x70
> Nov 20 22:26:48 tor-relay kernel: [2431377.216210]  [] ? task_tick_fair+0x2a8/0x760
> Nov 20 22:26:48 tor-relay kernel: [2431377.216213]  [] dev_watchdog+0x272/0x280
> Nov 20 22:26:48 tor-relay kernel: [2431377.216216]  [] ? dev_deactivate_queue+0x70/0x70
> Nov 20 22:26:48 tor-relay kernel: [2431377.216219]  [] call_timer_fn+0x47/0x140
> Nov 20 22:26:48 tor-relay kernel: [2431377.216222]  [] run_timer_softirq+0x291/0x450
> Nov 20 22:26:48 tor-relay kernel: [2431377.216224]  [] ? dev_deactivate_queue+0x70/0x70
> Nov 20 22:26:48 tor-relay kernel: [2431377.216228]  [] __do_softirq+0xf8/0x290
> Nov 20 22:26:48 tor-relay kernel: [2431377.216230]  [] irq_exit+0x9d/0xb0
> Nov 20 22:26:48 tor-relay kernel: [2431377.216235]  [] smp_apic_timer_interrupt+0x55/0x70
> Nov 20 22:26:48 tor-relay kernel: [2431377.216237]  [] apic_timer_interrupt+0x97/0xa0
> Nov 20 22:26:48 tor-relay kernel: [2431377.216239]
> Nov 20 22:26:48 tor-relay kernel: [2431377.216241] ---[ end trace 93431a9382c0a11a ]---
> Nov 20 22:26:48 tor-relay kernel: [2431377.237826] r8169 0000:03:00.0 enp3s0: link up
> Nov 20 22:28:18 tor-relay kernel: [2431467.175659] r8169 0000:03:00.0 enp3s0: link up
> Nov 20 22:28:30 tor-relay kernel: [2431479.172562] r8169 0000:03:00.0 enp3s0: link up
> Nov 20 22:28:42 tor-relay kernel: [2431491.164472] r8169 0000:03:00.0 enp3s0: link up
> Nov 20 22:28:54 tor-relay kernel: [2431503.170416] r8169 0000:03:00.0 enp3s0: link up
> Nov 20 22:29:06 tor-relay kernel: [2431515.148333] r8169 0000:03:00.0 enp3s0: link up
> Nov 20 22:29:18 tor-relay kernel: [2431527.143293] r8169 0000:03:00.0 enp3s0: link up
> Nov 20 22:29:30 tor-relay kernel: [2431539.142164] r8169 0000:03:00.0 enp3s0: link up
> Nov 20 22:29:42 tor-relay kernel: [2431551.124104] r8169 0000:03:00.0 enp3s0: link up
> ...
> Nov 22 10:56:24 tor-relay kernel: [2562675.624512] r8169 0000:03:00.0 enp3s0: link up
>
> The last line repeated and the network was down till I initiated a hardware reset.
>
> It looks to me that the attack turned the network card into a state from which it couldn't recover itself, or?
> Anything I should change here on the system to avoid such a hang?
>
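
As an added example (not part of the thread and not kernel tooling): a small Python check that scans kern.log text for the sequence in the report above, a SYN-flood notice followed by a NETDEV WATCHDOG transmit timeout and then repeated `link up` messages on the same interface. The sample lines are abridged from the quoted log; the function name and the thresholds `min_link_ups` and `flood_window` are assumptions.

```python
import re

# Constructed sample: abridged from the kern.log lines quoted in the report.
SAMPLE = """\
Nov 20 22:26:29 tor-relay kernel: [2431358.124515] TCP: request_sock_TCP: Possible SYN flooding on port 80. Sending cookies.  Check SNMP counters.
Nov 20 22:26:48 tor-relay kernel: [2431377.216143] NETDEV WATCHDOG: enp3s0 (r8169): transmit queue 0 timed out
Nov 20 22:26:48 tor-relay kernel: [2431377.237826] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:28:18 tor-relay kernel: [2431467.175659] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:28:30 tor-relay kernel: [2431479.172562] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:28:42 tor-relay kernel: [2431491.164472] r8169 0000:03:00.0 enp3s0: link up
"""

TS = r"\[\s*(\d+\.\d+)\] "  # kernel uptime stamp, seconds since boot
SYN_RE = re.compile(TS + r"TCP: .*Possible SYN flooding on port (\d+)")
WD_RE = re.compile(TS + r"NETDEV WATCHDOG: (\S+) \(([^)]+)\): transmit queue \d+ timed out")
UP_RE = re.compile(TS + r"\S+ \S+ (\S+): link up")


def find_stuck_nics(text, min_link_ups=3, flood_window=60.0):
    """Return one finding per interface that hit a TX watchdog timeout and
    then logged at least min_link_ups 'link up' lines (assumed threshold for
    'the driver keeps resetting the link')."""
    floods = []   # (uptime, port) of every SYN-flood notice seen so far
    state = {}    # interface name -> finding, created at the first watchdog hit
    for line in text.splitlines():
        if m := SYN_RE.search(line):
            floods.append((float(m[1]), int(m[2])))
        elif m := WD_RE.search(line):
            ts = float(m[1])
            # Ports flooded within flood_window seconds before the timeout.
            ports = sorted({p for t, p in floods if 0 <= ts - t <= flood_window})
            state.setdefault(m[2], {"iface": m[2], "driver": m[3],
                                    "watchdog_at": ts, "flood_ports": ports,
                                    "link_ups": 0})
        elif (m := UP_RE.search(line)) and m[2] in state:
            state[m[2]]["link_ups"] += 1
    return [f for f in state.values() if f["link_ups"] >= min_link_ups]


if __name__ == "__main__":
    for finding in find_stuck_nics(SAMPLE):
        print(finding)
```
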

