netdev.vger.kernel.org archive mirror
From: Daniel Borkmann <daniel@iogearbox.net>
To: romieu@fr.zoreil.com, vinschen@redhat.com
Cc: "Toralf Förster" <toralf.foerster@gmx.de>,
	"Linux Kernel" <linux-kernel@vger.kernel.org>,
	netdev@vger.kernel.org, nic_swsd@realtek.com
Subject: Re: network card doesn't recovered itself after a SYN flooding attack
Date: Mon, 23 Nov 2015 10:54:16 +0100
Message-ID: <5652E248.2030802@iogearbox.net>
In-Reply-To: <56519E2B.8050500@gmx.de>

[ cc'ing netdev and r8169 folks ]

On 11/22/2015 11:51 AM, Toralf Förster wrote:
> On the 22nd of November at 21:26 UTC my server (64 bit stable Gentoo hardened) suffered from a DDoS attack.
>
> From the kern.log:
>
> Nov 20 22:26:29 tor-relay kernel: [2431358.124515] TCP: request_sock_TCP: Possible SYN flooding on port 80. Sending cookies.  Check SNMP counters.
> Nov 20 22:26:48 tor-relay kernel: [2431377.216133] ------------[ cut here ]------------
> Nov 20 22:26:48 tor-relay kernel: [2431377.216141] WARNING: CPU: 7 PID: 12421 at net/sched/sch_generic.c:303 dev_watchdog+0x272/0x280()
> Nov 20 22:26:48 tor-relay kernel: [2431377.216143] NETDEV WATCHDOG: enp3s0 (r8169): transmit queue 0 timed out
> Nov 20 22:26:48 tor-relay kernel: [2431377.216145] Modules linked in:
> Nov 20 22:26:48 tor-relay kernel: [2431377.216148]  af_packet nf_log_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables nf_log_ipv4 nf_log_common xt_LOG xt_multiport nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack iptable_filter ip_tables i2c_i801 i2c_core tpm_tis tpm thermal processor battery atkbd x86_pkg_temp_thermal button microcode fan
> Nov 20 22:26:48 tor-relay kernel: [2431377.216173] CPU: 7 PID: 12421 Comm: emerge Not tainted 4.1.7-hardened-r1 #1
> Nov 20 22:26:48 tor-relay kernel: [2431377.216174] Hardware name: System manufacturer System Product Name/P8H77-M PRO, BIOS 0922 09/10/2012
> Nov 20 22:26:48 tor-relay kernel: [2431377.216176]  ffffffff994fa966 0000000000000000 ffffffff99bced09 ffff88041fbc3d18
> Nov 20 22:26:48 tor-relay kernel: [2431377.216179]  ffffffff99983e26 0000000000000000 ffff88041fbc3d68 ffff88041fbc3d58
> Nov 20 22:26:48 tor-relay kernel: [2431377.216182]  ffffffff9947f08a ffff88041fbc3d48 ffffffff99bced09 000000000000012f
> Nov 20 22:26:48 tor-relay kernel: [2431377.216185] Call Trace:
> Nov 20 22:26:48 tor-relay kernel: [2431377.216187]    [] ? print_modules+0x76/0xe0
> Nov 20 22:26:48 tor-relay kernel: [2431377.216198]  [] dump_stack+0x45/0x5d
> Nov 20 22:26:48 tor-relay kernel: [2431377.216203]  [] warn_slowpath_common+0x8a/0xd0
> Nov 20 22:26:48 tor-relay kernel: [2431377.216205]  [] warn_slowpath_fmt+0x5a/0x70
> Nov 20 22:26:48 tor-relay kernel: [2431377.216210]  [] ? task_tick_fair+0x2a8/0x760
> Nov 20 22:26:48 tor-relay kernel: [2431377.216213]  [] dev_watchdog+0x272/0x280
> Nov 20 22:26:48 tor-relay kernel: [2431377.216216]  [] ? dev_deactivate_queue+0x70/0x70
> Nov 20 22:26:48 tor-relay kernel: [2431377.216219]  [] call_timer_fn+0x47/0x140
> Nov 20 22:26:48 tor-relay kernel: [2431377.216222]  [] run_timer_softirq+0x291/0x450
> Nov 20 22:26:48 tor-relay kernel: [2431377.216224]  [] ? dev_deactivate_queue+0x70/0x70
> Nov 20 22:26:48 tor-relay kernel: [2431377.216228]  [] __do_softirq+0xf8/0x290
> Nov 20 22:26:48 tor-relay kernel: [2431377.216230]  [] irq_exit+0x9d/0xb0
> Nov 20 22:26:48 tor-relay kernel: [2431377.216235]  [] smp_apic_timer_interrupt+0x55/0x70
> Nov 20 22:26:48 tor-relay kernel: [2431377.216237]  [] apic_timer_interrupt+0x97/0xa0
> Nov 20 22:26:48 tor-relay kernel: [2431377.216239]
> Nov 20 22:26:48 tor-relay kernel: [2431377.216241] ---[ end trace 93431a9382c0a11a ]---
> Nov 20 22:26:48 tor-relay kernel: [2431377.237826] r8169 0000:03:00.0 enp3s0: link up
> Nov 20 22:28:18 tor-relay kernel: [2431467.175659] r8169 0000:03:00.0 enp3s0: link up
> Nov 20 22:28:30 tor-relay kernel: [2431479.172562] r8169 0000:03:00.0 enp3s0: link up
> Nov 20 22:28:42 tor-relay kernel: [2431491.164472] r8169 0000:03:00.0 enp3s0: link up
> Nov 20 22:28:54 tor-relay kernel: [2431503.170416] r8169 0000:03:00.0 enp3s0: link up
> Nov 20 22:29:06 tor-relay kernel: [2431515.148333] r8169 0000:03:00.0 enp3s0: link up
> Nov 20 22:29:18 tor-relay kernel: [2431527.143293] r8169 0000:03:00.0 enp3s0: link up
> Nov 20 22:29:30 tor-relay kernel: [2431539.142164] r8169 0000:03:00.0 enp3s0: link up
> Nov 20 22:29:42 tor-relay kernel: [2431551.124104] r8169 0000:03:00.0 enp3s0: link up
> ...
> Nov 22 10:56:24 tor-relay kernel: [2562675.624512] r8169 0000:03:00.0 enp3s0: link up
>
> The last line repeated and the network was down till I initiated a hardware reset.
>
> It looks to me as if the attack turned the network card into a state from which it couldn't recover itself, or?
> Is there anything I should change on the system to avoid such a hang?
>
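
An added example (not part of the original messages and not kernel or r8169 tooling): a Python check that correlates the three events in the quoted kern.log, the SYN-flood warning, the NETDEV WATCHDOG transmit timeout and the repeating "link up" lines, to flag an interface stuck in a reset loop. The function name and all thresholds are assumptions of this example; the sample lines are rebuilt from the timestamps in the quoted log.

```python
import re
from collections import defaultdict, deque

# Thresholds are assumptions for this example, not values from the thread.
FLOOD_WINDOW = 60.0   # max seconds from SYN-flood warning to TX watchdog
FLAP_WINDOW = 120.0   # sliding window for counting "link up" events
FLAP_COUNT = 5        # "link up" events in the window that count as a loop

LINE = re.compile(r"kernel: \[\s*(\d+\.\d+)\] (.*)$")
FLOOD = re.compile(r"Possible SYN flooding on port \d+")
WATCHDOG = re.compile(r"NETDEV WATCHDOG: (\S+) \((\S+)\): transmit queue \d+ timed out")
LINK_UP = re.compile(r"^\S+ \S+ (\S+): link up$")

def find_stuck_nics(lines):
    """Flag interfaces that hit a TX watchdog timeout and then log FLAP_COUNT
    or more 'link up' events within FLAP_WINDOW seconds (kernel uptime clock)."""
    last_flood, watchdog, findings = None, {}, {}
    ups = defaultdict(deque)            # iface -> recent "link up" times
    for raw in lines:
        m = LINE.search(raw.rstrip())
        if not m:
            continue                    # not a kernel line with a timestamp
        t, msg = float(m.group(1)), m.group(2)
        if FLOOD.search(msg):
            last_flood = t
        elif (w := WATCHDOG.search(msg)):
            related = last_flood is not None and t - last_flood <= FLOOD_WINDOW
            watchdog.setdefault(w.group(1), (t, w.group(2), related))
        elif (u := LINK_UP.match(msg)) and u.group(1) in watchdog:
            iface, q = u.group(1), ups[u.group(1)]
            q.append(t)
            while t - q[0] > FLAP_WINDOW:   # drop events older than the window
                q.popleft()
            if len(q) >= FLAP_COUNT and iface not in findings:
                wt, driver, related = watchdog[iface]
                findings[iface] = {"iface": iface, "driver": driver,
                                   "watchdog_at": wt, "detected_at": t,
                                   "after_syn_flood": related}
    return list(findings.values())

# Sample input rebuilt from the quoted log: same messages and kernel timestamps.
UPS = ["2431377.237826", "2431467.175659", "2431479.172562", "2431491.164472",
       "2431503.170416", "2431515.148333", "2431527.143293"]
SAMPLE = [
    "Nov 20 22:26:29 tor-relay kernel: [2431358.124515] TCP: request_sock_TCP: "
    "Possible SYN flooding on port 80. Sending cookies.  Check SNMP counters.",
    "Nov 20 22:26:48 tor-relay kernel: [2431377.216143] NETDEV WATCHDOG: enp3s0 (r8169): transmit queue 0 timed out",
] + [f"Nov 20 tor-relay kernel: [{ts}] r8169 0000:03:00.0 enp3s0: link up" for ts in UPS]
if __name__ == "__main__": print(find_stuck_nics(SAMPLE))
```

On the sample, the interface is flagged at the fifth "link up" inside the window, roughly two minutes after the watchdog fired rather than a day and a half later.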
