[wplug] strange messages.

Brian A. Seklecki lavalamp at spiritual-machines.org
Mon Sep 30 16:01:12 EDT 2002


On Mon, 30 Sep 2002 @ 1:39pm (-0400), harrold at sage.che.pitt.edu wrote:

> hey.
>
> one of our computers is having some issues. its been getting really slow
> with really high loads. from top it appears as though there is enough free
> ram/cpu, and that there shouldn't be any reason to have a load of 10+. i
> was poking around in the logs and i found a lot of the following:
>
>
> Sep 29 04:08:55 computername kernel: IN=eth0 OUT=eth0 SRC=136.142.89.250 DST=61.218.206.18 LEN=257 TOS=0x00 PREC=0x00 TTL=63 ID=53115 PROTO=UDP SPT=137 DPT=1025 LEN=237

source port 137, NetBIOS and/or NetBEUI
destination port 1025, the first non-privileged port on a *NIX, or Network Blackjack (according to /etc/services)

> Sep 30 11:53:29 computername kernel: IN=eth0 OUT=eth0 SRC=136.142.89.250 DST=218.16.125.85 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=7854 DF PROTO=TCP SPT=4647 DPT=80 WINDOW=6432 RES=0x00 SYN URGP=0
>


this is normal except the SYN flag is set.  That's normal for the initial
packet of a TCP socket session.  As long as you're not seeing this repeatedly -- if you were you'd want to break out tcpdump(8) and look for a DoS
attack.

>
> they all seem to be originating from the same computer: 136.142.89.250 but


Oh so 136.142.89.250 is NOT the IP of the local machine?  Why is
'computername' seeing its traffic?  Is it acting as a gateway?

> with different destinations. i believe this is output from iptables, which
> is running on this computer to do nat for the lab.

if the machine is acting as a network device, why does it matter if it's
responding slow? are you using it as a workstation as well?

did you check the interrupts? i/o statistics?

ifconfig down the interface from console and see if the load drops.

>
> can someone tell me what these mean?
>
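As an added example, not part of this thread: the lines quoted above are iptables LOG target output, and the question of whether one internal host is hitting many different external destinations (the "repeatedly" case Brian mentions) is easy to check by parsing them. The Python below parses the key=value format and tallies, per source address, how many packets, how many distinct destinations, how many bare TCP SYNs and how many UDP packets from source port 137 were logged. The two quoted lines are reused verbatim; the remaining sample lines and the 192.0.2.x / 198.51.100.x addresses are constructed for the example, and the parsing is my own, not anything from the original post.

```python
import re
from collections import defaultdict

# Constructed sample: the first two lines are the ones quoted in the thread,
# the rest are made-up lines in the same iptables LOG format (RFC 5737 addresses).
SAMPLE_LOG = """\
Sep 29 04:08:55 computername kernel: IN=eth0 OUT=eth0 SRC=136.142.89.250 DST=61.218.206.18 LEN=257 TOS=0x00 PREC=0x00 TTL=63 ID=53115 PROTO=UDP SPT=137 DPT=1025 LEN=237
Sep 30 11:53:29 computername kernel: IN=eth0 OUT=eth0 SRC=136.142.89.250 DST=218.16.125.85 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=7854 DF PROTO=TCP SPT=4647 DPT=80 WINDOW=6432 RES=0x00 SYN URGP=0
Sep 30 11:53:30 computername kernel: IN=eth0 OUT=eth0 SRC=136.142.89.250 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=7855 DF PROTO=TCP SPT=4648 DPT=80 WINDOW=6432 RES=0x00 SYN URGP=0
Sep 30 11:53:31 computername kernel: IN=eth0 OUT=eth0 SRC=136.142.89.250 DST=198.51.100.8 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=7856 DF PROTO=TCP SPT=4649 DPT=80 WINDOW=6432 RES=0x00 SYN URGP=0
Sep 30 11:53:32 computername kernel: IN=eth0 OUT=eth0 SRC=136.142.89.250 DST=198.51.100.9 LEN=257 TOS=0x00 PREC=0x00 TTL=63 ID=7857 PROTO=UDP SPT=137 DPT=1025 LEN=237
Sep 30 11:54:00 computername kernel: IN=eth0 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=9001 DF PROTO=TCP SPT=33000 DPT=443 WINDOW=6432 RES=0x00 ACK URGP=0
"""

# syslog prefix: "Mon DD HH:MM:SS host kernel: <iptables fields>"
PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$"
)
# bare tokens the LOG target emits without an "=" (IP and TCP flags)
FLAG_TOKENS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Parse one iptables LOG line into a dict of fields plus a set of flags.
    Returns None for lines that are not kernel log lines."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            # LEN appears twice (IP total length, then UDP payload length);
            # keep the first occurrence so LEN means the IP length.
            if key not in rec:
                rec[key] = val
        elif tok in FLAG_TOKENS:
            rec["flags"].add(tok)
    return rec


def summarize(lines):
    """Aggregate per source address: packet count, distinct destinations,
    bare SYNs (SYN without ACK) and UDP packets from source port 137."""
    per_src = defaultdict(lambda: {"packets": 0, "dsts": set(), "syn": 0, "udp137": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or "SRC" not in rec:
            continue
        s = per_src[rec["SRC"]]
        s["packets"] += 1
        s["dsts"].add(rec.get("DST", "?"))
        if rec.get("PROTO") == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            s["syn"] += 1
        if rec.get("PROTO") == "UDP" and rec.get("SPT") == "137":
            s["udp137"] += 1
    return per_src


def report(summary):
    """Rows of (src, packets, distinct_dsts, bare_syn, udp_from_137),
    busiest source by distinct destinations first."""
    rows = [(src, s["packets"], len(s["dsts"]), s["syn"], s["udp137"])
            for src, s in summary.items()]
    return sorted(rows, key=lambda r: (r[2], r[1]), reverse=True)


if __name__ == "__main__":
    for src, pkts, dsts, syn, udp137 in report(summarize(SAMPLE_LOG.splitlines())):
        print(f"{src:16} packets={pkts:4} distinct_dst={dsts:4} syn={syn:4} udp_spt137={udp137:4}")
```

Feed it the real file with `summarize(open("/var/log/messages"))` and a source that dominates the distinct-destination column while the rest of the lab stays near one or two is the host worth looking at first, which is the point at which the post's suggestion of tcpdump(8) on the gateway becomes the next step.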
