| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20120930230345.GA9142@liondog.tnic>
Date: Mon, 1 Oct 2012 01:03:45 +0200
From: Borislav Petkov <bp@...en8.de>
To: Giuliano Pochini <pochini@...ny.it>
Cc: Alexey Vlasov <renton@...ton.name>, linux-kernel@...r.kernel.org,
netdev@...r.kernel.org
Subject: Re: Instead of IP addresses the kernel started to show zero's
+ netdev
On Sun, Sep 30, 2012 at 11:25:59PM +0200, Giuliano Pochini wrote:
> On Tue, 25 Sep 2012 14:26:07 +0400
> Alexey Vlasov <renton@...ton.name> wrote:
>
> > Hi.
> >
> > Here it writes LOG target from syslog:
> >
> > Sep 25 03:23:49 l24 kernel: ip:SYN-OUTPUT-HTTP IN= OUT=eth0
> > SRC=0000000000000000 DST=0000000000000000 LEN=60 TOS=0x00 PREC=0x00
> > TTL=64 ID=22467 DF PROTO=TCP SPT=52829 DPT=80 WINDOW=14600 RES=0x00 SYN
> > URGP=0 UID=564373 GID=155
> >
> > This is recent, here go zero's again:
> > # cat /proc/net/xt_recent/ssh-brute
> > ...
> > src=0000000000000000 ttl: 122 last_seen: 4371027622 oldest_pkt: 1
> > 4371027622
> >
> > Can it be fixed without restarting the box?
> > Thanks!
> >
> > Kernel 3.4.6.
>
> It look similar to a problem that occurred on some 3.x heavy loaded
> machines. After a while they begin to send packets with dst=0.0.0.0. We had
> to revert to 2.6 on our production machines.
>
> tcpdump output looks like this:
>
> 17:06:29.272225 IP 0.0.0.0.http > 0.0.0.0.1687: . ack 232 win 15400
> 17:06:29.272671 IP 0.0.0.0.http > 0.0.0.0.1687: P 0:511(511) ack 232 win 15400
> 17:06:29.272689 IP 0.0.0.0.http > 0.0.0.0.1687: F 511:511(0) ack 232 win 15400
> 17:06:29.273249 IP 0.0.0.0.http > 0.0.0.0.65307: . ack 62552748 win 1006 <nop,nop,timestamp 1760963 478909562>
> 17:06:29.273662 IP 0.0.0.0.http > 0.0.0.0.65307: P 0:511(511) ack 1 win 1006 <nop,nop,timestamp 1760963 478909562>
> 17:06:29.273678 IP 0.0.0.0.http > 0.0.0.0.65307: F 511:511(0) ack 1 win 1006 <nop,nop,timestamp 1760963 478909562>
> 17:06:29.278683 IP 0.0.0.0.http > 0.0.0.0.12021: . ack 1 win 12240
> 17:06:29.288707 IP 0.0.0.0.http > 0.0.0.0.28308: . ack 1049058319 win 12420
> 17:06:29.289406 IP 0.0.0.0.http > 0.0.0.0.28308: . ack 57 win 12420
> 17:06:29.289834 IP 0.0.0.0.http > 0.0.0.0.28308: P 0:487(487) ack 57 win 12420
> 17:06:29.289851 IP 0.0.0.0.http > 0.0.0.0.28308: F 487:487(0) ack 57 win 12420
> 17:06:29.291767 IP 0.0.0.0.http > 0.0.0.0.11407: P 0:472(472) ack 171 win 1275 <nop,nop,timestamp 1760982 2400635630>
> 17:06:29.292657 IP 0.0.0.0.http > 0.0.0.0.50511: . ack 1 win 14400
> 17:06:29.293502 IP 0.0.0.0.http > 0.0.0.0.12381: . ack 558 win 14960
> 17:06:29.295080 IP 0.0.0.0.http > 0.0.0.0.10980: . ack 2 win 16692
>
> When the network traffic slows down the machine recovers to normal operation.
>
> I found another report about this issue:
>
> https://bbs.archlinux.org/viewtopic.php?id=129304
Any chance you guys can try the latest Linus kernel - it is 3.6-rc7 +
100ish patches and it should be close to final release, so pretty stable
already - to check whether the issue still persists?
Thanks.
--
Regards/Gruss,
Boris.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists