
[linux-security] Re: IPMASQ and lock-up of all terminals ---- Summary and update



Well, last night, my box was hit again; same symptoms:

All attempts to connect remotely receive a connection, but a login prompt
never comes up.
When I went to the console and turned on the monitor, I had the login
prompt, but written onto the screen was the message
IPMASQ: Reverse ICMP: Checksum error from xxx.xxx.xxx.xxx

So, on this occasion, I thought I would post a summary of the responses I
got, and ask a few specific lingering questions.

Summary:
Some commented on having the same problem until they switched from one
distribution to another, or from one version to another. (this doesn't help
me too much as the same problem happened in two different versions 6.0 and
6.2 beta)
Some suggested I check my binaries for trojans, and other signs of attack.
I found none.
Some suggested the problem lay with syslogd locking up. Several specific
conditions that have caused this phenomenon in the past were mentioned, but
none of the circumstances fit my case (the machine using itself in
resolv.conf, disk full, etc.).
Another mentioned a similar problem tied to mgetty, although the lock-up is
not as complete as on my machine, so I imagine that they are dealing with a
different phenomenon.
Another mentioned that running out of file descriptors would also lock up a
system, but they also mentioned that this is mainly a problem with web and
mail servers.  My box is running neither.
Another mentioned the possibility that a fork bomb or a DOS attack may have
caused the system to run out of processes (of which they reported the
default to be 512). I know of no way of verifying this theory, nor do I
know of any way to defend against such an attack. Help in this arena would
be appreciated.

Continuing questions:

1) What exactly is a Reverse ICMP?  (That message has been on the terminal
screen 3 out of 3 times I have had this problem.)

2) Is there a way to directly test whether syslogd is the culprit?  Is there
a way I can correct it?

3) Is there a way of directly testing whether I am the victim of an
occasional fork bomb or DOS attack?  Is there a way I can correct this?


Thank you very much for all your help, and of course references to helpful,
germane websites are also greatly appreciated!

James Meriwether
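One way to approach question 3, as an added example that is not part of the original post or any reply: a small POSIX shell check that records the total process count and in-use file descriptors from /proc and flags when either approaches its limit, so a lock-up can later be correlated with resource exhaustion instead of guessed at. It assumes a Linux /proc layout; the 512 fallback is the default process figure quoted in the post, and the 90% threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example: log process and file-descriptor usage so that a later
# lock-up can be matched against exhaustion (fork bomb / DoS) in the log.
# Run from cron every minute, appending to a file that is NOT on a
# full disk and does not depend on syslogd (one of the suspects).

# Fourth field of /proc/loadavg is "running/total"; return the total.
total_procs() {
    set -- $1
    echo "${4#*/}"
}

# /proc/sys/fs/file-nr is "allocated free max"; return allocated - free.
# (On 2.6+ kernels the free field is always 0, so this still holds.)
used_files() {
    set -- $1
    echo $(( $1 - $2 ))
}

# ratio_exceeded USED MAX PERCENT: true when USED is at or above PERCENT of MAX.
ratio_exceeded() {
    [ "$2" -gt 0 ] && [ $(( $1 * 100 / $2 )) -ge "$3" ]
}

# Gather live values and print one log line; silent when /proc is absent.
check_now() {
    [ -r /proc/loadavg ] || return 0
    procs=$(total_procs "$(cat /proc/loadavg)")
    files=$(used_files "$(cat /proc/sys/fs/file-nr)")
    max_files=$(awk '{print $3}' /proc/sys/fs/file-nr)
    # threads-max is the kernel's task limit; fall back to the 512 from the post.
    max_procs=$(cat /proc/sys/kernel/threads-max 2>/dev/null || echo 512)
    line="$(date '+%Y-%m-%d %H:%M:%S') procs=$procs/$max_procs files=$files/$max_files"
    if ratio_exceeded "$procs" "$max_procs" 90 || ratio_exceeded "$files" "$max_files" 90; then
        line="$line WARNING: near resource limit"
    fi
    echo "$line"
}

# Example cron line (assumed path): * * * * * /usr/local/sbin/rescheck.sh >> /var/log/rescheck.log
check_now
```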


