[j-nsp] DOS attack?
Matthias Gelbhardt
matthias at commy.de
Sun May 17 03:14:23 EDT 2009
Hi!
Last night we had some mysterious behaviour on our router. On a BGP
connection with Cogent we received an unexpected EOF. There were also
a great number of SSH logins (we do not have FW rules in place, but we
have a rate limit). Shortly after, the router complained about low
memory and a few BGP sessions dropped (obviously the ones which are
memory exhausting).
I wonder now which event triggered this behaviour: the
number of SSH logins at that time, or this unexpected EOF?
The log of that time:
May 17 04:29:24 emsdetten1 inetd[4291]: ssh from 82.165.235.170
exceeded counts/min (limit 10/min)
May 17 04:29:25 emsdetten1 last message repeated 7 times
May 17 04:29:36 emsdetten1 rpd[4303]: bgp_listen_accept: Connection
attempt from unconfigured neighbor: 91.190.xxx.xxx+40432
May 17 04:29:52 emsdetten1 rpd[4303]: bgp_recv: peer 149.6.xxx.xxx
(External AS 174): received unexpected EOF
May 17 04:30:06 emsdetten1 rpd[4303]: bgp_listen_accept: Connection
attempt from unconfigured neighbor: 91.190.xxx.xxx+43119
May 17 04:31:00 emsdetten1 /kernel: KERNEL_MEMORY_CRITICAL: System
low on free memory, notifying init (#2).
May 17 04:31:00 emsdetten1 cron[49326]: (root) CMD (adjkerntz -a)
May 17 04:31:01 emsdetten1 rpd[4303]: Received low-memory signal: BGP
Write active, 422 free pages
May 17 04:31:01 emsdetten1 rpd[4303]: Processing low memory signal
May 17 04:31:14 emsdetten1 rpd[4303]: bgp_listen_accept: Connection
attempt from unconfigured neighbor: 193.108.xxx.xxx+52139
May 17 04:31:34 emsdetten1 /kernel: KERN_ARP_ADDR_CHANGE: arp info
overwritten for 91.190.xxx.xxx from 00:00:1a:19:c1:0f to 00:00:1a:
19:c1:10
May 17 04:31:34 emsdetten1 sshd[49329]: Failed password for root from
82.165.235.170 port 56403 ssh2
May 17 04:31:34 emsdetten1 inetd[4291]: /usr/sbin/sshd[49329]:
exited, status 255
May 17 04:31:35 emsdetten1 sshd[49331]: Failed password for root from
82.165.235.170 port 47707 ssh2
May 17 04:31:35 emsdetten1 inetd[4291]: /usr/sbin/sshd[49331]:
exited, status 255
May 17 04:31:36 emsdetten1 sshd[49337]: Failed password for root from
82.165.235.170 port 57612 ssh2
May 17 04:31:36 emsdetten1 inetd[4291]: /usr/sbin/sshd[49337]:
exited, status 255
May 17 04:31:36 emsdetten1 sshd[49339]: Failed password for root from
82.165.235.170 port 49046 ssh2
May 17 04:31:36 emsdetten1 rpd[4303]: bgp_listen_accept: Connection
attempt from unconfigured neighbor: 91.190.xxx.xxx+47675
May 17 04:31:36 emsdetten1 inetd[4291]: /usr/sbin/sshd[49339]:
exited, status 255
May 17 04:31:38 emsdetten1 sshd[49335]: Failed password for root from
82.165.235.170 port 38441 ssh2
May 17 04:31:38 emsdetten1 inetd[4291]: /usr/sbin/sshd[49335]:
exited, status 255
May 17 04:31:39 emsdetten1 sshd[49330]: Failed password for root from
82.165.235.170 port 37700 ssh2
May 17 04:31:39 emsdetten1 inetd[4291]: /usr/sbin/sshd[49330]:
exited, status 255
May 17 04:31:39 emsdetten1 sshd[49345]: Failed password for root from
82.165.235.170 port 40019 ssh2
May 17 04:31:39 emsdetten1 inetd[4291]: ssh from 82.165.235.170
exceeded counts/min (limit 10/min)
May 17 04:31:40 emsdetten1 sshd[49343]: Failed password for root from
82.165.235.170 port 49411 ssh2
May 17 04:31:40 emsdetten1 inetd[4291]: /usr/sbin/sshd[49345]:
exited, status 255
May 17 04:31:40 emsdetten1 inetd[4291]: ssh from 82.165.235.170
exceeded counts/min (limit 10/min)
May 17 04:31:41 emsdetten1 sshd[49341]: Failed password for root from
82.165.235.170 port 57987 ssh2
May 17 04:31:41 emsdetten1 inetd[4291]: /usr/sbin/sshd[49341]:
exited, status 255
May 17 04:31:41 emsdetten1 inetd[4291]: ssh from 82.165.235.170
exceeded counts/min (limit 10/min)
May 17 04:31:41 emsdetten1 sshd[49347]: Failed password for root from
82.165.235.170 port 60041 ssh2
May 17 04:31:41 emsdetten1 inetd[4291]: /usr/sbin/sshd[49343]:
exited, status 255
May 17 04:31:41 emsdetten1 inetd[4291]: /usr/sbin/sshd[49347]:
exited, status 255
May 17 04:31:41 emsdetten1 inetd[4291]: ssh from 82.165.235.170
exceeded counts/min (limit 10/min)
May 17 04:31:41 emsdetten1 last message repeated 6 times
May 17 04:31:43 emsdetten1 rpd[4303]: bgp_listen_accept: Connection
attempt from unconfigured neighbor: 193.108.xxx.xxx+49573
May 17 04:31:47 emsdetten1 inetd[4291]: ssh from 82.165.235.170
exceeded counts/min (limit 10/min)
May 17 04:31:51 emsdetten1 sshd[49349]: Failed password for root from
218.26.118.106 port 49903 ssh2
May 17 04:31:52 emsdetten1 inetd[4291]: /usr/sbin/sshd[49349]:
exited, status 255
May 17 04:31:52 emsdetten1 sshd[49351]: Failed password for root from
218.26.118.106 port 49931 ssh2
May 17 04:31:52 emsdetten1 inetd[4291]: /usr/sbin/sshd[49351]:
exited, status 255
May 17 04:31:53 emsdetten1 inetd[4291]: ssh from 82.165.235.170
exceeded counts/min (limit 10/min)
May 17 04:31:53 emsdetten1 last message repeated 2 times
May 17 04:31:53 emsdetten1 rpd[4303]: Received low-memory signal:
Read peer active, 25 free pages
May 17 04:31:53 emsdetten1 rpd[4303]: Processing low memory signal
May 17 04:31:53 emsdetten1 inetd[4291]: ssh from 82.165.235.170
exceeded counts/min (limit 10/min)
May 17 04:31:54 emsdetten1 sshd[49353]: Failed password for root from
218.26.118.106 port 50028 ssh2
May 17 04:31:54 emsdetten1 sshd[49354]: Failed password for root from
218.26.118.106 port 50036 ssh2
May 17 04:31:54 emsdetten1 rpd[4303]: Received low-memory signal: no
job active, 184 free pages
May 17 04:31:55 emsdetten1 inetd[4291]: /usr/sbin/sshd[49353]:
exited, status 255
May 17 04:31:55 emsdetten1 sshd[49355]: Failed password for root from
218.26.118.106 port 50041 ssh2
May 17 04:31:55 emsdetten1 inetd[4291]: /usr/sbin/sshd[49354]:
exited, status 255
May 17 04:31:55 emsdetten1 sshd[49358]: Failed password for root from
218.26.118.106 port 50057 ssh2
May 17 04:31:55 emsdetten1 inetd[4291]: ssh from 218.26.118.106
exceeded counts/min (limit 10/min)
May 17 04:31:55 emsdetten1 inetd[4291]: /usr/sbin/sshd[49355]:
exited, status 255
May 17 04:31:55 emsdetten1 sshd[49360]: Failed password for root from
218.26.118.106 port 50069 ssh2
May 17 04:31:55 emsdetten1 inetd[4291]: ssh from 218.26.118.106
exceeded counts/min (limit 10/min)
May 17 04:31:55 emsdetten1 inetd[4291]: /usr/sbin/sshd[49358]:
exited, status 255
May 17 04:31:55 emsdetten1 sshd[49362]: Failed password for root from
218.26.118.106 port 50089 ssh2
May 17 04:31:55 emsdetten1 rpd[4303]: Processing low memory signal
May 17 04:31:56 emsdetten1 inetd[4291]: ssh from 218.26.118.106
exceeded counts/min (limit 10/min)
May 17 04:31:56 emsdetten1 inetd[4291]: /usr/sbin/sshd[49360]:
exited, status 255
May 17 04:31:56 emsdetten1 inetd[4291]: ssh from 218.26.118.106
exceeded counts/min (limit 10/min)
May 17 04:31:56 emsdetten1 inetd[4291]: /usr/sbin/sshd[49362]:
exited, status 255
May 17 04:31:56 emsdetten1 inetd[4291]: ssh from 218.26.118.106
exceeded counts/min (limit 10/min)
May 17 04:31:56 emsdetten1 last message repeated 3 times
May 17 04:31:56 emsdetten1 inetd[4291]: ssh from 82.165.235.170
exceeded counts/min (limit 10/min)
May 17 04:31:57 emsdetten1 inetd[4291]: ssh from 218.26.118.106
exceeded counts/min (limit 10/min)
May 17 04:31:57 emsdetten1 sshd[49365]: Failed password for root from
218.26.118.106 port 50143 ssh2
May 17 04:31:57 emsdetten1 inetd[4291]: ssh from 218.26.118.106
exceeded counts/min (limit 10/min)
May 17 04:31:57 emsdetten1 inetd[4291]: ssh from 218.26.118.106
exceeded counts/min (limit 10/min)
May 17 04:31:57 emsdetten1 sshd[49367]: Failed password for root from
218.26.118.106 port 50183 ssh2
May 17 04:31:57 emsdetten1 inetd[4291]: ssh from 218.26.118.106
exceeded counts/min (limit 10/min)
May 17 04:31:58 emsdetten1 inetd[4291]: /usr/sbin/sshd[49365]:
exited, status 255
May 17 04:31:58 emsdetten1 inetd[4291]: ssh from 218.26.118.106
exceeded counts/min (limit 10/min)
May 17 04:31:58 emsdetten1 inetd[4291]: ssh from 218.26.118.106
exceeded counts/min (limit 10/min)
May 17 04:31:58 emsdetten1 inetd[4291]: /usr/sbin/sshd[49367]:
exited, status 255
May 17 04:31:58 emsdetten1 inetd[4291]: ssh from 218.26.118.106
exceeded counts/min (limit 10/min)
May 17 04:31:59 emsdetten1 last message repeated 12 times
May 17 04:31:59 emsdetten1 inetd[4291]: ssh from 82.165.235.170
exceeded counts/min (limit 10/min)
May 17 04:31:59 emsdetten1 inetd[4291]: ssh from 218.26.118.106
exceeded counts/min (limit 10/min)
May 17 04:32:02 emsdetten1 last message repeated 15 times
May 17 04:32:03 emsdetten1 inetd[4291]: ssh from 82.165.235.170
exceeded counts/min (limit 10/min)
May 17 04:32:05 emsdetten1 inetd[4291]: ssh from 82.165.235.170
exceeded counts/min (limit 10/min)
May 17 04:32:06 emsdetten1 rpd[4303]: bgp_listen_accept: Connection
attempt from unconfigured neighbor: 91.190.xxx.xxx+44046
May 17 04:32:08 emsdetten1 inetd[4291]: ssh from 82.165.235.170
exceeded counts/min (limit 10/min)
May 17 04:32:34 emsdetten1 last message repeated 4 times
May 17 04:32:55 emsdetten1 last message repeated 5 times
May 17 04:33:03 emsdetten1 sshd[49370]: Failed password for root from
82.165.235.170 port 56469 ssh2
May 17 04:33:03 emsdetten1 inetd[4291]: /usr/sbin/sshd[49370]:
exited, status 255
May 17 04:33:03 emsdetten1 inetd[4291]: ssh from 82.165.235.170
exceeded counts/min (limit 10/min)
May 17 04:33:17 emsdetten1 rpd[4303]: Received low-memory signal:
Read peer active, 3 free pages
May 17 04:33:17 emsdetten1 rpd[4303]: Processing low memory signal
May 17 04:33:24 emsdetten1 rpd[4303]: Received low-memory signal: Low
memory flash update active, 736 free pages
May 17 04:33:24 emsdetten1 rpd[4303]: Processing low memory signal
May 17 04:33:26 emsdetten1 sshd[49372]: Failed password for root from
82.165.235.170 port 51447 ssh2
May 17 04:33:26 emsdetten1 rpd[4303]: Received low-memory signal: no
job active, 8322 free pages
May 17 04:33:27 emsdetten1 inetd[4291]: /usr/sbin/sshd[49372]:
exited, status 255
May 17 04:33:27 emsdetten1 inetd[4291]: ssh from 82.165.235.170
exceeded counts/min (limit 10/min)
May 17 04:33:27 emsdetten1 rpd[4303]: Processing low memory signal
May 17 04:33:36 emsdetten1 rpd[4303]: bgp_listen_accept: Connection
attempt from unconfigured neighbor: 91.190.226.227+47676
May 17 04:33:39 emsdetten1 rpd[4303]: Received low-memory signal: Low
memory flash update active, 14644 free pages
May 17 04:33:39 emsdetten1 rpd[4303]: Processing low memory signal
May 17 04:33:41 emsdetten1 sshd[49375]: Failed password for root from
82.165.235.170 port 56926 ssh2
May 17 04:33:41 emsdetten1 inetd[4291]: /usr/sbin/sshd[49375]:
exited, status 255
May 17 04:33:43 emsdetten1 rpd[4303]: bgp_listen_accept: Connection
attempt from unconfigured neighbor: 193.108.xxx.xxx+63258
May 17 04:33:43 emsdetten1 sshd[49377]: Failed password for root from
82.165.235.170 port 57735 ssh2
May 17 04:33:44 emsdetten1 inetd[4291]: /usr/sbin/sshd[49377]:
exited, status 255
May 17 04:33:46 emsdetten1 sshd[49379]: Failed password for root from
82.165.235.170 port 58578 ssh2
May 17 04:33:47 emsdetten1 inetd[4291]: /usr/sbin/sshd[49379]:
exited, status 255
May 17 04:33:49 emsdetten1 sshd[49381]: Failed password for root from
82.165.235.170 port 59658 ssh2
May 17 04:33:49 emsdetten1 inetd[4291]: /usr/sbin/sshd[49381]:
exited, status 255
May 17 04:33:49 emsdetten1 inetd[4291]: ssh from 82.165.235.170
exceeded counts/min (limit 10/min)
May 17 04:33:56 emsdetten1 sshd[49384]: Failed password for root from
82.165.235.170 port 39052 ssh2
May 17 04:33:56 emsdetten1 inetd[4291]: /usr/sbin/sshd[49384]:
exited, status 255
May 17 04:33:56 emsdetten1 inetd[4291]: ssh from 82.165.235.170
exceeded counts/min (limit 10/min)
May 17 04:34:00 emsdetten1 last message repeated 2 times
Regards,
Matthias
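The following Python is an added example, not part of the original post: it re-joins the wrapped syslog lines, classifies them, and reports per-minute counts and the first minute each event class appears, which is the ordering the question above turns on. The event class names and regular expressions are this example's own assumptions, written against the message formats shown in the log.

```python
import re
from collections import Counter, defaultdict

# Excerpt of the log posted above, with the mail client's line wrapping kept.
SAMPLE = """\
May 17 04:29:24 emsdetten1 inetd[4291]: ssh from 82.165.235.170
exceeded counts/min (limit 10/min)
May 17 04:29:25 emsdetten1 last message repeated 7 times
May 17 04:29:52 emsdetten1 rpd[4303]: bgp_recv: peer 149.6.xxx.xxx
(External AS 174): received unexpected EOF
May 17 04:31:01 emsdetten1 rpd[4303]: Received low-memory signal: BGP
Write active, 422 free pages
May 17 04:31:34 emsdetten1 sshd[49329]: Failed password for root from
82.165.235.170 port 56403 ssh2
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d (\d\d:\d\d):\d\d \S+ (.*)$")
REPEAT = re.compile(r"last message repeated (\d+) times")
RULES = {  # event class -> pattern; class names are this example's own
    "ssh_rate_limit": re.compile(r"inetd\[\d+\]: ssh from \S+ exceeded counts/min"),
    "ssh_failed_login": re.compile(r"sshd\[\d+\]: Failed password for \S+ from \S+"),
    "bgp_eof": re.compile(r"bgp_recv: peer \S+ .*received unexpected EOF"),
    "low_memory": re.compile(r"KERNEL_MEMORY_CRITICAL|Received low-memory signal"),
}

def unwrap(text):
    """Re-join wrapped continuation lines onto their timestamped line."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def timeline(text):
    """Return ({minute: Counter(class)}, {class: first minute seen})."""
    per_minute, first_seen, last = defaultdict(Counter), {}, None
    for rec in filter(STAMP.match, unwrap(text)):
        minute, msg = STAMP.match(rec).groups()
        rep = REPEAT.search(msg)
        if rep:  # syslog collapsed duplicates of the previous message
            if last:
                per_minute[minute][last] += int(rep.group(1))
            continue
        last = next((n for n, p in RULES.items() if p.search(msg)), None)
        if last:
            per_minute[minute][last] += 1
            first_seen.setdefault(last, minute)
    return per_minute, first_seen
```

Counting the "last message repeated N times" lines matters here, because most of the rate-limit hits in a log like this are hidden behind them.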