[chord] RE: [Planetlab-support] UDP traffic to planetlab1.cse.nd.edu and planetlab2.cse.nd.edu

Frank Dabek fdabek at MIT.EDU
Thu Aug 14 20:23:45 EDT 2003


Brett,

	That looks like our traffic (at least the last few packets, based on
port numbers). I've killed my processes on those nodes. uscd is running
chord as well: they may be responsible for the other packets. 

However, the processes were not setting bits in the IP header in any
deliberate way. They simply call "send" to generate UDP RPC packets.
Perhaps some of the modifications you guys made to the network stack are
causing problems again? I'll run some tests on non-planetlab nodes and
let you know what I find.

--Frank

On Thu, 2003-08-14 at 18:58, BRETT, PAUL wrote:
> The mit4 account appears to be generating UDP traffic on all planetlab
> nodes with both the IP Don't Fragment and More Fragments bits set, which
> is flooding the Intrusion Detection System at Notre Dame.  For example:
> 
> [root at planetlab1 root]# /usr/local/planetlab/bin/tcpdump -lvvvn 'ip[6:1] & 0x60 = 0x60'
> tcpdump: listening on eth0
> 18:48:21.066137 129.105.44.80.56210 > 129.74.50.140.30001: udp 1536 (frag 55961:1480 at 0+) (ttl 57, len 1500)
> 18:48:21.077132 129.105.44.80.56210 > 129.74.50.140.30001: udp 1536 (frag 55962:1480 at 0+) (ttl 57, len 1500)
> 18:48:21.092004 129.105.44.80.56210 > 129.74.50.140.30001: udp 1536 (frag 55963:1480 at 0+) (ttl 57, len 1500)
> 18:48:58.390390 128.197.13.32.46307 > 129.74.50.140.11977: udp 1536 (frag 34327:1480 at 0+) (ttl 53, len 1500)
> 18:48:58.428373 128.197.13.32.46307 > 129.74.50.140.11977: udp 1536 (frag 34328:1480 at 0+) (ttl 53, len 1500)
> 18:49:33.159906 128.84.154.49.52210 > 129.74.50.140.11977: udp 1536 (frag 24266:1480 at 0+) (ttl 51, len 1500)
> 18:49:33.223503 128.84.154.49.52210 > 129.74.50.140.11977: udp 1536 (frag 24267:1480 at 0+) (ttl 51, len 1500)
> 18:49:33.286100 128.84.154.49.52210 > 129.74.50.140.11977: udp 1536 (frag 24268:1480 at 0+) (ttl 51, len 1500)
> 
> Could you please discontinue use of the Notre Dame University nodes
> until this issue has been addressed.
> 
> Thanks in anticipation.  If you have any queries, please do not hesitate
> to contact me.
> 
> Paul Brett
> PlanetLab Support
> Email: paul.brett at planet-lab.org
> Tel No: +1 503 712 4520
> 
> 
> 
> |    -----Original Message-----
> |    From: Bowman, Mic 
> |    Sent: Thursday, August 14, 2003 10:11 AM
> |    To: BRETT, PAUL
> |    Cc: Surendar Chandra; planetlab-support at lists.sourceforge.net
> |    Subject: FW: [Planetlab-support] UDP traffic to 
> |    planetlab1.cse.nd.edu and planetlab2.cse.nd.edu
> |    
> |    
> |    Paul, I sent this on to you earlier in the week. Did you 
> |    make any progress?
> |    
> |    --Mic
> |    
> |    -----Original Message-----
> |    From: Surendar Chandra [mailto:surendar at nd.edu] 
> |    Sent: Thursday, August 14, 2003 09:42 AM
> |    To: Bowman, Mic
> |    Cc: planetlab-support at lists.sourceforge.net
> |    Subject: Re: [Planetlab-support] UDP traffic to 
> |    planetlab1.cse.nd.edu and planetlab2.cse.nd.edu
> |    
> |    
> |    Hello, Any further help on this traffic? The planetlab machines are
> |    massively triggering our local IDS system.
> |    
> |    Thanks much
> |    -S
> |    
> |    > -----Original Message-----
> |    > From: Surendar Chandra [mailto:surendar at nd.edu]
> |    > Sent: Monday, August 04, 2003 11:46 AM
> |    > To: planetlab-support at lists.sourceforge.net
> |    > Subject: [Planetlab-support] UDP traffic to 
> |    planetlab1.cse.nd.edu and 
> |    > planetlab2.cse.nd.edu
> |    >
> |    >
> |    > Our system support at Notre Dame observed a big leap in badly formed
> |    > traffic to both Planetlab1 and Planetlab2.  For instance, so far this
> |    > morning, Snort has logged 1020 "bad frag bits" signatures for
> |    > Planetlab1 and 964 such events for Planetlab2 (UDP traffic in both
> |    > cases). Is this some traffic that we need to worry about? I tried to
> |    > directly send email using the corresponding web portal, but it doesn't
> |    > pick up any email address or name (of the researcher for this
> |    > traffic).
> |    >
> |    > Thanks much
> |    > -S
> |    > --
> |    > Surendar Chandra
> |    > Asst. Professor, Computer Science & Engg., Notre Dame 
> |    > http://www.cse.nd.edu/~surendar/
> |    >
> |    >
> |    >
> |    
> |    
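
An added example, not part of the original thread: the capture filter quoted above, `ip[6:1] & 0x60 = 0x60`, tests byte 6 of the IPv4 header for both Don't Fragment (0x40) and More Fragments (0x20). The Python below decodes that field and applies the same predicate to constructed headers; the function names and the RFC 5737 documentation addresses are assumptions made for the example.

```python
import socket
import struct
from collections import Counter

DF, MF = 0x40, 0x20  # bit masks within byte 6 of the IPv4 header

def ipv4_header(src, ident, flags, offset_bytes=0, total_len=1500, ttl=57):
    """Build a constructed 20-byte IPv4 header for UDP (checksum left at 0)."""
    # 16-bit field at bytes 6-7: 3 flag bits, then a 13-bit offset in 8-byte units
    field = ((flags & 0xE0) << 8) | ((offset_bytes // 8) & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, field,
                       ttl, 17, 0, socket.inet_aton(src),
                       socket.inet_aton("198.51.100.20"))

def frag_fields(pkt):
    """Decode the ID, DF, MF and fragment offset (in bytes) of an IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ident, field = struct.unpack("!HH", pkt[4:8])
    return {"id": ident, "df": bool(pkt[6] & DF), "mf": bool(pkt[6] & MF),
            "offset": (field & 0x1FFF) * 8}

def df_and_mf(pkt):
    """Same predicate as the capture filter: ip[6:1] & 0x60 = 0x60."""
    return (pkt[6] & (DF | MF)) == (DF | MF)

def count_by_source(packets):
    """Count DF+MF packets per source address, as an IDS summary would."""
    hits = Counter()
    for pkt in packets:
        if df_and_mf(pkt):
            hits[socket.inet_ntoa(pkt[12:16])] += 1
    return dict(hits)

# Constructed sample traffic (documentation addresses, not the hosts in the thread).
SAMPLE = [
    ipv4_header("192.0.2.10", 55961, DF | MF),   # first fragment with DF also set
    ipv4_header("192.0.2.10", 55962, DF | MF),
    ipv4_header("192.0.2.11", 34327, MF),        # ordinary first fragment
    ipv4_header("192.0.2.11", 34327, 0, offset_bytes=1480, total_len=84),  # last fragment
    ipv4_header("192.0.2.12", 24266, DF, total_len=512),  # unfragmented, DF only
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(frag_fields(p), "DF+MF" if df_and_mf(p) else "ok")
    print(count_by_source(SAMPLE))
```
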


