[chord] RE: [Planetlab-support] UDP traffic to planetlab1.cse.nd.edu and planetlab2.cse.nd.edu

Paul Brett paul.brett at planet-lab.org
Thu Aug 14 14:30:37 EDT 2003


Frank

This traffic is also being generated by mit6, which is running chord and
lsd.  I don't know of any changes in the network stack on PlanetLab
nodes that would account for this.

Surendar

Now that we have isolated the traffic to particular research
experiments, would it be possible to modify your IDS rules to ignore
these packets?

Regards

Paul Brett
PlanetLab Support
Email: paul.brett at planet-lab.org
Tel No: +1 503 712 4520



|    -----Original Message-----
|    From: Frank Dabek [mailto:fdabek at MIT.EDU] 
|    Sent: Thursday, August 14, 2003 12:24 PM
|    To: BRETT, PAUL
|    Cc: mit4 at slice.planet-lab.org; Surendar Chandra;
|    planetlab-support at lists.sourceforge.net;
|    chord at amsterdam.lcs.mit.edu
|    Subject: RE: [Planetlab-support] UDP traffic to
|    planetlab1.cse.nd.edu and planetlab2.cse.nd.edu
|    
|    
|    Brett,
|    
|    	That looks like our traffic (at least the last few packets, based on
|    port numbers). I've killed my processes on those nodes. uscd is running
|    chord as well: they may be responsible for the other packets.
|    
|    However, the processes were not setting bits in the IP header in any
|    deliberate way. They simply call "send" to generate UDP RPC packets.
|    Perhaps some of the modifications you guys made to the network stack are
|    causing problems again? I'll run some tests on non-planetlab nodes and
|    let you know what I find.
|    
|    --Frank
|    
|    On Thu, 2003-08-14 at 18:58, BRETT, PAUL wrote:
|    > The mit4 account appears to be generating UDP traffic on all planetlab
|    > nodes with both the IP Don't Fragment and More Fragments bits set, which
|    > is flooding the Intrusion Detection System at Notre Dame.  For example:
|    > 
|    > [root@planetlab1 root]# /usr/local/planetlab/bin/tcpdump -lvvvn 'ip[6:1] & 0x60 = 0x60'
|    > tcpdump: listening on eth0
|    > 18:48:21.066137 129.105.44.80.56210 > 129.74.50.140.30001: udp 1536 (frag 55961:1480@0+) (ttl 57, len 1500)
|    > 18:48:21.077132 129.105.44.80.56210 > 129.74.50.140.30001: udp 1536 (frag 55962:1480@0+) (ttl 57, len 1500)
|    > 18:48:21.092004 129.105.44.80.56210 > 129.74.50.140.30001: udp 1536 (frag 55963:1480@0+) (ttl 57, len 1500)
|    > 18:48:58.390390 128.197.13.32.46307 > 129.74.50.140.11977: udp 1536 (frag 34327:1480@0+) (ttl 53, len 1500)
|    > 18:48:58.428373 128.197.13.32.46307 > 129.74.50.140.11977: udp 1536 (frag 34328:1480@0+) (ttl 53, len 1500)
|    > 18:49:33.159906 128.84.154.49.52210 > 129.74.50.140.11977: udp 1536 (frag 24266:1480@0+) (ttl 51, len 1500)
|    > 18:49:33.223503 128.84.154.49.52210 > 129.74.50.140.11977: udp 1536 (frag 24267:1480@0+) (ttl 51, len 1500)
|    > 18:49:33.286100 128.84.154.49.52210 > 129.74.50.140.11977: udp 1536 (frag 24268:1480@0+) (ttl 51, len 1500)
|    > 
|    > Could you please discontinue use of the Notre Dame University nodes
|    > until this issue has been addressed.
|    > 
|    > Thanks in anticipation.  If you have any queries, please do not hesitate
|    > to contact me.
|    > 
|    > Paul Brett
|    > PlanetLab Support
|    > Email: paul.brett at planet-lab.org
|    > Tel No: +1 503 712 4520
|    > 
|    > 
|    > 
|    > |    -----Original Message-----
|    > |    From: Bowman, Mic 
|    > |    Sent: Thursday, August 14, 2003 10:11 AM
|    > |    To: BRETT, PAUL
|    > |    Cc: Surendar Chandra; planetlab-support at lists.sourceforge.net
|    > |    Subject: FW: [Planetlab-support] UDP traffic to 
|    > |    planetlab1.cse.nd.edu and planetlab2.cse.nd.edu
|    > |    
|    > |    
|    > |    Paul, I sent this on to you earlier in the week. Did you 
|    > |    make any progress?
|    > |    
|    > |    --Mic
|    > |    
|    > |    -----Original Message-----
|    > |    From: Surendar Chandra [mailto:surendar at nd.edu] 
|    > |    Sent: Thursday, August 14, 2003 09:42 AM
|    > |    To: Bowman, Mic
|    > |    Cc: planetlab-support at lists.sourceforge.net
|    > |    Subject: Re: [Planetlab-support] UDP traffic to 
|    > |    planetlab1.cse.nd.edu and planetlab2.cse.nd.edu
|    > |    
|    > |    
|    > |    Hello, Any further help on this traffic? The planetlab machines are
|    > |    massively triggering our local IDS system.
|    > |    
|    > |    Thanks much
|    > |    -S
|    > |    
|    > |    > -----Original Message-----
|    > |    > From: Surendar Chandra [mailto:surendar at nd.edu]
|    > |    > Sent: Monday, August 04, 2003 11:46 AM
|    > |    > To: planetlab-support at lists.sourceforge.net
|    > |    > Subject: [Planetlab-support] UDP traffic to planetlab1.cse.nd.edu and
|    > |    > planetlab2.cse.nd.edu
|    > |    >
|    > |    >
|    > |    > Our system support at Notre Dame observed a big leap in badly formed
|    > |    > traffic to both Planetlab1 and Planetlab2.  For instance, so far this
|    > |    > morning, Snort has logged 1020 "bad frag bits" signatures for
|    > |    > Planetlab1 and 964 such events for Planetlab2 (UDP traffic in both
|    > |    > cases). Is this some traffic that we need to worry about? I tried to
|    > |    > directly send email using the corresponding web portal, but it doesn't
|    > |    > pick up any email address or name (of the researcher for this
|    > |    > traffic).
|    > |    >
|    > |    > Thanks much
|    > |    > -S
|    > |    > --
|    > |    > Surendar Chandra
|    > |    > Asst. Professor, Computer Science & Engg., Notre Dame 
|    > |    > http://www.cse.nd.edu/~surendar/
|    > |    >
|    > |    >
|    > |    >
> |    
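The capture filter quoted in this thread, `ip[6:1] & 0x60 = 0x60`, selects IPv4 packets whose flags byte has both Don't Fragment and More Fragments set. The sketch below is an added example, not code from the thread or from PlanetLab: it applies the same test to raw header bytes. The helper names are hypothetical and the headers are constructed, with the first one reusing the values of the first packet in the quoted capture.

```python
import socket
import struct

DF = 0x40  # Don't Fragment, as it appears in byte 6 of the IPv4 header
MF = 0x20  # More Fragments, same byte


def build_ipv4_header(src, dst, ident, flags, frag_offset=0, ttl=64, total_len=1500):
    """Constructed test input: 20-byte IPv4 header for UDP (checksum left at 0)."""
    flags_frag = (flags << 8) | (frag_offset // 8)  # offset is stored in 8-byte units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       ttl, socket.IPPROTO_UDP, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_frag_fields(header):
    """Decode the fields tcpdump prints as '(frag id:size@offset+)'."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ident, flags_frag = struct.unpack_from("!HH", header, 4)
    return {
        "src": socket.inet_ntoa(header[12:16]),
        "id": ident,
        "df": bool(header[6] & DF),
        "mf": bool(header[6] & MF),
        "offset": (flags_frag & 0x1FFF) * 8,
    }


def matches_filter(header):
    """Same test as the capture filter: ip[6:1] & 0x60 = 0x60."""
    return (header[6] & (DF | MF)) == (DF | MF)


# Constructed samples: DF+MF (the reported pattern), DF only, MF only, last fragment.
SAMPLES = [
    build_ipv4_header("129.105.44.80", "129.74.50.140", 55961, DF | MF, ttl=57),
    build_ipv4_header("129.105.44.80", "129.74.50.140", 100, DF, total_len=128),
    build_ipv4_header("129.105.44.80", "129.74.50.140", 101, MF),
    build_ipv4_header("129.105.44.80", "129.74.50.140", 101, 0, frag_offset=1480, total_len=76),
]


def flagged_ids(headers):
    """IP IDs of the headers the filter would capture."""
    return [parse_frag_fields(h)["id"] for h in headers if matches_filter(h)]


if __name__ == "__main__":
    for h in SAMPLES:
        print(parse_frag_fields(h), "captured" if matches_filter(h) else "ignored")
```

Only the first sample is captured; ordinary DF-only datagrams and normal MF fragments pass the filter untouched, which is why the capture isolates exactly the packets behind the "bad frag bits" alerts.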