[chord] RE: [Planetlab-support] UDP traffic to planetlab1.cse.nd.edu and planetlab2.cse.nd.edu
Michael Walfish
mwalfish at lcs.mit.edu
Thu Aug 14 17:50:46 EDT 2003
I should have read more carefully -- the 30001 port packets (mit6) are my
fault. I've killed lsd on the nd.edu planetlab nodes.
| Date: Thu, 14 Aug 2003 13:30:37 -0700
| From: Paul Brett <paul.brett at planet-lab.org>
| To: 'Frank Dabek' <fdabek at mit.edu>, Surendar Chandra <surendar at nd.edu>
| Cc: chord at amsterdam.lcs.mit.edu, planetlab-support at lists.sourceforge.net,
| mit6 at slice.planet-lab.org, mit4 at slice.planet-lab.org
| Subject: [chord] RE: [Planetlab-support] UDP traffic to
| planetlab1.cse.nd.edu and planetlab2.cse.nd.edu
|
| Frank
|
| This traffic is also being generated by mit6, which is running chord and
| lsd. I don't know of any changes in the network stack on PlanetLab
| nodes that would account for this.
|
| Surendar
|
| Now that we have isolated the traffic to particular research
| experiments, would it be possible to modify your IDS rules to ignore
| these packets?
|
| Regards
|
| Paul Brett
| PlanetLab Support
| Email: paul.brett at planet-lab.org
| Tel No: +1 503 712 4520
|
|
|
| | -----Original Message-----
| | From: Frank Dabek [mailto:fdabek at MIT.EDU]
| | Sent: Thursday, August 14, 2003 12:24 PM
| | To: BRETT, PAUL
| | Cc: mit4 at slice.planet-lab.org; Surendar Chandra;
| | planetlab-support at lists.sourceforge.net;
| | chord at amsterdam.lcs.mit.edu
| | Subject: RE: [Planetlab-support] UDP traffic to
| | planetlab1.cse.nd.edu and planetlab2.cse.nd.edu
| |
| |
| | Brett,
| |
| | That looks like our traffic (at least the last few packets, based on
| | port numbers). I've killed my processes on those nodes. uscd is running
| | chord as well: they may be responsible for the other packets.
| |
| | However, the processes were not setting bits in the IP header in any
| | deliberate way. They simply call "send" to generate UDP RPC packets.
| | Perhaps some of the modifications you guys made to the network stack are
| | causing problems again? I'll run some tests on non-planetlab nodes and
| | let you know what I find.
| |
| | --Frank
| |
| | On Thu, 2003-08-14 at 18:58, BRETT, PAUL wrote:
| | > The mit4 account appears to be generating UDP traffic on all planetlab
| | > nodes with both the IP Don't Fragment and More Fragments bits set, which
| | > is flooding the Intrusion Detection System at Notre Dame. For example:
| | >
| | > [root@planetlab1 root]# /usr/local/planetlab/bin/tcpdump -lvvvn 'ip[6:1] & 0x60 = 0x60'
| | > tcpdump: listening on eth0
| | > 18:48:21.066137 129.105.44.80.56210 > 129.74.50.140.30001: udp 1536 (frag 55961:1480@0+) (ttl 57, len 1500)
| | > 18:48:21.077132 129.105.44.80.56210 > 129.74.50.140.30001: udp 1536 (frag 55962:1480@0+) (ttl 57, len 1500)
| | > 18:48:21.092004 129.105.44.80.56210 > 129.74.50.140.30001: udp 1536 (frag 55963:1480@0+) (ttl 57, len 1500)
| | > 18:48:58.390390 128.197.13.32.46307 > 129.74.50.140.11977: udp 1536 (frag 34327:1480@0+) (ttl 53, len 1500)
| | > 18:48:58.428373 128.197.13.32.46307 > 129.74.50.140.11977: udp 1536 (frag 34328:1480@0+) (ttl 53, len 1500)
| | > 18:49:33.159906 128.84.154.49.52210 > 129.74.50.140.11977: udp 1536 (frag 24266:1480@0+) (ttl 51, len 1500)
| | > 18:49:33.223503 128.84.154.49.52210 > 129.74.50.140.11977: udp 1536 (frag 24267:1480@0+) (ttl 51, len 1500)
| | > 18:49:33.286100 128.84.154.49.52210 > 129.74.50.140.11977: udp 1536 (frag 24268:1480@0+) (ttl 51, len 1500)
| | >
| | > Could you please discontinue use of the Notre Dame University nodes
| | > until this issue has been addressed.
| | >
| | > Thanks in anticipation. If you have any queries, please do not hesitate
| | > to contact me.
| | >
| | > Paul Brett
| | > PlanetLab Support
| | > Email: paul.brett at planet-lab.org
| | > Tel No: +1 503 712 4520
| | >
| | >
| | >
| | > | -----Original Message-----
| | > | From: Bowman, Mic
| | > | Sent: Thursday, August 14, 2003 10:11 AM
| | > | To: BRETT, PAUL
| | > | Cc: Surendar Chandra; planetlab-support at lists.sourceforge.net
| | > | Subject: FW: [Planetlab-support] UDP traffic to
| | > | planetlab1.cse.nd.edu and planetlab2.cse.nd.edu
| | > |
| | > |
| | > | Paul, I sent this on to you earlier in the week. Did you
| | > | make any progress?
| | > |
| | > | --Mic
| | > |
| | > | -----Original Message-----
| | > | From: Surendar Chandra [mailto:surendar at nd.edu]
| | > | Sent: Thursday, August 14, 2003 09:42 AM
| | > | To: Bowman, Mic
| | > | Cc: planetlab-support at lists.sourceforge.net
| | > | Subject: Re: [Planetlab-support] UDP traffic to
| | > | planetlab1.cse.nd.edu and planetlab2.cse.nd.edu
| | > |
| | > |
| | > | Hello, Any further help on this traffic? The planetlab machines are
| | > | massively triggering our local IDS system.
| | > |
| | > | Thanks much
| | > | -S
| | > |
| | > | > -----Original Message-----
| | > | > From: Surendar Chandra [mailto:surendar at nd.edu]
| | > | > Sent: Monday, August 04, 2003 11:46 AM
| | > | > To: planetlab-support at lists.sourceforge.net
| | > | > Subject: [Planetlab-support] UDP traffic to planetlab1.cse.nd.edu and
| | > | > planetlab2.cse.nd.edu
| | > | >
| | > | >
| | > | > Our system support at Notre Dame observed a big leap in badly formed
| | > | > traffic to both Planetlab1 and Planetlab2. For instance, so far this
| | > | > morning, Snort has logged 1020 "bad frag bits" signatures for
| | > | > Planetlab1 and 964 such events for Planetlab2 (UDP traffic in both
| | > | > cases). Is this some traffic that we need to worry about? I tried to
| | > | > directly send email using the corresponding web portal, but it doesn't
| | > | > pick up any email address or name (of the researcher for this
| | > | > traffic).
| | > | >
| | > | > Thanks much
| | > | > -S
| | > | > --
| | > | > Surendar Chandra
| | > | > Asst. Professor, Computer Science & Engg., Notre Dame
| | > | > http://www.cse.nd.edu/~surendar/
| | > | >
| | > | >
| | > | >
| > |
| > |
|
|
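Added example (not part of the original thread): the same test as the quoted tcpdump filter `ip[6:1] & 0x60 = 0x60`, applied in Python to raw IPv4 headers and grouped by source address and UDP destination port, which is how the traffic in this thread was attributed to particular experiments. The packets are constructed samples modelled on the quoted capture; `build_packet`, `frag_bits` and `triage` are names chosen for this example.

```python
import socket
import struct
from collections import Counter

DF, MF = 0x40, 0x20  # bits of IPv4 header byte 6, as tested by ip[6:1] & 0x60

def build_packet(src, dst, sport, dport, ident, flags, frag_off=0):
    """Constructed IPv4+UDP header (checksums left zero) for the demo."""
    flags_off = (flags << 8) | frag_off  # flags occupy the top 3 bits
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, ident, flags_off,
                     57, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHHH", sport, dport, 1544, 0)

def frag_bits(packet):
    """Return the DF/MF bits of byte 6, or None if the packet is not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    return packet[6] & (DF | MF)

def triage(packets):
    """Count packets with both DF and MF set per (source, UDP dest port)."""
    hits = Counter()
    for pkt in packets:
        if frag_bits(pkt) != (DF | MF):
            continue
        ihl = (pkt[0] & 0x0F) * 4
        offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
        dport = None
        # The UDP header is only present in the first fragment (offset 0).
        if pkt[9] == 17 and offset == 0 and len(pkt) >= ihl + 8:
            dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        hits[(socket.inet_ntoa(pkt[12:16]), dport)] += 1
    return hits

# Constructed sample modelled on the capture quoted in the thread.
SAMPLE = [
    build_packet("129.105.44.80", "129.74.50.140", 56210, 30001, 55961, DF | MF),
    build_packet("129.105.44.80", "129.74.50.140", 56210, 30001, 55962, DF | MF),
    build_packet("128.197.13.32", "129.74.50.140", 46307, 11977, 34327, DF | MF),
    build_packet("128.197.13.32", "129.74.50.140", 46307, 11977, 34328, MF),  # ordinary first fragment
    build_packet("128.84.154.49", "129.74.50.140", 52210, 11977, 24266, DF),  # ordinary unfragmented packet
]

if __name__ == "__main__":
    for (src, dport), n in triage(SAMPLE).most_common():
        print(f"{src} -> udp/{dport}: {n} packet(s) with DF+MF set")
```
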