[chord] Re: [Planetlab-support] UDP traffic to planetlab1.cse.nd.edu andplanetlab2.cse.nd.edu

Surendar Chandra surendar at nd.edu
Thu Aug 14 16:45:39 EDT 2003 

Okay, I will tell out support folks to ignore these packets.

Thanks much
-S

> Frank
>
> This traffic is also being generated my mit6, which is running chord 
> and
> lsd.  I don't know of any changes in the network stack on PlanetLab
> nodes that would account for this.
>
> Surrendar
>
> Now that we have isolated the traffic to particular research
> experiments, would it be possible to modify your IDS rules to ignore
> these packets?
>
> Regards
>
> Paul Brett
> PlanetLab Support
> Email: paul.brett at planet-lab.org
> Tel No: +1 503 712 4520
>
>
>
> |    -----Original Message-----
> |    From: Frank Dabek [mailto:fdabek at MIT.EDU]
> |    Sent: Thursday, August 14, 2003 12:24 PM
> |    To: BRETT, PAUL
> |    Cc: mit4 at slice.planet-lab.org; Surendar Chandra;
> |    planetlab-support at lists.sourceforge.net;
> |    chord at amsterdam.lcs.mit.edu
> |    Subject: RE: [Planetlab-support] UDP traffic to
> |    planetlab1.cse.nd.edu andplanetlab2.cse.nd.edu
> |
> |
> |    Brett,
> |
> |    	That looks like our traffic (at least the last few
> |    packets, based on
> |    port numbers). I've killed my processes on those nodes.
> |    uscd is running
> |    chord as well: they may be responsible for the other packets.
> |
> |    However, the processes were not setting bits in the IP
> |    header in any
> |    deliberate way. They simply call "send" to generate UDP
> |    RPC packets.
> |    Perhaps some of the modifications you guys made to the
> |    network stack are
> |    causing problems again? I'll run some tests on
> |    non-planetlab nodes and
> |    let you know what I find.
> |
> |    --Frank
> |
> |    On Thu, 2003-08-14 at 18:58, BRETT, PAUL wrote:
> |    > The mit4 account appears to be generating UDP traffic on
> |    all planetlab
> |    > nodes with both the IP Don't Fragment and More Fragments
> |    bits set, which
> |    > is flooding the Intrusion Detection System at Notre
> |    Dame.  For example:
> |    >
> |    > [root at planetlab1 root]# /usr/local/planetlab/bin/tcpdump
> |    -lvvvn 'ip[6:1]
> |    > & 0x60 = 0x60'
> |    > tcpdump: listening on eth0
> |    > 18:48:21.066137 129.105.44.80.56210 >
> |    129.74.50.140.30001: udp 1536
> |    > (frag 55961:1480 at 0+) (ttl 57, len 1500)
> |    > 18:48:21.077132 129.105.44.80.56210 >
> |    129.74.50.140.30001: udp 1536
> |    > (frag 55962:1480 at 0+) (ttl 57, len 1500)
> |    > 18:48:21.092004 129.105.44.80.56210 >
> |    129.74.50.140.30001: udp 1536
> |    > (frag 55963:1480 at 0+) (ttl 57, len 1500)
> |    > 18:48:58.390390 128.197.13.32.46307 >
> |    129.74.50.140.11977: udp 1536
> |    > (frag 34327:1480 at 0+) (ttl 53, len 1500)
> |    > 18:48:58.428373 128.197.13.32.46307 >
> |    129.74.50.140.11977: udp 1536
> |    > (frag 34328:1480 at 0+) (ttl 53, len 1500)
> |    > 18:49:33.159906 128.84.154.49.52210 >
> |    129.74.50.140.11977: udp 1536
> |    > (frag 24266:1480 at 0+) (ttl 51, len 1500)
> |    > 18:49:33.223503 128.84.154.49.52210 >
> |    129.74.50.140.11977: udp 1536
> |    > (frag 24267:1480 at 0+) (ttl 51, len 1500)
> |    > 18:49:33.286100 128.84.154.49.52210 >
> |    129.74.50.140.11977: udp 1536
> |    > (frag 24268:1480 at 0+) (ttl 51, len 1500)
> |    >
> |    > Could you please discontinue use of the Notre Dame
> |    University nodes
> |    > until this issue has been addressed.
> |    >
> |    > Thanks in anticipation.  If you have any queries, please
> |    do not hesitate
> |    > to contact me.
> |    >
> |    > Paul Brett
> |    > PlanetLab Support
> |    > Email: paul.brett at planet-lab.org
> |    > Tel No: +1 503 712 4520
> |    >
> |    >
> |    >
> |    > |    -----Original Message-----
> |    > |    From: Bowman, Mic
> |    > |    Sent: Thursday, August 14, 2003 10:11 AM
> |    > |    To: BRETT, PAUL
> |    > |    Cc: Surendar Chandra;
> |    planetlab-support at lists.sourceforge.net
> |    > |    Subject: FW: [Planetlab-support] UDP traffic to
> |    > |    planetlab1.cse.nd.edu and planetlab2.cse.nd.edu
> |    > |
> |    > |
> |    > |    Paul, I sent this on to you earlier in the week. Did you
> |    > |    make any progress?
> |    > |
> |    > |    --Mic
> |    > |
> |    > |    -----Original Message-----
> |    > |    From: Surendar Chandra [mailto:surendar at nd.edu]
> |    > |    Sent: Thursday, August 14, 2003 09:42 AM
> |    > |    To: Bowman, Mic
> |    > |    Cc: planetlab-support at lists.sourceforge.net
> |    > |    Subject: Re: [Planetlab-support] UDP traffic to
> |    > |    planetlab1.cse.nd.edu and planetlab2.cse.nd.edu
> |    > |
> |    > |
> |    > |    Hello, Any further help on this traffic? The planetlab
> |    > |    machines are
> |    > |    massively triggering
> |    > |    our local IDS system.
> |    > |
> |    > |    Thanks much
> |    > |    -S
> |    > |
> |    > |    > -----Original Message-----
> |    > |    > From: Surendar Chandra [mailto:surendar at nd.edu]
> |    > |    > Sent: Monday, August 04, 2003 11:46 AM
> |    > |    > To: planetlab-support at lists.sourceforge.net
> |    > |    > Subject: [Planetlab-support] UDP traffic to
> |    > |    planetlab1.cse.nd.edu and
> |    > |    > planetlab2.cse.nd.edu
> |    > |    >
> |    > |    >
> |    > |    > Our system support at Notre Dame observed a big leap in
> |    > |    badly formed
> |    > |    > traffic to both Planetlab1 and Planetlab2.  For
> |    > |    instance, so far this
> |    > |    > morning, Snort has logged 1020 \"bad frag bits\"
> |    signatures for
> |    > |    > Planetlab1 and 964 such events for Planetlab2 (UDP
> |    > |    traffic in both
> |    > |    > cases). Is this some traffic that we need to
> |    worry? I tried to
> |    > |    > directly send email using the corresponding web portal,
> |    > |    but it doesn't
> |    > |    > pick up any email address or name (of the
> |    researcher for this
> |    > |    > traffic).
> |    > |    >
> |    > |    > Thanks much
> |    > |    > -S
> |    > |    > --
> |    > |    > Surendar Chandra
> |    > |    > Asst. Professor, Computer Science & Engg., Notre Dame
> |    > |    > http://www.cse.nd.edu/~surendar/
> |    > |    >
> |    > |    >
> |    > |    >
> |    > |    > -------------------------------------------------------
> |    > |    > This SF.Net email sponsored by: Free pre-built ASP.NET
> |    > |    sites including
> |    > |    > Data Reports, E-commerce, Portals, and Forums are
> |    available now.
> |    > |    > Download today and enter to win an XBOX or Visual
> |    Studio .NET.
> |    > |    > http://aspnet.click-url.com/go/psa00100003ave/
> |    > |    > direct;at.aspnet_072303_01
> |    > |    > /01
> |    > |    > _______________________________________________
> |    > |    > Planetlab-support mailing list
> |    > |    Planetlab-support at lists.sourceforge.net
> |    > |    >
> |    https://lists.sourceforge.net/lists/listinfo/planetlab-supp
> ort
>> |
>> |
>

More information about the chord mailing list