This is a discussion on DOS attacks on linux computers within the Linux Security forums, part of the System Security and Security Related category.
There are some of us in an office who have been noticing lock-ups on our computers on a weekly basis. We are using linux as our desktop.

We have snort monitoring traffic from our firewall. Snort is not showing anything targeting these computers. So my current conclusion is that some way, somehow, one of the internal computers is causing the denial of service.

This started out sporadically over the last few weeks (1 per week out of 30), then in the last 24 hours 3 computers have had to be rebooted. They are usually just locked up and can't be accessed via ssh or gnome. When I have checked, I can ping the computer.

Log /var/log/message doesn't seem to indicate anything is going on, it just stops whenever the computer locks up.

I've thought there might be a bug somewhere in CentOS4 that is causing this, but haven't seen any postings indicating such. But we do have systems with the same distro version and they don't seem to be affected by this. I thought maybe it was something we were doing on the desktop, but when the file server started having problems also, I started wondering if maybe there was a problem another computer was causing.

I am looking for a way to find why systems are hanging and if this is being caused by an attack on the linux boxes. Is there some cute way that a script kiddy could be DOS'ing our computers (What would be the most likely point of attack?). Is there some way to monitor this without DOS'ing ourselves?
On Thu, 15 Jun 2006 06:03:42 -0700, jim_patterson wrote:
> There are some of us in an office who have been noticing lock-ups on
> our computers on a weekly basis. We are using linux as our desktop.
>

I would start out by eliminating the simplest possibilities first. Are all the machines running X? Does the problem persist if all the machines boot into character mode?
jim_patterson@comcast.net (06-06-15 06:03:42):
> I am looking for a way to find why systems are hanging and if this is
> being caused by an attack on the linux boxes. Is there some cute way
> that script kiddy could be DOS'ing our computers (What would be the
> most likely point of attack?). Is there someway to monitor this
> without DOS'ing ourselves.

First check the privileges. Does everybody have the privilege to contact every other computer in the network? What kind of access (NFS, FTP, SSH, ...) do your users have to the fileserver? If they cannot run code on the fileserver (e.g. using SSH), then this may be a network level problem.

In that case, install a wiretap somewhere, running on another distribution than your current one (so it's not affected as well). If the computer behind the wiretap locks up, then check the packet log of the wiretap immediately to find out what was causing this.

All in all, this really sounds like a Linux bug. Two critical vulnerabilities have been fixed in the kernel recently (in terms of a few months), one of them being remotely, the other one locally exploitable. If your distribution uses old Linux versions, upgrade now. If it doesn't upgrade to at least 2.4.32 or 2.6.14.6, then it looks like you're going to build one on your own.

Regards,
E.S.
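The version check suggested in the reply above can be scripted across the 30 machines; this is an added example, not part of the original thread. The function names are hypothetical, and the only thresholds used are the two the reply names (2.4.32 and 2.6.14.6).

```shell
#!/bin/sh
# Added example. Thresholds come from the reply above: 2.4.32 and 2.6.14.6.

# ver_ge A B: succeed when dotted version A >= B (first four numeric fields).
ver_ge() {
    a="$1.0.0.0" b="$2.0.0.0"      # pad so cut always finds four fields
    for i in 1 2 3 4; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0} y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# kernel_meets_minimum RELEASE
#   0 = at or above the minimum for its series
#   1 = below it
#   2 = not a 2.4 or 2.6 kernel, so the reply's minimums say nothing about it
kernel_meets_minimum() {
    rel=${1%%[!0-9.]*}             # "2.6.9-34.EL" -> "2.6.9"
    case $rel in
        2.4|2.4.*) min=2.4.32 ;;
        2.6|2.6.*) min=2.6.14.6 ;;
        *) return 2 ;;
    esac
    ver_ge "$rel" "$min"
}

# check_release RELEASE: print a one-line verdict; always returns 0.
check_release() {
    rc=0
    kernel_meets_minimum "$1" || rc=$?
    case $rc in
        0) echo "$1: at or above the minimum for its series" ;;
        1) echo "$1: below the minimum named in the reply; check for updates" ;;
        *) echo "$1: not a 2.4 or 2.6 kernel; the reply's minimums do not apply" ;;
    esac
}

check_release "$(uname -r)"
```

Vendor kernels such as the ones shipped with CentOS carry backported fixes under an older version number, so a "below the minimum" result on a distribution kernel means checking the vendor's errata, not that the fix is necessarily missing.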
On Thu, 15 Jun 2006 06:03:42 -0700, jim_patterson wrote:
> There are some of us in an office who have been noticing lock-ups on our
> computers on a weekly basis. We are using linux as our desktop.

Have you thought of overheating processors as a possible cause? When was the last time these cases were blown out?
jim_patterson@comcast.net wrote:
> There are some of us in an office who have been noticing lock-ups on
> our computers on a weekly basis. We are using linux as our desktop.
>
> We have snort monitoring traffic from our firewall. Snort it not
> showing anything targeting these computers. So my current conclusion
> is that someway somehow one of the internal computers is causing the
> denial of service.
>
> This started out sporadically over the last few weeks (1 per week out
> of 30), then in the last 24 hours 3 computers have had to be rebooted.
> They are usually just locked up and can't be accessed via ssh or gnome.
> When I have checked, I can ping the computer.
>
> Log /var/log/message doesn't seem to indicate anything is going on, it
> just stops whenever the computer locks up.
>
> I've thought there might be a bug somewhere in CentOS4 that is causing
> this, but haven't seen any postings indicating such. But we do have
> systems with the same distro version and they don't seem to be affected
> by this. I thought maybe it was something we were doing on the
> desktop, but when the file server started having problems also, I
> started wondering if maybe there was a problem another computer was
> causing.
> I am looking for a way to find why systems are hanging and if this is
> being caused by an attack on the linux boxes. Is there some cute way
> that script kiddy could be DOS'ing our computers (What would be the
> most likely point of attack?). Is there someway to monitor this
> without DOS'ing ourselves.

Systems which went down yesterday were:
- One system which went down yesterday is strictly an smb server. This system has not gone down since it was brought up in Oct of last year.
- The other two are smb server/clients and nfs clients and both are running vmware.

Last month I had one server that hadn't gone down in 3 years go down once during 3 straight weeks. It has now been up for 2 straight weeks.

Thanks for the replies.

I have downloaded the latest stable kernel and changed my sysctl settings:

    echo 1 > /proc/sys/kernel/sysrq
    # /etc/sysctl.conf
    kernel.sysrq=1

Hopefully I'll either fix the problem or find the problem. I am concerned that this setting will adversely affect performance, but I'll give it a shot for now.

I currently do not have another system to use as a tap, so I'll have to wait on doing that.

I'll also double check whether any of these systems are unnecessarily booting into X.
Good point. One is currently in a HEPA environment, another I looked at and still appears to be clean (7 months in service). The other two, I should probably check. I'm a little superstitious about cleaning a computer. I have had them quit working after blowing them. I think I tilted the can on one occasion and got moisture on the system and on another something got loosened up. The latter eventually started working again.

prodigal1 wrote:
> On Thu, 15 Jun 2006 06:03:42 -0700, jim_patterson wrote:
>
> > There are some of us in an office who have been noticing lock-ups on our
> > computers on a weekly basis. We are using linux as our desktop.
>
> Have you thought of overheating processors as a possible cause? When was
> the last time these cases were blown out?
On Thu, 15 Jun 2006 11:55:51 -0700, jim_patterson wrote:
> Good point. One is currently in a hepa environment, another I looked at
> and still appears to be clean (7months in service). The other two, I
> should probably check. I'm a little superstitious about cleaning a
> computer. I have had them quit working after blowing them. I think I
> tilted the can on one occasion and got moisture on the system and on
> another something got loosened up. The later eventually started working
> again.

My technique is not for the faint of heart. I take the filthy beasts out onto my back porch, fire up my Toro electric leaf blower, and wail the living tar out of the insides of the box. Full blast! Watch those dust bunnies blow up real good. I have yet to wreck one yet. But I digress...