bogus packet size. did I get DoSed?

To: debian-security@lists.debian.org
Subject: bogus packet size. did I get DoSed?
From: Miquel Mart?n L?pez <miquel@casal.upc.es>
Date: Tue, 5 Jun 2001 02:05:58 +0200
Message-id: <[🔎] 20010605020558.A10730@casal.upc.es>

Hi all,
Without no apparent reason, I started receiving thousands of packets to one
of the interfaces. The network card is an rtl8029, and I logged between 70 and
80.000 packacges per second. They all where too big to be ethernet packets,
and they were reported by the kernel as:

Jun  4 12:20:15 nebula kernel: eth0: bogus packet size: 65312, status=0x0
nxpg=0x0.

Now, is the kernel reporting the size of an ethernet package? or is it
something else?

The system was getting so many packages it was DoSed, now the funny thing is
it all stopped when we rebooted, so it was probably something running
locally. I tried bringing the interface down, unplugging and replugging and
nothing worked. The only processes running that took a significant amount of
cpu usage where syslogd and klogd, that were busy reporting the packet storm.
Moreover, no other computer in the network saw those packages.

The ethernet is well used and has never given any similar problem. Of course
it might be getting old... The point is it was not some strange change (At
least not by me) that made the thing start

So I'm left with few options:
a) hardware problem with the ethernet card
b) local user starting some wicked loop
c) strange packet got in the interface and persuaded the system to generate
this crazy storm.

Any other options? What do you think it was? I'm just worried that whatever
happened happens again :(

Any help appreciated!

Miquel Martín

Reply to:

Prev by Date: Re: MASQUERADE problem
Next by Date: Re: 'locate' does not check permissions
Previous by thread: Re: Web Server firewall help
Next by thread: potential buffer overflow in xinetd-2.1.8.9pre11-1 (fwd)
Index(es):
- Date
- Thread