Re: strange traffic from Solaris systems showing up on IDS

From: Crist J. Clark (cristjc@earthlink.net)
Date: 10/22/01


Date: Mon, 22 Oct 2001 01:09:55 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Ben Tetu-Pappas <bpappas@totality.com>
Subject: Re: strange traffic from Solaris systems showing up on IDS
Message-ID: <20011022010955.A332@blossom.cjclark.org>

On Fri, Oct 19, 2001 at 05:12:18PM -0700, Ben Tetu-Pappas wrote:
> I've been seeing some traffic on one of our IDS systems that has me puzzled.
> All of the hosts that generate this traffic are Ultra5 systems running
> Solaris 7 or 8.
>
> Traffic looks like this:
> Source Addr: 192.168.105.239
> Source Port: 38847        <---- source ports are always above 30,000
> Dest Addr:   0.0.0.0      <---- destination address is always 0.0.0.0
> Dest Port:   0            <---- destination port is always 0
> TCP/UDP:     TCP          <---- traffic is always TCP
> TCP Flags:   rst ack      <---- TCP flags are always rst ack
>
> As best as I can determine the only correlation that I can come up with is
> that the systems that cause this traffic seem to be starting various
> /usr/dt/bin/* processes when I see the traffic. So what are Solaris and/or
> DT up to that create this seemingly odd traffic?

When I first set up an IDS box on a network with Solaris boxen, I saw
a _ton_ of these. 0.0.0.0 is not a valid destination address for IP
traffic. Nor is 0 a valid TCP port. (That is, these are totally broken
packets.) It is a Solaris kernel bug. Apply a recent "Recommended &
Security Patches" set. I don't have the exact patch number or bug
number handy. Sun support can find that for you rather quickly if you
have a contract.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
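As an added illustration of the triage described in this thread (example code written for this page, not from either poster), the following Python parses a raw IPv4/TCP header pair and classifies packets that match the reported pattern: destination 0.0.0.0, destination port 0, flags RST+ACK. The packet bytes are constructed inline with a zeroed checksum; the function names (`parse_ipv4_tcp`, `classify`, `build_ipv4_tcp`) and the label strings are my own choices, and the source-port threshold of 30,000 is only the figure observed in the original report.

```python
import struct
from ipaddress import IPv4Address

# TCP flag bits in the low 9 bits of the data-offset/flags word.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IPPROTO_TCP = 6


def flag_names(flags: int) -> str:
    """Render flag bits the way the IDS in the thread prints them, e.g. 'rst ack'."""
    names = [("fin", TCP_FIN), ("syn", TCP_SYN), ("rst", TCP_RST),
             ("psh", TCP_PSH), ("ack", TCP_ACK), ("urg", TCP_URG)]
    return " ".join(name for name, bit in names if flags & bit)


def parse_ipv4_tcp(raw: bytes) -> dict:
    """Parse the fixed IPv4 header (honouring IHL) and the fixed TCP header."""
    if len(raw) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if proto != IPPROTO_TCP:
        raise ValueError("not TCP")
    tcp = raw[ihl:]
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _tcsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    return {
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0x1FF,   # 9 flag bits; data offset lives in the top nibble
    }


def classify(pkt: dict) -> str:
    """Label a parsed packet for IDS triage.

    'bogus-rst-to-null' is the exact pattern from the report (invalid destination,
    invalid port, RST+ACK); 'invalid-dst-or-port' catches other broken packets;
    anything else is 'ok'. 0.0.0.0 is never a valid destination and port 0 is
    never a valid TCP port, so neither label can be a real conversation.
    """
    null_dst = pkt["dst"] == "0.0.0.0"
    null_port = pkt["dport"] == 0
    if null_dst and null_port and pkt["flags"] == (TCP_RST | TCP_ACK):
        return "bogus-rst-to-null"
    if null_dst or null_port:
        return "invalid-dst-or-port"
    return "ok"


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal IPv4+TCP packet for testing (checksums left at zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 0, 0, 0)
    return ip_hdr + tcp_hdr


def triage(raw: bytes) -> tuple:
    """Convenience wrapper: (label, printable flags, source port above 30,000?)."""
    pkt = parse_ipv4_tcp(raw)
    return classify(pkt), flag_names(pkt["flags"]), pkt["sport"] > 30000


if __name__ == "__main__":
    # Constructed sample: the packet shape from the original report.
    bogus = build_ipv4_tcp("192.168.105.239", "0.0.0.0", 38847, 0, TCP_RST | TCP_ACK)
    # Constructed sample: an ordinary SYN to a web server for contrast.
    normal = build_ipv4_tcp("192.168.105.239", "192.168.105.1", 38848, 80, TCP_SYN)
    for raw in (bogus, normal):
        print(triage(raw))
```

Run against a capture, a label of `bogus-rst-to-null` on traffic sourced from a Solaris host is the signature discussed above and points at patch level rather than at an intrusion; the `invalid-dst-or-port` label is there so that other malformed packets are not silently folded into the same explanation.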