Re: strange traffic from Solaris systems showing up on IDS

From: Crist J. Clark (cristjc@earthlink.net)
Date: 10/22/01


Date: Mon, 22 Oct 2001 01:09:55 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Ben Tetu-Pappas <bpappas@totality.com>
Subject: Re: strange traffic from Solaris systems showing up on IDS
Message-ID: <20011022010955.A332@blossom.cjclark.org>

On Fri, Oct 19, 2001 at 05:12:18PM -0700, Ben Tetu-Pappas wrote:
> I've been seeing some traffic on one of our IDS systems that has me puzzled.
> All of the hosts that generate this traffic are Ultra5 systems running
> Solaris 7 or 8.
>
> Traffic looks like this:
> Source Addr: 192.168.105.239
> Source Port: 38847      <---- source ports are always above 30,000
> Dest Addr:   0.0.0.0    <---- destination address is always 0.0.0.0
> Dest Port:   0          <---- destination port is always 0
> TCP/UDP:     TCP        <---- traffic is always TCP
> TCP Flags:   rst ack    <---- TCP flags are always rst ack
>
> As best as I can determine the only correlation that I can come up with is
> that the systems that cause this traffic seem to be starting various
> /usr/dt/bin/* processes when I see the traffic. So what are Solaris and/or
> DT up to that create this seemingly odd traffic?

When I first set up an IDS box on a network with Solaris boxen, I saw
a _ton_ of these. 0.0.0.0 is not a valid destination address for IP
traffic. Nor is 0 a valid TCP port. (That is, these are totally broken
packets.) It is a Solaris kernel bug. Apply a recent "Recommended &
Security Patches" set. I don't have the exact patch number or bug
number handy. Sun support can find that for you rather quickly if you
have a contract.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
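The pattern described in this thread (TCP, destination 0.0.0.0, destination port 0, flags RST+ACK, high ephemeral source port) is easy to separate from real scans in an IDS export, which helps confirm the "broken packets from unpatched hosts" explanation before anyone spends time chasing it as an attack. The following is an added example, not code from the original posts: it parses a constructed, whitespace-separated alert export (the log lines, hostnames and field order are assumptions) and groups the matching records by source host so the hosts can be checked for the patch set mentioned above. It generalizes the destination check slightly by using `ipaddress` to treat any unspecified address (0.0.0.0 or ::) as invalid.

```python
"""Triage of malformed Solaris RST/ACK records in an IDS alert export.

Added example (not part of the original thread). The export format
below is an assumption: one record per line with
    src sport dst dport proto flags
where flags uses single-letter TCP flag codes (R=RST, A=ACK, S=SYN)
or "-" when the protocol carries no flags.
"""
import ipaddress
from collections import Counter

# Constructed sample export; these records are not real captured data.
SAMPLE_LOG = """\
192.168.105.239 38847 0.0.0.0 0 TCP RA
192.168.105.239 40112 0.0.0.0 0 TCP RA
192.168.105.17 52310 0.0.0.0 0 TCP RA
192.168.105.239 38848 10.0.0.5 80 TCP S
192.168.105.17 1025 0.0.0.0 0 TCP RA
10.0.0.5 80 192.168.105.239 38848 TCP SA
192.168.105.30 41000 0.0.0.0 0 UDP -
"""


def parse_record(line):
    """Split one export line into a dict with typed fields."""
    src, sport, dst, dport, proto, flags = line.split()
    return {
        "src": src,
        "sport": int(sport),
        "dst": dst,
        "dport": int(dport),
        "proto": proto.upper(),
        "flags": set(flags) if flags != "-" else set(),
    }


def is_malformed_rst(rec):
    """True when the record matches the broken-packet pattern from the thread.

    The destination is the unspecified address (0.0.0.0, or :: for IPv6),
    the destination port is 0 (reserved, never a valid target), the
    protocol is TCP and exactly RST and ACK are set.
    """
    try:
        dst_unspecified = ipaddress.ip_address(rec["dst"]).is_unspecified
    except ValueError:
        return False  # not an IP literal; leave it to other checks
    return (
        rec["proto"] == "TCP"
        and dst_unspecified
        and rec["dport"] == 0
        and rec["flags"] == {"R", "A"}
    )


def matches_thread_profile(rec):
    """Narrower check that also requires the high source port seen in the thread."""
    return is_malformed_rst(rec) and rec["sport"] > 30000


def triage(log_text):
    """Count malformed RST/ACK records per source host.

    Returns a Counter keyed by source address; every key is a host worth
    checking for the Solaris kernel patch rather than an attacker.
    """
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if is_malformed_rst(rec):
            counts[rec["src"]] += 1
    return counts


def suspect_hosts(log_text, min_count=1):
    """Sorted list of source hosts with at least min_count malformed records."""
    return sorted(h for h, n in triage(log_text).items() if n >= min_count)


if __name__ == "__main__":
    for host, n in triage(SAMPLE_LOG).most_common():
        print(f"{host}: {n} malformed RST/ACK packet(s) to 0.0.0.0:0")
```

Only the source hosts emitting the malformed packets are listed; the legitimate SYN/SYN-ACK exchange and the UDP record are ignored. Running the export through `triage` on a recurring basis is a cheap way to confirm, after patching, that a given host has stopped generating the noise.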
