Re: Could this be a sign of break-in

From: Newsbox (newsbox_at_MAPS_ON_customers-of-adelphia.org)
Date: 12/02/03

  • Next message: Newsbox: "Re: Could this be a sign of break-in" 
    Date: Mon, 01 Dec 2003 22:35:12 -0500

    On Mon, 01 Dec 2003 09:55:15 -0500, Tim Haynes wrote:

    > Ian Amuhton <abuse@msn.com> writes:
    >
    >> My web server (behind a dedicated firewall that forwards port 80 only
    >> to the server which is placed in a separate network aka DMZ) crashed on
    >> the weekend. When I examined the logs this morning I could not find the
    >> reason, the only suspicious thing I found were lines like this:
    >>
    >> Nov 29 03:56:21 www kernel: NETDEV WATCHDOG: eth0: transmit timed out
    >> Nov 29 03:56:21 www kernel: eth0: Transmit timed out, status 0000, PHY
    >> status 786d, resetting...
    >>
    >> This repeated 15 times, then I had a few normal cron messages at Nov 29
    >> 04:01:00, then nothing more the machine froze after that.
    >>
    >> Could this be a sign of a break-in or just a simple hardware failure ?
    >> Sorry if I sound paranoid, but the "Promiscuous mode" made me
    >> nervous...
    >
    > Well, you should know about promiscuous mode - running tcpdump, snort,
    > iptraf or ntop would normally enable it, so if you're not running one of
    > those, what is it doing going promisc?
    >
    > The `transmit timed out' normally means you have an inferior network
    > card and/or driver - in practice, via-rhine and some 3com chipsets have
    > been known to give that, worse under intense UDP and high temperatures.
    > IMNSHO you should get an intel etherpro100 in there if you're relying on
    > it for anything slightly serious.
    >
    > ~Tim
     
    Tim,

    I'd like to pick your brain for whatever details you can give me on the
    via-rhine drivers and/or the chipsets they run on, with respect to
    specific or reproducible flaws. I have looked into this before, and I'm
    not saying that your advice to the OP is anything less than the best, at
    least in the short term. And I know that it's not a big expense or a big
    deal to replace a NIC (if needed). I have several D-Link DFE-530TX+ cards
    running, and would rather not replace them without knowing a reason to do
    so, or seeing if D-Link will underwrite the repair.

    Over the past year I have had a number of connection issues (now mostly
    resolved) between my home network and my ISPs'. During that time I must
    say that I have had a number of suggestions and rationales offered, and I
    have run several wild goose chases. Some of these have cost me
    substantial time and effort, and some have clearly been ruses and lies to
    avoid admissions of problems on their end. (At no time did I encounter
    errors like the OP reported.) One suggestion was to replace my D-Link
    cards, and I did some extensive searching on the subject, but found little
    if anything that was applicable. And that suggestion was in response to
    an issue connected to what was clearly on their end, the Cisco router IOS
    upgrade in July 2003. So I haven't changed my cards. During this period
    I called D-Link tech support, and they denied knowledge of any flaws,
    asked me to get back with any details, and offered to fix or replace
    anything defective.

    I was new to *nix when I bought my first D-Link NIC, and got it after
    researching and finding recommendations that this was standards compliant
    and worked with *nix, whereas some others were not and did not. I have
    thoroughly load tested these cards on my LANs and found no errors,
    problems or dropped packets whatsoever, on my LANs, with D-Link cards
    talking to D-Link cards. Under light and intermittent loads, my tests
    show approximately a couple of dozen dropped packets at irregular
    intervals during any 24 hour day, while connected to the ISP's Cisco
    router. ... Minor, perhaps. But I still have questions. And I have no
    reason (other than your (venerable, NSH) opinion) to say for sure that it
    is on the D-Link end of the connection and not either something else in
    between, or the Cisco router. Again, if the intel Etherpro100 works today
    talking to Cisco routers, that may be reason enough to say that your
    suggestion is nothing less than the best, at least in the short term. Now,
    if I can go back to D-Link with something solid, I can send them a
    wagon-load of cards and CDs that they can make good to me for.

    Some specific requests, if you would, Please, Sir:
    > The `transmit timed out' normally means you have an inferior network
    > card and/or driver - in practice, via-rhine and some 3com chipsets have
    > been known to give that,

    I haven't encountered anything of this type. But if you or others can
    give me references, I will take it to the manufacturer for credits.

    > worse under intense UDP and high temperatures.

    Sorry for gaps in fundamental knowledge. But, if you would please: UDP
    (User Datagram Protocol?)
    Is there some particular way to simulate the problem(s) on my (or
    D-Link's) test LANs by creating "intense UDP"? How would I intentionally
    create "intense UDP" on a test LAN? What specific conditions might be
    needed or expected to occur on a public network to create problems for a
    connected D-Link card? Are you talking about an intentional DDOS attack?

    Many transistors exhibit higher leakage currents and lower breakdown
    voltages, as well as higher (and sometimes destructive) power dissipation,
    at increased temperatures. This is probably true (AFAIK) for all
    semiconductors. Defective power supplies and even unfiltered power line
    transients can probably, in most cases, produce almost any kind of similar
    failures. Would you think an intel card would be more resistant to common
    external sources of circuit breakdowns? And if problems are encountered
    as a result of abnormally high temperatures, why wouldn't D-Link be
    correct in saying that the solution was to lower the temperature.

    Thanks and Best wishes. Appreciate any light you could share in this
    issue.

    ps. Hope you understand that I'm just asking, have no personal interest
    in D-Link, and do consider myself and my uses and users slightly serious.
    Thanks again !!

    pps. That's a neat approach to the return e-mail address ! Very clever. 

    -- 
Remove the backwards _NO_SPAM for e-mail
	... Trying to cut down on the backwards NEWS virus mail
Thanks !!
  • Next message: Newsbox: "Re: Could this be a sign of break-in"