Pls help: Stonebeat can't boot due to local "attack" ?
From: ST Wong (st-wong_at_alumni.cuhk.net)
Date: 12 Sep 2004 23:11:38 -0700
We have around 20 machines protected by a firewall in a DMZ. There are 2
firewall machines in an HA configuration (Checkpoint FireWall-1 FP3
(Feature Pack 3), Stonebeat FullCluster version 3.0 SP 3-6 on
Solaris). Recently we were under an attack that made the firewall fail to
start. Some findings follow:
- the firewall machines hang and fail to reboot. The boot
process hangs when starting Stonebeat.
- the firewall machines can be rebooted if the internal network cable
is not connected.
- no suspicious traffic found in the firewall log before the event
- no information logged by the IDS due to some system problems.
- not much incoming traffic when the problem was detected.
- most of the systems within the DMZ are running properly, except 2, which
have a large traffic rate.
The firewall machines could be restarted after disconnecting the 2
systems with large traffic volume. This is strange, as these 2 systems
are of small capacity compared with the 2 firewall systems, and
no trace of hacking activity can be found on these 2
systems. Meanwhile, one of these systems seemed to hang.
I have no idea what kind of attack we suffered, due to
limited information. Has anyone met a similar issue before?
Sorry for the newbie question.
Thanks a lot.