9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] Cleaning up the IP tables
@ 2010-06-26 16:20 lucio
  2010-06-26 17:14 ` erik quanstrom
  2010-06-28 16:36 ` Lyndon Nerenberg
  0 siblings, 2 replies; 5+ messages in thread
From: lucio @ 2010-06-26 16:20 UTC (permalink / raw)
  To: 9fans

I'm not sure how long it's been building up, but there are more than
4000 "Closed" TCP connections on a web accessible Plan 9 server,
according to netstat.  Is there a simple way to clean up and delete
all these entries or does one have to do something dramatic?  I can't
drop the network, the server is a long way from here :-)

I don't like rebooting, but I don't like 4000-odd netstat entries
either.

Hm, many are local "ticket" connections, you'd think they'd go away
once dealt with.  The kernel is a little less than two years old, I'll
have to consider an upgrade.

++L





* Re: [9fans] Cleaning up the IP tables
  2010-06-26 16:20 [9fans] Cleaning up the IP tables lucio
@ 2010-06-26 17:14 ` erik quanstrom
  2010-06-26 18:03   ` andrey mirtchovski
  2010-06-28 16:36 ` Lyndon Nerenberg
  1 sibling, 1 reply; 5+ messages in thread
From: erik quanstrom @ 2010-06-26 17:14 UTC (permalink / raw)
  To: lucio, 9fans

On Sat Jun 26 12:24:30 EDT 2010, lucio@proxima.alt.za wrote:
> I'm not sure how long it's been building up, but there are more than
> 4000 "Closed" TCP connections on a web accessible Plan 9 server,
> according to netstat.  Is there a simple way to clean up and delete
> all these entries or does one have to do something dramatic?  I can't
> drop the network, the server is a long way from here :-)
>
> I don't like rebooting, but I don't like 4000-odd netstat entries
> either.
>
> Hm, many are local "ticket" connections, you'd think they'd go away
> once dealt with.  The kernel is a little less than two years old, I'll
> have to consider an upgrade.

closed connections are not garbage collected.  they wait
for a fresh open.  since they take very little memory, it's
an elegant design that eliminates a number of potential
locking problems.

- erik




* Re: [9fans] Cleaning up the IP tables
  2010-06-26 17:14 ` erik quanstrom
@ 2010-06-26 18:03   ` andrey mirtchovski
  2010-06-27  1:10     ` erik quanstrom
  0 siblings, 1 reply; 5+ messages in thread
From: andrey mirtchovski @ 2010-06-26 18:03 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

Further to what Erik said, the closed connections don't accumulate
over time, they're the result of a single attack or a portscan.
subsequent attacks only reuse them without increasing their number.
you'll notice that most of the connections were made from the same IP.

On 9grid there are 500+ connections in the "closed" state, all from
the same IP which, it appears from the logs, ran an automated scanner
for vulnerable websites:

clf:131.94.130.46 - - [03/Jun/2010:06:24:47 +0000] "GET /admin/lang.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:47 +0000] "GET /inc/pipe.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:48 +0000] "GET /include/write.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:48 +0000] "GET /becommunity/community/index.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:48 +0000] "GET /modules/xoopsgallery/upgrade_album.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:48 +0000] "GET /modules/mod_mainmenu.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:49 +0000] "GET /modules/agendax/addevent.inc.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:49 +0000] "GET /shoutbox/expanded.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:49 +0000] "GET /modules/xgallery/upgrade_album.php HTTP/1.1"



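Andrey's observation, that the closed connections come from one burst of probes for non-existent scripts from a single IP, can be turned into a log check that separates a scanner from an ordinary client hitting a stale link. The following is an added example, not code from the thread or from Plan 9's httpd. It assumes the clf:-prefixed Common Log Format shown above; the ten-second window and five-miss threshold are arbitrary assumptions, and the two 192.0.2.10 records in the sample are constructed, while the 131.94.130.46 records are the ones Andrey posted.

```python
"""Flag web-vulnerability scanners in clf:-prefixed access logs.

Added example, not code from the thread. Assumes Plan 9 httpd's "clf:" prefix
followed by a Common Log Format record; window and threshold values are
arbitrary assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Optional "clf:" prefix, then client, identd, user, [timestamp], "request".
# The trailing status/size pair is optional so that a record cut off mid-line
# (as the last posted line was) still parses.
LOG_RE = re.compile(
    r'^(?:clf:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?"'
    r'(?: (?P<status>\d{3}) (?P<size>\S+))?'
)


def parse_line(line):
    """Parse one record; return None for lines that are not CLF records."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    status = int(m.group("status")) if m.group("status") else None
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": status}


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_scanners(records, window_seconds=10, min_misses=5):
    """Return {ip: summary} for clients that requested at least min_misses
    distinct paths returning 404 inside any window_seconds-long window.

    A browser following one dead link produces a single 404; an automated
    scanner produces a rapid burst of 404s for many unrelated admin/include
    scripts, which is what this sliding window looks for.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, recs in by_ip.items():
        misses = sorted((r for r in recs if r["status"] == 404),
                        key=lambda r: r["ts"])
        start = 0
        for end in range(len(misses)):
            # Slide the window start forward until it spans <= window_seconds.
            while misses[end]["ts"] - misses[start]["ts"] > window:
                start += 1
            paths = {r["path"] for r in misses[start:end + 1]}
            if len(paths) >= min_misses:
                flagged[ip] = {
                    "requests": len(recs),
                    "distinct_404_paths": len({r["path"] for r in misses}),
                    "first": misses[0]["ts"].isoformat(),
                    "last": misses[-1]["ts"].isoformat(),
                }
                break
    return flagged


# Sample input: the nine records from the post (one per line) plus two
# constructed records from an ordinary client on a documentation address.
SAMPLE_LOG = """\
clf:131.94.130.46 - - [03/Jun/2010:06:24:47 +0000] "GET /admin/lang.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:47 +0000] "GET /inc/pipe.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:48 +0000] "GET /include/write.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:48 +0000] "GET /becommunity/community/index.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:48 +0000] "GET /modules/xoopsgallery/upgrade_album.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:48 +0000] "GET /modules/mod_mainmenu.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:49 +0000] "GET /modules/agendax/addevent.inc.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:49 +0000] "GET /shoutbox/expanded.php HTTP/1.1" 404 0
clf:131.94.130.46 - - [03/Jun/2010:06:24:49 +0000] "GET /modules/xgallery/upgrade_album.php HTTP/1.1"
clf:192.0.2.10 - - [03/Jun/2010:06:30:00 +0000] "GET / HTTP/1.1" 200 1234
clf:192.0.2.10 - - [03/Jun/2010:06:30:01 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for ip, info in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The truncated last record is kept but not counted as a miss, since its status is unknown; only confirmed 404s feed the window. The output for the sample names 131.94.130.46 alone, with nine requests and eight distinct missing paths inside two seconds, while the constructed client's single 404 is ignored.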

* Re: [9fans] Cleaning up the IP tables
  2010-06-26 18:03   ` andrey mirtchovski
@ 2010-06-27  1:10     ` erik quanstrom
  0 siblings, 0 replies; 5+ messages in thread
From: erik quanstrom @ 2010-06-27  1:10 UTC (permalink / raw)
  To: 9fans

On Sat Jun 26 14:04:50 EDT 2010, mirtchovski@gmail.com wrote:
> Further to what Erik said, the closed connections don't accumulate
> over time, they're the result of a single attack or a portscan.
> subsequent attacks only reuse them without increasing their number.
> you'll notice that most of the connections were made from the same IP.
>
> On 9grid there are 500+ connections in the "closed" state, all from
> the same IP which, it appears from the logs, ran an automated scanner
> for vulnerable websites:

i see various attacks constantly.  most of them are harmless,
but a few can be pretty disruptive.  if you're not running nupas,
i think it's pretty hard to keep up with the various email attacks,
but that's largely an annoyance.  i have had to use nupas' smtpd
-k option to drop some ip addresses without even logging.
i've also found running pop3 is a bad idea.  there are a number
of pop3 attacks that are extremely aggressive.  they can take
down your machine and/or connection.  imap is a much better
option.

the only real difficulty i have right now is (caching) dns.  dns just can't
seem to deal with some of akamai's tricks.  double cname indirection
and 20 second ttls seem to give it fits.  (e.g. m.bestofmedia.com;
see incorrect fix here http://9fans.net/archive/2010/06/48)
and there appear to be a number of effective cache poisoning
algorithms in the wild.  (http://9fans.net/archive/2010/04/447)
if this is ndb/dns shooting itself in the cache or an attack is unknown.
google's ips tend to get corrupted with some frequency.  recently
i saw google look up as 127.0.0.1.

authoritative dns, of course, works great.

- erik




* Re: [9fans] Cleaning up the IP tables
  2010-06-26 16:20 [9fans] Cleaning up the IP tables lucio
  2010-06-26 17:14 ` erik quanstrom
@ 2010-06-28 16:36 ` Lyndon Nerenberg
  1 sibling, 0 replies; 5+ messages in thread
From: Lyndon Nerenberg @ 2010-06-28 16:36 UTC (permalink / raw)
  To: lucio, Fans of the OS Plan 9 from Bell Labs

> I'm not sure how long it's been building up, but there are more than
> 4000 "Closed" TCP connections on a web accessible Plan 9 server,
> according to netstat.

If you find the netstat output annoying:

 	/n/sources/patch/sorry/netstat-open

--lyndon



