* [9fans] spam bots and Finwait2
@ 2009-11-22 19:24 erik quanstrom
From: erik quanstrom @ 2009-11-22 19:24 UTC (permalink / raw)
  To: 9fans

i added some bits to my copy of stats(1) that allow tracking
of /net/ether0 and /net.alt/ether1 simultaneously and scale
the max by the link speed, not the number of processors.

it didn't take long for this to be useful.

this morning i noticed that there was quite a noticeable load on
my dsl line (25pps) and 54 tcp connections to port 25 in
Finwait2, but no instances of smtpd running.  i watched these
connections run for several hours, slowly adding connections.

examples of the packets and the tcp/*/status files
follow.

i'm not sure i know what's going on with these zombie
connections.  it looks like we're sending keep-alives on
them and the remote ends keep acking them, so they never
time out.  ideas?

- erik

ladd# grep Finwait2 */status | sed 6q
100/status:Finwait2 qin 0 qout 0 srtt 1400 mdev 700 cwin 1462 swin 65494>>0 rwin 65535>>0 timer.start 10 timer.count 10 rerecv 0 katimer.start 200 katimer.count 54
101/status:Finwait2 qin 0 qout 0 srtt 1424 mdev 712 cwin 1462 swin 65494>>0 rwin 65535>>0 timer.start 10 timer.count 10 rerecv 0 katimer.start 200 katimer.count 24
108/status:Finwait2 qin 0 qout 0 srtt 832 mdev 416 cwin 1462 swin 65494>>0 rwin 65535>>0 timer.start 10 timer.count 10 rerecv 0 katimer.start 200 katimer.count 70
111/status:Finwait2 qin 0 qout 0 srtt 1416 mdev 708 cwin 1462 swin 65494>>0 rwin 65535>>0 timer.start 10 timer.count 10 rerecv 0 katimer.start 200 katimer.count 154
112/status:Finwait2 qin 0 qout 0 srtt 1712 mdev 856 cwin 1462 swin 65494>>0 rwin 65535>>0 timer.start 10 timer.count 10 rerecv 0 katimer.start 200 katimer.count 97
17/status:Finwait2 qin 0 qout 0 srtt -1856 mdev -928 cwin 1302 swin 65494>>0 rwin 65535>>0 timer.start 10 timer.count 10 rerecv 0 katimer.start 200 katimer.count 12
[etc]

000306 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=93.85.65.158 d=192.168.10.1 id=7847 frag=4000 ttl=109 pr=6 ln=40)
	tcp(s=39550 d=25 seq=2079722094 ack=1213702870 fl=A win=65494 ck=3a37)
000373 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=187.39.222.189 id=7142 frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=3718 seq=3102550397 ack=4179254571 fl=APF win=65535 ck=03ed)
000423 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=195.177.121.156 id=7143 frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=1626 seq=2895967053 ack=3544048381 fl=APF win=65535 ck=4b3b)
000545 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=187.39.222.189 d=192.168.10.1 id=367b frag=4000 ttl=112 pr=6 ln=40)
	tcp(s=3718 d=25 seq=4179254571 ack=3102550398 fl=A win=65494 ck=041e)
000602 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=195.177.121.156 d=192.168.10.1 id=9221 frag=4000 ttl=111 pr=6 ln=40)
	tcp(s=1626 d=25 seq=3544048381 ack=2895967054 fl=A win=65494 ck=4b6c)
000723 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=200.6.105.123 id=7144 frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=63264 seq=3472424818 ack=3461693300 fl=APF win=65535 ck=e030)
000773 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=89.222.150.253 id=7145 frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=3573 seq=1427168658 ack=4137965364 fl=APF win=65535 ck=65bc)
000873 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=186.104.155.197 id=7146 frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=1969 seq=237671758 ack=974613881 fl=APF win=65535 ck=3c21)
000874 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=58.186.151.75 id=7147 frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=13468 seq=2341757760 ack=1103886588 fl=APF win=65535 ck=b4ca)
000921 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=200.6.105.123 d=192.168.10.1 id=8294 frag=4000 ttl=112 pr=6 ln=40)
	tcp(s=63264 d=25 seq=3461693300 ack=3472424819 fl=A win=65494 ck=e061)
000924 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=91.203.139.111 id=7148 frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=62646 seq=3476647163 ack=3330713544 fl=APF win=65535 ck=5e93)
000950 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=89.222.150.253 d=192.168.10.1 id=ca89 frag=4000 ttl=115 pr=6 ln=40)
	tcp(s=3573 d=25 seq=4137965364 ack=1427168659 fl=A win=65494 ck=65ed)
001077 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=186.104.155.197 d=192.168.10.1 id=e9aa frag=4000 ttl=112 pr=6 ln=40)
	tcp(s=1969 d=25 seq=974613881 ack=237671759 fl=A win=65494 ck=3c52)
001097 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=91.203.139.111 d=192.168.10.1 id=aaf5 frag=4000 ttl=117 pr=6 ln=40)
	tcp(s=62646 d=25 seq=3330713544 ack=3476647164 fl=A win=65494 ck=5ec4)
001166 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=58.186.151.75 d=192.168.10.1 id=09d8 frag=4000 ttl=112 pr=6 ln=40)
	tcp(s=13468 d=25 seq=1103886588 ack=2341757761 fl=A win=65494 ck=b4fb)
001174 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=83.139.148.175 id=7149 frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=4598 seq=1593459648 ack=2363923346 fl=APF win=65535 ck=1fa5)
001349 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=83.139.148.175 d=192.168.10.1 id=1cae frag=4000 ttl=120 pr=6 ln=40)
	tcp(s=4598 d=25 seq=2363923346 ack=1593459649 fl=A win=17639 ck=dac5)
001674 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=194.42.207.174 id=714a frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=4172 seq=1558583113 ack=2969773071 fl=APF win=65535 ck=f9a1)
001848 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=194.42.207.174 d=192.168.10.1 id=1eec frag=4000 ttl=117 pr=6 ln=40)
	tcp(s=4172 d=25 seq=2969773071 ack=1558583114 fl=A win=65494 ck=f9d2)
001975 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=95.70.157.121 id=714b frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=3205 seq=162009233 ack=2161786655 fl=APF win=65535 ck=0192)
001975 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=87.251.152.118 id=714c frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=2388 seq=583664885 ack=4166844971 fl=APF win=65535 ck=c8fb)
002153 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=87.251.152.118 d=192.168.10.1 id=145e frag=4000 ttl=115 pr=6 ln=40)
	tcp(s=2388 d=25 seq=4166844971 ack=583664886 fl=A win=65494 ck=c92c)
002235 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=95.70.157.121 d=192.168.10.1 id=c9b5 frag=4000 ttl=114 pr=6 ln=40)
	tcp(s=3205 d=25 seq=2161786655 ack=162009234 fl=A win=65494 ck=01c3)
002325 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=188.54.5.22 id=714d frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=3646 seq=2167987698 ack=438087458 fl=APF win=65535 ck=ed14)
002525 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=68.55.179.48 id=714e frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=80 d=47955 seq=2630025585 ack=4207213011 fl=APF win=65535 ck=9f49)
002591 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=188.54.5.22 d=192.168.10.1 id=21f6 frag=4000 ttl=112 pr=6 ln=40)
	tcp(s=3646 d=25 seq=438087458 ack=2167987699 fl=A win=65494 ck=ed45)
002597 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=68.55.179.48 d=192.168.10.1 id=4426 frag=4000 ttl= 46 pr=6 ln=40)
	tcp(s=47955 d=80 seq=4207213011 ack=2630025586 fl=A win=413 ck=9db4)
003076 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=68.16.104.79 id=714f frag=0000 ttl=255 pr=6 ln=41)
	tcp(s=17010 d=54820 seq=310284627 ack=2100367114 fl=AP win=65535 ck=321e)
	ninep(be)
003111 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=68.16.104.79 d=192.168.10.1 id=333a frag=0000 ttl=238 pr=6 ln=40)
	tcp(s=54820 d=17010 seq=2100367114 ack=310284628 fl=A win=65535 ck=f026)
003576 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=193.169.226.135 id=7150 frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=55416 seq=2095726815 ack=2779596579 fl=APF win=65535 ck=bdc4)
003676 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=188.52.119.92 id=7151 frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=3658 seq=3424953799 ack=1532911943 fl=APF win=65535 ck=749c)
003676 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=202.62.73.167 id=7152 frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=30403 seq=3169494966 ack=840413815 fl=APF win=65535 ck=1130)
003727 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=98.215.28.207 id=7153 frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=3964 seq=3755353752 ack=78255918 fl=APF win=65535 ck=33a0)
003799 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=98.215.28.207 d=192.168.10.1 id=51f6 frag=4000 ttl=111 pr=6 ln=40)
	tcp(s=3964 d=25 seq=78255918 ack=3755353753 fl=A win=65494 ck=33d1)
003929 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=188.52.119.92 d=192.168.10.1 id=0482 frag=4000 ttl=111 pr=6 ln=40)
	tcp(s=3658 d=25 seq=1532911943 ack=3424953800 fl=A win=65494 ck=74cd)
003977 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=113.255.72.57 id=7154 frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=1949 seq=2406404941 ack=1616791306 fl=APF win=65535 ck=190f)
003990 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=202.62.73.167 d=192.168.10.1 id=d5b1 frag=4000 ttl=114 pr=6 ln=40)
	tcp(s=30403 d=25 seq=840413815 ack=3169494967 fl=A win=65494 ck=1161)
004077 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=80.250.0.181 id=7155 frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=3748 seq=2847549684 ack=3420795754 fl=APF win=65535 ck=b2b7)
004083 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=193.169.226.135 d=192.168.10.1 id=3ba1 frag=4000 ttl=115 pr=6 ln=40)
	tcp(s=55416 d=25 seq=2779596579 ack=2095726816 fl=A win=65279 ck=becc)
004127 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=86.60.92.91 id=7156 frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=55665 seq=846097687 ack=1761632393 fl=APF win=65535 ck=eff0)
004249 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=113.255.72.57 d=192.168.10.1 id=6614 frag=4000 ttl=110 pr=6 ln=40)
	tcp(s=1949 d=25 seq=1616791306 ack=2406404942 fl=A win=65494 ck=1940)
004253 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=80.250.0.181 d=192.168.10.1 id=2533 frag=4000 ttl=116 pr=6 ln=40)
	tcp(s=3748 d=25 seq=3420795754 ack=2847549685 fl=A win=65494 ck=b2e8)
004277 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=77.70.13.7 id=7157 frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=1807 seq=4029649092 ack=1379842029 fl=APF win=65535 ck=f88c)
004377 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=94.45.176.29 id=7158 frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=17536 seq=4061542277 ack=2833699966 fl=APF win=65535 ck=eb3c)
004446 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=77.70.13.7 d=192.168.10.1 id=86b2 frag=4000 ttl=117 pr=6 ln=40)
	tcp(s=1807 d=25 seq=1379842029 ack=4029649093 fl=A win=65494 ck=f8bd)
004463 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=86.60.92.91 d=192.168.10.1 id=ab3c frag=4000 ttl=112 pr=6 ln=40)
	tcp(s=55665 d=25 seq=1761632393 ack=846097688 fl=A win=65494 ck=f021)
004552 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=94.45.176.29 d=192.168.10.1 id=9df9 frag=4000 ttl=116 pr=6 ln=40)
	tcp(s=17536 d=25 seq=2833699966 ack=4061542278 fl=A win=65494 ck=eb6d)
004628 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=193.109.166.42 id=7159 frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=3326 seq=391071322 ack=364767033 fl=APF win=65535 ck=15d3)
004778 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=95.129.166.81 id=715a frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=3340 seq=181975549 ack=1666451866 fl=APF win=65535 ck=a066)
004831 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=193.109.166.42 d=192.168.10.1 id=b210 frag=4000 ttl=117 pr=6 ln=40)
	tcp(s=3326 d=25 seq=364767033 ack=391071323 fl=A win=17639 ck=d0f3)
004978 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=212.174.243.30 id=715b frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=3779 seq=44612646 ack=1580326570 fl=APF win=65535 ck=12ce)
005028 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=24.197.154.222 id=715c frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=4941 seq=198628229 ack=4098547133 fl=APF win=65535 ck=6cb4)
005056 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=95.129.166.81 d=192.168.10.1 id=d645 frag=4000 ttl=110 pr=6 ln=40)
	tcp(s=3340 d=25 seq=1666451866 ack=181975550 fl=A win=65494 ck=a097)
005082 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=24.197.154.222 d=192.168.10.1 id=47d6 frag=0000 ttl=119 pr=6 ln=40)
	tcp(s=4941 d=25 seq=4098547133 ack=198628230 fl=A win=16999 ck=2a55)
005172 ms
	ether(s=0000892b1fb8 d=001d92350045 pr=0800 ln=60)
	ip(s=212.174.243.30 d=192.168.10.1 id=c64c frag=4000 ttl=114 pr=6 ln=40)
	tcp(s=3779 d=25 seq=1580326570 ack=44612647 fl=A win=65494 ck=12ff)
005229 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=121.156.166.232 id=715d frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=1253 seq=253941807 ack=1246549403 fl=APF win=65535 ck=b865)
005279 ms
	ether(s=001d92350045 d=0000892b1fb8 pr=0800 ln=60)
	ip(s=192.168.10.1 d=188.49.22.21 id=715e frag=0000 ttl=255 pr=6 ln=40)
	tcp(s=25 d=51513 seq=1431611595 ack=550711239 fl=APF win=65535 ck=face)


