[Dshield] what kind of attack is this?
areust at comcast.net
Sat Feb 14 06:52:19 GMT 2004
While many things happens when the network connection if flawless.. what
happens when the network connection has a problem and the application is
told to retry. This is "sorta" like a network card that goes rogue..
packets everywhere.. Tracking it down to the offending machine/applications
gets to be more than "overtime" is worth.. Beside what you showed, you did
not show what tools in the Resource Kit would help you with (yes, I know
hat all are not truly documented) . If you have the "offending" machine,
then what did pstat show you about the running processes. You could have a
situation that version of NAV had a memory leak that caused a loop
somewhere (in RAM). It goes like, the memory leak into a fragmented corrupt
swap file.. Yes Micro$oft does not to fix the problem. A reboot solves the
immediate problem but does not provide the ultimate answer..
For issues concerning swap files, a fixed size swap that prevents
fragmenting.. is the answer. Yes you used to be able to find the rule of
thumb the size of a fixed swap file. Over the years I have decided that
125% of the RAM size is good. Depending on the role of the machine the size
may vary. That also depends on if it is "underpowered" thus the swap is
required.. Then it becomes you selling that it needs to be upgraded.. Just
today I ran my laptop into distress.. I found that I was over 70 megabytes
into my swapfile.. Because I tell it to hibernate (when I close the lid)..
Over time it causes problems, it has held the "state" for over 3 months
with WinXp Pro.
So yes over the years I have seen while Nix servers are more resilient..
Every now and then they need a "clean" shutdown and reboot.
At 12:20 AM 2/14/2004 -0500, you wrote:
>From: Micheal Patterson [mailto:micheal at tsgincorporated.com]
>Sent: Friday, February 13, 2004 9:21 AM
>To: General DShield Discussion List
>Subject: Re: [Dshield] what kind of attack is this?
>The dest port is associated with Norton Corp Edition and the port that NavCE
>Clients talk to a parent server.
>Right, thats one use this port is put to and thats all I could find in my
>So do you think this affected server sent 12,000,000 packets yesterday to
>entire blocks of IP ranges because norton anti-virus was working properly
>and this is normal behaviour? Come on.
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see:
More information about the list