[Dshield] what kind of attack is this?

Al Reust areust at comcast.net
Sat Feb 14 06:52:19 GMT 2004


While many things happen when the network connection is flawless.. what 
happens when the network connection has a problem and the application is 
told to retry. This is "sorta" like a network card that goes rogue.. 
packets everywhere.. Tracking it down to the offending machine/applications 
gets to be more than "overtime" is worth.. Besides what you showed, you did 
not show what tools in the Resource Kit would help you with (yes, I know 
that all are not truly documented). If you have the "offending" machine, 
then what did pstat show you about the running processes? You could have a 
situation that version of NAV had a memory leak that caused a loop 
somewhere (in RAM). It goes like, the memory leak into a fragmented corrupt 
swap file.. Yes Micro$oft does not to fix the problem.  A reboot solves the 
immediate problem but does not provide the ultimate answer..

For issues concerning swap files, a fixed size swap that prevents 
fragmenting.. is the answer. Yes you used to be able to find the rule of 
thumb the size of a fixed swap file. Over the years I have decided that 
125% of the RAM size is good. Depending on the role of the machine the size 
may vary. That also depends on if it is "underpowered" thus the swap is 
required.. Then it becomes you selling that it needs to be upgraded.. Just 
today I ran my laptop into distress.. I found that I was over 70 megabytes 
into my swapfile.. Because I tell it to hibernate (when I close the lid).. 
Over time it causes problems, it has held the "state" for over 3 months 
with WinXp Pro.

So yes over the years I have seen while Nix servers are more resilient.. 
Every now and then they need a "clean" shutdown and reboot.


At 12:20 AM 2/14/2004 -0500, you wrote:
>-----Original Message-----
>From: Micheal Patterson [mailto:micheal at tsgincorporated.com]
>Sent: Friday, February 13, 2004 9:21 AM
>To: General DShield Discussion List
>Subject: Re: [Dshield] what kind of attack is this?
>The dest port is associated with Norton Corp Edition and the port that NavCE
>Clients talk to a parent server.
>Right, that's one use this port is put to and that's all I could find in my 
>online searching.
>So do you think this affected server sent 12,000,000 packets yesterday to 
>entire blocks of IP ranges because norton anti-virus was working properly 
>and this is normal behaviour?  Come on.