Ticket #436 (closed task: fixed)

Opened 4 years ago

Last modified 4 years ago

UFL SYN attack Aug. 27, 2015

Reported by: ibaldin
Owned by: ibaldin
Priority: major
Milestone:
Component: External: Security Incidents
Version: baseline
Keywords:
Cc:

Description (last modified by ibaldin)

Source IPs look like 128.227.10.11, .13, .25, and a spoofed 10.103.0.16

I can restore access to the head node if it is not running VMs and you need to get to it. Alternatively the VPN appliance is still connected.

Matthew Collins
Senior Systems Programmer
Advanced Computing and Information Systems Lab, ECE
University of Florida
352-392-5414


From: xo-ufl-bounces@… <xo-ufl-bounces@…> on behalf of Collins, Matthew <mcollins@…>
Sent: Thursday, August 27, 2015 10:48 AM
To: xo-ufl@…
Subject: [XO-UFL] SYN scanning from EnoGENI nodes - I have disconnected cluster

I have disconnected the ExoGENI cluster. There have been a number of SYN flood incidents recently and I've finally caught one while it was going on, and it appears to be coming from the uplink to the 10g ExoGENI switch.

I am pawing through the packet capture and I will try to be more fine-grained about what is causing what as soon as I can.

Matthew Collins
Senior Systems Programmer
Advanced Computing and Information Systems Lab, ECE
University of Florida
352-392-5414

Reservation 3d16c78a-a9cf-461b-962b-d527585f6a62:
3d16c78a-a9cf-461b-962b-d527585f6a62
0 UNIT:

unit.manage.ip = 128.227.10.11
shirako.save.unit.manage.ip = 128.227.10.11

Reservation c9573a6e-94f3-4ede-adce-68c96ffb513c:
c9573a6e-94f3-4ede-adce-68c96ffb513c
0 UNIT:

unit.manage.ip = 128.227.10.13
shirako.save.unit.manage.ip = 128.227.10.13

Reservation d8461fcc-6922-4a95-85f4-06b54d1a6e60:
d8461fcc-6922-4a95-85f4-06b54d1a6e60
0 UNIT:

unit.manage.ip = 128.227.10.25
shirako.save.unit.manage.ip = 128.227.10.25

xmlrpc.user.dn = [sc7cq@…, urn:publicid:IDN+ch.geni.net+user+sc7cq, urn:uuid:79dc940c-3e33-4c97-a65e-35ee4fb1cf6c]

config.image.url = https://virginia.box.com/shared/static/dlowiyuc2dbs0rp9a0t7b13czywsz600.xml

unit.slice.name = WAN-test-40nodes

Attachments

exogeni_syns_subset.pcapng (30.1 kB) - added by ibaldin 4 years ago.
Packet trace file

Change History

Changed 4 years ago by ibaldin

  • status changed from new to closed
  • resolution set to fixed
  • description modified

Slice terminated.

Changed 4 years ago by ibaldin

Packet trace file
