What a spoofed DoS attack looks like in atop
Note the packets in/out: pcki 115264 on eth3, pcko 100013 on eth2.
I feel I have a minor Ethernet issue as the IRQ load should not be quite that high, but that is for another post. This box is a single core P4 so it's not too far off.
ATOP - firewall02 2010/10/04 09:34:23 ------ 3s elapsed
PRC | sys 3.02s | | user 0.01s | | | #proc 96 | | #zombie 0 | | clones 0 | | | #exit 0 |
CPU | sys 1% | user 1% | | irq 100% | | | idle 99% | wait 0% | | | steal 0% | | guest 0% |
cpu | sys 0% | user 0% | | irq 100% | | | idle 0% | cpu000 w 0% | | | steal 0% | | guest 0% |
cpu | sys 1% | user 0% | | irq 0% | | | idle 98% | cpu001 w 0% | | | steal 0% | | guest 0% |
CPL | avg1 1.01 | | avg5 1.05 | avg15 1.11 | | | | csw 187 | | intr 4963 | | | numcpu 2 |
MEM | tot 2.0G | free 617.6M | | cache 904.1M | dirty 0.0M | buff 127.0M | | slab 304.8M | | | | | |
SWP | tot 4.0G | free 4.0G | | | | | | | | | | vmcom 123.9M | vmlim 5.0G |
MDD | md1 | busy 0% | | read 0 | write 47 | KiB/r 0 | | KiB/w 4 | MBr/s 0.00 | MBw/s 0.06 | | avq 0.00 | avio 0.00 ms |
MDD | md3 | busy 0% | | read 0 | write 20 | KiB/r 0 | | KiB/w 4 | MBr/s 0.00 | MBw/s 0.03 | | avq 0.00 | avio 0.00 ms |
DSK | sdb | busy 5% | | read 0 | write 57 | KiB/r 0 | | KiB/w 5 | MBr/s 0.00 | MBw/s 0.10 | | avq 4.87 | avio 2.84 ms |
DSK | sda | busy 4% | | read 0 | write 57 | KiB/r 0 | | KiB/w 5 | MBr/s 0.00 | MBw/s 0.10 | | avq 6.40 | avio 2.09 ms |
NET | transport | tcpi 7 | tcpo 4 | udpi 0 | udpo 0 | tcpao 0 | | tcppo 0 | tcprs 0 | tcpie 0 | tcpor 2 | udpnp 3 | udpip 0 |
NET | network | ipi 118305 | | ipo 102606 | ipfrw 3072 | deliv 27 | | | | | | icmpi 16 | icmpo 99524 |
NET | eth2 2% | pcki 3030 | pcko 100013 | | si 881 Kbps | so 24 Mbps | coll 0 | mlti 0 | erri 0 | | erro 0 | drpi 0 | drpo 0 |
NET | eth3 1% | pcki 115264 | pcko 2578 | | si 19 Mbps | so 787 Kbps | coll 0 | mlti 2 | erri 0 | | erro 0 | drpi 208056 | drpo 0 |
PID RUID EUID THR SYSCPU USRCPU VGROW RGROW RDDSK WRDSK ST EXC S CPUNR CPU CMD 1/1
3 root root 1 2.89s 0.00s 0K 0K 0K 0K -- - R 0 96% ksoftirqd/0
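The asymmetry the author points at (far more packets arriving on eth3 than leaving it, plus a large drpi count, while eth2 carries the matching outbound flood) is visible in the raw counters atop reads from /proc/net/dev. The following shell script is an added example, not part of the original post: it diffs two /proc/net/dev snapshots the way atop does over its interval and flags any interface whose receive packet delta dwarfs its transmit delta or that shows receive drops. The two snapshot files are constructed here, with increments modelled on the eth2/eth3 figures in the screen above; on a live box you would pass two copies of /proc/net/dev taken a few seconds apart.

```shell
#!/bin/sh
# Added example: spot a lopsided interface from /proc/net/dev counters.
# lopsided_ifaces BEFORE AFTER [RATIO]
#   BEFORE/AFTER are /proc/net/dev-format snapshots (e.g. `cat /proc/net/dev`
#   saved a few seconds apart). Prints "iface rx_pkts tx_pkts rx_drop" for
#   every non-loopback interface whose receive delta exceeds RATIO (default 10)
#   times its transmit delta, or that dropped any received packets.
lopsided_ifaces() {
    ratio=${3:-10}
    awk -v ratio="$ratio" '
        FNR <= 2 { next }                 # skip the two header lines of each file
        { sub(/:/, " ") }                 # "eth3:" or "eth3:123" -> separate fields
        NR == FNR {                       # first snapshot: remember the counters
            rxp0[$1] = $3; rxd0[$1] = $5; txp0[$1] = $11; next
        }
        $1 != "lo" {                      # second snapshot: work on the deltas
            rxp = $3  - rxp0[$1]          # rx packets  (atop: pcki)
            rxd = $5  - rxd0[$1]          # rx drops    (atop: drpi)
            txp = $11 - txp0[$1]          # tx packets  (atop: pcko)
            if (rxp > ratio * txp || rxd > 0)
                printf "%s %d %d %d\n", $1, rxp, txp, rxd
        }' "$1" "$2"
}

# Constructed sample snapshots (not real captures). The AFTER file adds the
# 3-second increments seen in the atop screen: eth2 in 3030 / out 100013,
# eth3 in 115264 / out 2578 with 208056 receive drops.
BEFORE=$(mktemp)
AFTER=$(mktemp)
cat > "$BEFORE" <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    4096      32    0      0    0     0          0         0     4096      32    0    0    0     0       0          0
  eth2:  100000    1000    0      0    0     0          0         0   200000    2000    0    0    0     0       0          0
  eth3:  200000    2000    0      0    0     0          0         0   100000    1000    0    0    0     0       0          0
EOF
cat > "$AFTER" <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    4096      32    0      0    0     0          0         0     4096      32    0    0    0     0       0          0
  eth2:  430450    4030    0      0    0     0          0         0  9200000  102013    0    0    0     0       0          0
  eth3: 7300000  117264    0 208056    0     0          0         2   395000    3578    0    0    0     0       0          0
EOF

# Usage: prints "eth3 115264 2578 208056"; eth2 is quiet on the receive side.
lopsided_ifaces "$BEFORE" "$AFTER"
```

A flood that enters on one interface and is forwarded out another shows up exactly like this: a huge receive delta on the ingress side and a matching transmit delta on the egress side, with the ipfrw counter in the NET network line climbing alongside. The ratio threshold is deliberately coarse; a busy forwarding box will normally show roughly balanced in/out counts per interface, so a 10:1 skew over a few seconds is worth a tcpdump.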
Found the offender via tcpdump:
10:01:51.488936 00:0b:cd:3e:c6:93 > 00:30:48:94:94:5f, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 104, id 4711, offset 0, flags [DF], proto: TCP (6), length: 48) 118.110.xx.xx.6697 > 173.201.xx.xx.http: P, cksum 0x6196 (correct), 2735265098:2735265098(0) ack 4261832542 win 63809 <mss 1460,nop,nop,sackOK>
10:01:51.488998 00:0b:cd:3e:c6:93 > 00:30:48:94:94:5f, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 45, id 24124, offset 0, flags [DF], proto: TCP (6), length: 48) 97.17.xx.xx.11383 > 173.201.xx.xx.http: P, cksum 0x34dd (correct), 487590775:487590775(0) ack 1325631541 win 61462 <mss 1460,nop,nop,sackOK>
None of the IPs listed above (even though they have been edited to protect all parties) are ours. I did an `ip route add blackhole` until I could turn off the switch port on the offender.
A useful sysctl setting if you want to stop this (spoofed attacks):
net.ipv4.conf.all.rp_filter = 1
Stops spoofed packets dead in their tracks! Then you can focus on re-balancing your interrupts or, better yet, turning off their switch port!
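Why that one line works here: with rp_filter set to 1 (strict mode) the kernel looks up the source address of every incoming packet and drops it unless the route back to that source goes out the interface the packet arrived on. A LAN host on eth3 stamping random public addresses on its packets fails that test, because the reverse path for those addresses is the default route out eth2. Two details worth knowing: the kernel applies the larger of conf/all/rp_filter and conf/<iface>/rp_filter, so setting all=1 covers every interface, and strict mode will also drop legitimate traffic on a box with asymmetric routing (newer kernels offer value 2, loose mode, for that case). Setting net.ipv4.conf.all.log_martians = 1 alongside it makes the dropped spoofs show up in the kernel log. The script below is an added example, not from the original post: it audits the effective rp_filter mode per interface against a constructed copy of the /proc/sys tree; pass /proc/sys to run it against a live box.

```shell
#!/bin/sh
# Added example: report interfaces that are not reverse-path filtered.
# rp_filter_report ROOT
#   ROOT is the sysctl tree root (/proc/sys on a live box). Prints
#   "iface 0" for each real interface whose effective mode is 0, where the
#   effective mode is max(conf/all/rp_filter, conf/<iface>/rp_filter).
rp_filter_report() {
    root=$1
    all=$(cat "$root/net/ipv4/conf/all/rp_filter")
    for f in "$root"/net/ipv4/conf/*/rp_filter; do
        iface=$(basename "$(dirname "$f")")
        case "$iface" in
            all|default|lo) continue ;;   # pseudo-entries and loopback
        esac
        eff=$(cat "$f")
        if [ "$all" -gt "$eff" ]; then
            eff=$all
        fi
        if [ "$eff" -eq 0 ]; then
            echo "$iface $eff"
        fi
    done
    return 0
}

# rp_filter_sysctl_lines
#   The lines to drop into /etc/sysctl.conf (or apply with `sysctl -w`) so the
#   setting survives a reboot and the dropped spoofs are logged.
rp_filter_sysctl_lines() {
    printf '%s\n' \
        'net.ipv4.conf.all.rp_filter = 1' \
        'net.ipv4.conf.default.rp_filter = 1' \
        'net.ipv4.conf.all.log_martians = 1'
}

# Constructed sample tree (not a real box): eth2 filtered per-interface,
# eth3 and the global "all" entry still at 0, as on a firewall before the fix.
SAMPLE_ROOT=$(mktemp -d)
for i in all default lo eth2 eth3; do
    mkdir -p "$SAMPLE_ROOT/net/ipv4/conf/$i"
    echo 0 > "$SAMPLE_ROOT/net/ipv4/conf/$i/rp_filter"
done
echo 1 > "$SAMPLE_ROOT/net/ipv4/conf/eth2/rp_filter"

# Usage: before the fix this prints "eth3 0"; after flipping "all" it prints nothing.
rp_filter_report "$SAMPLE_ROOT"
echo 1 > "$SAMPLE_ROOT/net/ipv4/conf/all/rp_filter"
rp_filter_report "$SAMPLE_ROOT"
```

Running the report against /proc/sys before and after `sysctl -w net.ipv4.conf.all.rp_filter=1` is a quick way to confirm the change took effect on every interface, and the log_martians line gives you a kernel log entry per dropped spoof, which is handy evidence when you go to switch off the offender's port.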