Please Help Me Figure Out How to Figure This Out


Post by Mik » Thu, 20 Sep 2001 13:47:58



Here's my network setup.  DSL to router, router to linux box running
RH 7, serving as firewall.  Mixed windows and linux network behind the
firewall.  The firewall is ipchains.

Late this afternoon, for no apparent reason, machines behind the
firewall can't access the web.  I can ping the internet and I can run
a windows news client behind the firewall with no problem.  Only thing
not going through seems to be www.

Here's where it's weird.  There is one web site I can reach from
behind the firewall.  Charles Schwab.  I don't know if this is because
it's a "secure" site or not.

I'm not a network guru and I don't have a clue where to start.  I run
tcpdump on the firewall and it looks like www traffic is not going
through because of some error in routing.  I see messages about udp
error host or port unreachable, tos 0xc0.  

Web access has been fine for months and this just started on its own
late in the afternoon.  I can get other traffic past the firewall, not
web traffic, except the schwab site as mentioned.  Any suggestions on
how to troubleshoot this problem would really be appreciated.

Thanks.


Please Help Me Figure Out How to Figure This Out

Post by D. Stimit » Thu, 20 Sep 2001 14:10:24



> Here's my network setup.  DSL to router, router to linux box running
> RH 7, serving as firewall.  Mixed windows and linux network behind the
> firewall.  The firewall is ipchains.

> Late this afternoon, for no apparent reason, machines behind the
> firewall can't access the web.  I can ping the internet and I can run
> a windows news client behind the firewall with no problem.  Only thing
> not going through seems to be www.

> Here's where it's weird.  There is one web site I can reach from
> behind the firewall.  Charles Schwab.  I don't know if this is because
> it's a "secure" site or not.

> I'm not a network guru and I don't have a clue where to start.  I run
> tcpdump on the firewall and it looks like www traffic is not going
> through because of some error in routing.  I see messages about udp
> error host or port unreachable, tos 0xc0.

> Web access has been fine for months and this just started on its own
> late in the afternoon.  I can get other traffic past the firewall, not
> web traffic, except the schwab site as mentioned.  Any suggestions on
> how to troubleshoot this problem would really be appreciated.

> Thanks.

Just wondering if maybe it has something to do with the extreme problems
from the new Code Rainbow variant to Code Red. It's just saturating tons
of sites through port 80 (www) probes. If one of your machines being the
firewall is win and it opened a web site with Code Rainbow (there is
some other name for it as well, I forget which) while using IE, then
that machine will be infected, and will probably waste a ton of
bandwidth. Up to the point of the router or firewall, it is possible you
have a lot of bandwidth being consumed by the worm. And since this seems
to try all the IIS weaknesses, and prior attempts from Code Red brought
down several Cisco dsl routers, maybe you should reboot the router,
which might be crashed. I don't know all of the models subject to dying
under IIS worms, but I think the 675 was one. All of this started early
Tuesday morning.




Please Help Me Figure Out How to Figure This Out

Post by Carl Fi » Thu, 20 Sep 2001 19:46:27



>I'm not a network guru and I don't have a clue where to start.  I run
>tcpdump on the firewall and it looks like www traffic is not going
>through because of some error in routing.  I see messages about udp
>error host or port unreachable, tos 0xc0.  

Generally, when asking for help, it's good to post the *actual* message, not
a vague description of it.

It might be interesting to see some log entries from the firewall box, as
well.
--

Manager, Dueling Modems Computer Forum
<http://dm.net>


Please Help Me Figure Out How to Figure This Out

Post by j » Thu, 20 Sep 2001 21:03:59




>>I'm not a network guru and I don't have a clue where to start.  I run
>>tcpdump on the firewall and it looks like www traffic is not going
>>through because of some error in routing.  I see messages about udp
>>error host or port unreachable, tos 0xc0.  

>Generally, when asking for help, it's good to post the *actual* message, not
>a vague description of it.

Yeah, I know, it's just that I'm posting this from home.  I'll see if
I can get some of the messages from tcpdump and put them up.

I thought the information I posted might be enough for someone to
point me in the right direction.

>It might be interesting to see some log entries from the firewall box, as
>well.
>--

>Manager, Dueling Modems Computer Forum
><http://dm.net>


Please Help Me Figure Out How to Figure This Out

Post by j » Thu, 20 Sep 2001 21:06:57





>> Here's my network setup.  DSL to router, router to linux box running
>> RH 7, serving as firewall.  Mixed windows and linux network behind the
>> firewall.  The firewall is ipchains.

>> Late this afternoon, for no apparent reason, machines behind the
>> firewall can't access the web.  I can ping the internet and I can run
>> a windows news client behind the firewall with no problem.  Only thing
>> not going through seems to be www.

>> Here's where it's weird.  There is one web site I can reach from
>> behind the firewall.  Charles Schwab.  I don't know if this is because
>> it's a "secure" site or not.

>> I'm not a network guru and I don't have a clue where to start.  I run
>> tcpdump on the firewall and it looks like www traffic is not going
>> through because of some error in routing.  I see messages about udp
>> error host or port unreachable, tos 0xc0.

>> Web access has been fine for months and this just started on its own
>> late in the afternoon.  I can get other traffic past the firewall, not
>> web traffic, except the schwab site as mentioned.  Any suggestions on
>> how to troubleshoot this problem would really be appreciated.

>> Thanks.

>Just wondering if maybe it has something to do with the extreme problems
>from the new Code Rainbow variant to Code Red. It's just saturating tons
>of sites through port 80 (www) probes.

I've seen tons of port 80 probes on the firewall.  That port is
closed, btw.

>If one of your machines being the
>firewall is win and it opened a web site with Code Rainbow (there is
>some other name for it as well, I forget which) while using IE, then
>that machine will be infected,

I'll check for that,

>and will probably waste a ton of
>bandwidth. Up to the point of the router or firewall, it is possible you
>have a lot of bandwidth being consumed by the worm. And since this seems
>to try all the IIS weaknesses, and prior attempts from Code Red brought
>down several Cisco dsl routers, maybe you should reboot the router,
>which might be crashed.

That's the first thing I thought of, and did reboot the router.  Also,
I'm having no bandwidth problems on the network behind the firewall.  

>I don't know all of the models subject to dying
>under IIS worms, but I think the 675 was one. All of this started early
>Tuesday morning.

A good idea and I'll check for the code rainbow variant.



Please Help Me Figure Out How to Figure This Out

Post by Mik » Sat, 22 Sep 2001 08:21:29




>Just wondering if maybe it has something to do with the extreme problems
>from the new Code Rainbow variant to Code Red. It's just saturating tons
>of sites through port 80 (www) probes. If one of your machines being the
>firewall is win and it opened a web site with Code Rainbow (there is
>some other name for it as well, I forget which) while using IE, then
>that machine will be infected, and will probably waste a ton of
>bandwidth. Up to the point of the router or firewall, it is possible you
>have a lot of bandwidth being consumed by the worm. And since this seems
>to try all the IIS weaknesses, and prior attempts from Code Red brought
>down several Cisco dsl routers, maybe you should reboot the router,
>which might be crashed. I don't know all of the models subject to dying
>under IIS worms, but I think the 675 was one. All of this started early
>Tuesday morning.



Hey, guess what, you were right that the problem was caused by the
Nimda worm, not because any of the machines on my network were
affected, but because my provider set up filters on UDP port 69 and
tcp port 80 to block web traffic.

I spent at least two hours pulling hair out of my head trying to
figure this one out.

Then my provider sends me an email more than 24 hours later explaining
what it has done!
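One way to tell this kind of upstream filter apart from a local routing or ipchains fault is to read the tcpdump capture per destination port: every SYN to port 80 draws an ICMP unreachable and nothing ever answers, while 443 still completes. The classifier below is an added example, not code from anyone in this thread; the sample capture is constructed in the old tcpdump text format, and the 192.168.1.0/24 LAN prefix and all addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump (3.x-era) output modelled on the symptom in the thread:
# outbound SYNs to port 80 and a TFTP (udp/69) packet are answered by ICMP unreachables
# with tos 0xc0 from the provider's router, while an HTTPS (443) connection succeeds.
SAMPLE = """\
13:47:58.101 192.168.1.10.1034 > 203.0.113.5.80: S 1:1(0) win 16384 <mss 1460> (DF)
13:47:58.102 10.1.0.1 > 192.168.1.10: icmp: 203.0.113.5 tcp port 80 unreachable [tos 0xc0]
13:47:59.210 192.168.1.11.1035 > 203.0.113.9.80: S 7:7(0) win 16384 <mss 1460> (DF)
13:47:59.211 10.1.0.1 > 192.168.1.11: icmp: host 203.0.113.9 unreachable [tos 0xc0]
13:48:01.300 192.168.1.10.1036 > 198.51.100.20.443: S 9:9(0) win 16384 <mss 1460> (DF)
13:48:01.340 198.51.100.20.443 > 192.168.1.10.1036: S 5:5(0) ack 10 win 8760 <mss 1460>
13:48:02.400 192.168.1.12.2049 > 203.0.113.30.69: udp 20
13:48:02.401 10.1.0.1 > 192.168.1.12: icmp: 203.0.113.30 udp port 69 unreachable [tos 0xc0]
"""

LAN = "192.168.1."  # assumed inside-network prefix; adjust to your own
ATTEMPT = re.compile(r"^\S+ (\S+)\.(\d+) > (\S+)\.(\d+): (S |udp )")
SYNACK = re.compile(r"^\S+ (\S+)\.(\d+) > (\S+)\.(\d+): S \d+:\d+\(\d+\) ack ")
UNREACH = re.compile(r"icmp: (?:host )?(\S+)(?: (tcp|udp) port (\d+))? unreachable")

def classify(dump: str) -> dict:
    """Per destination port: LAN attempts, ICMP unreachables, SYN/ACK replies, verdict."""
    stats = defaultdict(lambda: {"attempts": 0, "unreachable": 0, "replies": 0})
    last_port_for_dst = {}  # "host X unreachable" names no port; charge it to X's last attempt
    for line in dump.splitlines():
        m = ATTEMPT.match(line)
        if m and m.group(1).startswith(LAN):
            port = int(m.group(4))
            stats[port]["attempts"] += 1
            last_port_for_dst[m.group(3)] = port
            continue
        m = SYNACK.match(line)
        if m and m.group(3).startswith(LAN):
            stats[int(m.group(2))]["replies"] += 1
            continue
        m = UNREACH.search(line)
        if m:
            port = int(m.group(3)) if m.group(3) else last_port_for_dst.get(m.group(1))
            if port is not None:
                stats[port]["unreachable"] += 1
    for s in stats.values():
        if s["replies"]:
            s["verdict"] = "ok"
        elif s["attempts"] and s["unreachable"] >= s["attempts"]:
            s["verdict"] = "filtered upstream"  # all attempts refused by a router, none answered
        else:
            s["verdict"] = "inconclusive"
    return dict(stats)
```

Feed it `tcpdump -n` output from the firewall's outside interface; ports where the verdict is "filtered upstream" are the ones to raise with the provider before touching local rules.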


Please Help Me Figure Out How to Figure This Out

Post by D. Stimit » Sat, 22 Sep 2001 08:31:43





> >Just wondering if maybe it has something to do with the extreme problems
> >from the new Code Rainbow variant to Code Red. It's just saturating tons
> >of sites through port 80 (www) probes. If one of your machines being the
> >firewall is win and it opened a web site with Code Rainbow (there is
> >some other name for it as well, I forget which) while using IE, then
> >that machine will be infected, and will probably waste a ton of
> >bandwidth. Up to the point of the router or firewall, it is possible you
> >have a lot of bandwidth being consumed by the worm. And since this seems
> >to try all the IIS weaknesses, and prior attempts from Code Red brought
> >down several Cisco dsl routers, maybe you should reboot the router,
> >which might be crashed. I don't know all of the models subject to dying
> >under IIS worms, but I think the 675 was one. All of this started early
> >Tuesday morning.


> Hey, guess what, you were right that the problem was caused by the
> Nimda worm, not because any of the machines on my network were
> affected, but because my provider set up filters on UDP port 69 and
> tcp port 80 to block web traffic.

> I spent at least two hours pulling hair out of my head trying to
> figure this one out.

> Then my provider sends me an email more than 24 hours later explaining
> what it has done!

Perhaps you should suggest to your provider that running linux would
save money and down time :>
(you should make sure he hears snickering in the background while
suggesting it)



Please Help Me Figure Out How to Figure This Out

Post by Mik » Sat, 22 Sep 2001 11:50:29







>> >Just wondering if maybe it has something to do with the extreme problems
>> >from the new Code Rainbow variant to Code Red. It's just saturating tons
>> >of sites through port 80 (www) probes. If one of your machines being the
>> >firewall is win and it opened a web site with Code Rainbow (there is
>> >some other name for it as well, I forget which) while using IE, then
>> >that machine will be infected, and will probably waste a ton of
>> >bandwidth. Up to the point of the router or firewall, it is possible you
>> >have a lot of bandwidth being consumed by the worm. And since this seems
>> >to try all the IIS weaknesses, and prior attempts from Code Red brought
>> >down several Cisco dsl routers, maybe you should reboot the router,
>> >which might be crashed. I don't know all of the models subject to dying
>> >under IIS worms, but I think the 675 was one. All of this started early
>> >Tuesday morning.


>> Hey, guess what, you were right that the problem was caused by the
>> Nimda worm, not because any of the machines on my network were
>> affected, but because my provider set up filters on UDP port 69 and
>> tcp port 80 to block web traffic.

>> I spent at least two hours pulling hair out of my head trying to
>> figure this one out.

>> Then my provider sends me an email more than 24 hours later explaining
>> what it has done!

>Perhaps you should suggest to your provider that running linux would
>save money and down time :>

The provider is Concentric, or XO as they like to call themselves now.

I didn't get the impression that their servers were infected, and it's
inconceivable to me that they're running Windows-based servers.  What
I gleaned was that so many of their customers were infected that it
was clogging up the bandwidth.


>(you should make sure he hears snickering in the background while
>suggesting it)


