PPP connection problem


Post by Jose Antonio C. Baduria, Jr » Wed, 09 Dec 1998 04:00:00



Good Morning!!

    We encountered a hangup problem with Linux; that's why we had to revert
back to NT. I looked at the log file and it seems that 201.57.248.21 is
sending something to Linux (SYN) that disconnects the PPP connection.
Below is the log file:

Dec  4 14:43:36 tspimain kernel: CSLIP: code copyright 1989 Regents of
the University of California
Dec  4 14:43:36 tspimain kernel: PPP: version 2.2.0 (dynamic channel
allocation)
Dec  4 14:43:36 tspimain kernel: PPP Dynamic channel allocation code
copyright 1995 Caldera, Inc.
Dec  4 14:43:36 tspimain kernel: PPP line discipline registered.
Dec  4 14:43:36 tspimain kernel: registered device ppp0
Dec  4 14:43:36 tspimain pppd[462]: pppd 2.3.3 started by root, uid 0
Dec  4 14:43:37 tspimain chat[463]: timeout set to 3 seconds
Dec  4 14:43:37 tspimain chat[463]: abort on (\nBUSY\r)
Dec  4 14:43:37 tspimain chat[463]: abort on (\nNO ANSWER\r)
Dec  4 14:43:37 tspimain chat[463]: abort on
(\nRINGING\r\n\r\nRINGING\r)
Dec  4 14:43:37 tspimain chat[463]: send (rAT^M)
Dec  4 14:43:37 tspimain chat[463]: expect (OK)
Dec  4 14:43:37 tspimain chat[463]: rAT^M^M
Dec  4 14:43:37 tspimain chat[463]: OK
Dec  4 14:43:37 tspimain chat[463]:  -- got it
Dec  4 14:43:37 tspimain chat[463]: send (ATH0^M)
Dec  4 14:43:37 tspimain chat[463]: timeout set to 30 seconds
Dec  4 14:43:37 tspimain chat[463]: expect (OK)
Dec  4 14:43:37 tspimain chat[463]: ^M
Dec  4 14:43:37 tspimain chat[463]: ATH0^M^M
Dec  4 14:43:37 tspimain chat[463]: OK
Dec  4 14:43:37 tspimain chat[463]:  -- got it
Dec  4 14:43:37 tspimain chat[463]: send (ATDT634-0531^M)
Dec  4 14:43:37 tspimain chat[463]: expect (CONNECT)
Dec  4 14:43:37 tspimain chat[463]: ^M
Dec  4 14:43:54 tspimain chat[463]: ATDT634-0531^M^M
Dec  4 14:43:54 tspimain chat[463]: CONNECT
Dec  4 14:43:54 tspimain chat[463]:  -- got it
Dec  4 14:43:54 tspimain chat[463]: send (\d)
Dec  4 14:43:56 tspimain pppd[462]: Serial connection established.
Dec  4 14:43:57 tspimain pppd[462]: Using interface ppp0
Dec  4 14:43:57 tspimain pppd[462]: Connect: ppp0 <--> /dev/modem
Dec  4 14:43:57 tspimain pppd[462]: Remote message:
Dec  4 14:43:58 tspimain pppd[462]: local  IP address 201.57.248.74
Dec  4 14:43:58 tspimain pppd[462]: remote IP address 201.57.248.24
Dec  4 14:44:30 tspimain kernel: Warning: possible SYN flood from
201.57.248.21 on 201.57.248.74:25.  Sending cookies.
Dec  4 14:45:37 tspimain kernel: Warning: possible SYN flood from
201.57.248.21 on 201.57.248.74:25.  Sending cookies.
Dec  4 14:46:38 tspimain kernel: Warning: possible SYN flood from
201.57.248.21 on 201.57.248.74:25.  Sending cookies.
Dec  4 14:47:38 tspimain kernel: Warning: possible SYN flood from
201.57.248.21 on 201.57.248.74:25.  Sending cookies.
Dec  4 14:48:38 tspimain kernel: Warning: possible SYN flood from
201.57.248.21 on 201.57.248.74:25.  Sending cookies.
Dec  4 14:49:39 tspimain kernel: Warning: possible SYN flood from
201.57.248.21 on 201.57.248.74:25.  Sending cookies.
Dec  4 14:50:40 tspimain kernel: Warning: possible SYN flood from
201.57.248.21 on 201.57.248.74:25.  Sending cookies.
Dec  4 14:51:41 tspimain kernel: Warning: possible SYN flood from
201.57.248.21 on 201.57.248.74:25.  Sending cookies.
Dec  4 14:52:43 tspimain kernel: Warning: possible SYN flood from
201.57.248.21 on 201.57.248.74:25.  Sending cookies.
Dec  4 14:53:44 tspimain kernel: Warning: possible SYN flood from
201.57.248.21 on 201.57.248.74:25.  Sending cookies.
Dec  4 14:54:44 tspimain kernel: Warning: possible SYN flood from
201.57.248.21 on 201.57.248.74:25.  Sending cookies.
Dec  4 14:55:44 tspimain kernel: Warning: possible SYN flood from
201.57.248.21 on 201.57.248.74:25.  Sending cookies.
Dec  4 14:56:46 tspimain kernel: Warning: possible SYN flood from
201.57.248.21 on 201.57.248.74:25.  Sending cookies.
Dec  4 14:57:53 tspimain kernel: Warning: possible SYN flood from
201.57.248.21 on 201.57.248.74:25.  Sending cookies.
Dec  4 14:58:54 tspimain kernel: Warning: possible SYN flood from
201.57.248.21 on 201.57.248.74:25.  Sending cookies.
Dec  4 14:59:20 tspimain pppd[462]: Hangup (SIGHUP)
Dec  4 14:59:20 tspimain pppd[462]: Modem hangup
Dec  4 14:59:20 tspimain pppd[462]: Connection terminated.
Dec  4 14:59:20 tspimain pppd[462]: Exit.

    The problem, I think, lies with the SYN flood Linux is receiving. This
happens almost every minute until the PPP connection is disconnected. Any
reason why 201.57.248.21 does this?

Thanks,
Joe-An

 
 
 


Post by Matt Kresse » Wed, 09 Dec 1998 04:00:00



Quote:

> Good Morning!!

>     We encountered a hangup problem with Linux; that's why we had to revert
> back to NT. I looked at the log file and it seems that 201.57.248.21 is
> sending something to Linux (SYN) that disconnects the PPP connection.
> Below is the log file:
> Dec  4 14:57:53 tspimain kernel: Warning: possible SYN flood from
> 201.57.248.21 on 201.57.248.74:25.  Sending cookies.
> Dec  4 14:58:54 tspimain kernel: Warning: possible SYN flood from
> 201.57.248.21 on 201.57.248.74:25.  Sending cookies.
> Dec  4 14:59:20 tspimain pppd[462]: Hangup (SIGHUP)
> Dec  4 14:59:20 tspimain pppd[462]: Modem hangup
> Dec  4 14:59:20 tspimain pppd[462]: Connection terminated.
> Dec  4 14:59:20 tspimain pppd[462]: Exit.

>     The problem, I think, lies with the SYN flood Linux is receiving. This
> happens almost every minute until the PPP connection is disconnected. Any
> reason why 201.57.248.21 does this?

SYN packets are part of the three-way handshake on TCP/IP connections.  It
looks like the host 201.57.248.21 may be trying to send email through your
host (port 25), perhaps as SPAM?  I would report this to your administrator
regardless, as it may be someone doing malicious things to your machine or
just a configuration issue on their part.

-Matt

--

+---------  Northrop Grumman Corporation, Bethpage, NY ---------+
+---------  TEL: (516) 346-9101 FAX: (516) 346-9740 ------------+
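
An added example, not part of either post: a small Python triage script for the log discussed in this thread. It rejoins the mail-wrapped syslog lines, groups the kernel's SYN cookie warnings by source and destination port, and measures the spacing between warnings and the time from the last warning to the pppd hangup. The sample lines are copied from the first post's log, wrapped as posted; the function names and the year 1998 (syslog omits the year) are assumptions.

```python
import re
from datetime import datetime

# Lines copied from the log in the first post, still wrapped as posted.
SAMPLE = """\
Dec  4 14:43:58 tspimain pppd[462]: local  IP address 201.57.248.74
Dec  4 14:56:46 tspimain kernel: Warning: possible SYN flood from
201.57.248.21 on 201.57.248.74:25.  Sending cookies.
Dec  4 14:57:53 tspimain kernel: Warning: possible SYN flood from
201.57.248.21 on 201.57.248.74:25.  Sending cookies.
Dec  4 14:58:54 tspimain kernel: Warning: possible SYN flood from
201.57.248.21 on 201.57.248.74:25.  Sending cookies.
Dec  4 14:59:20 tspimain pppd[462]: Hangup (SIGHUP)
"""

STAMP = re.compile(r"^([A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")
SYN = re.compile(r"possible SYN flood from (\S+) on ([\d.]+):(\d+)\.")

def unwrap(text):
    """Rejoin wrapped lines: a line without a timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line)
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text, year=1998):  # year is an assumption; syslog does not record it
    warnings, hangup = {}, None
    for rec in unwrap(text):
        m = STAMP.match(rec)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        syn = SYN.search(m.group(4))
        if syn:  # key is (source IP, destination IP, destination port)
            warnings.setdefault(syn.groups(), []).append(when)
        elif m.group(3).startswith("pppd") and "Hangup" in m.group(4) and hangup is None:
            hangup = when
    report = {}
    for key, times in warnings.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {
            "count": len(times),
            "gaps_s": gaps,
            "last_to_hangup_s": (hangup - times[-1]).total_seconds() if hangup else None,
        }
    return report
```

Calling `summarize()` on the full log text gives one entry per source and destination port, so the spacing of the warnings and their timing relative to the hangup can be read off directly.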