Re: [suse-security] HELP ! YOU-Update on SuSE 8.1 firewall did something eval to my kernel
From: Sven 'Darkman' Michels (svendarkman.de)
Date: Wed Sep 10 2003 - 05:50:10 CDT
Philipp Rusch wrote:
> Hi all,
> yesterday I updated my SuSE 8.1 system with the recommended (auto) updates
> through YOU. I noticed that there was a kernel update in the list, but I didn't mind.
> Today, when under stress, my firewall gives hundreds of messages like:
> Sep 10 11:53:27 proxy1 kernel: NET: 39 messages suppressed.
> I did NOT change a thing besides those updates and rebooted.
> The firewall is done through iptables and configured with the "shorewall" script which
> has been in use for over a year now without any problems.
> Now the firewall simply stops after a certain while.
> Unfortunately I cannot log in because the SSH process is crashing as well and I am
> not on site, but I managed to get the logs via email.
> Any hint / help is appreciated very much.
This is not a kernel bug. I would say you've some kind of worm
inside your network. Dunno which one exactly but I've seen it on
many routers in the last 3 weeks (would say blaster or sobig). The
"solution" besides removing the worm is simple:
make your arp cache table bigger to hold more arp entries.
This can be done by:
echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
This should be ok for now. Hopefully your RAM isn't full at all ;)
Your box will work ok again and the errors should be gone. After
that please check for the worm. The worm pings your local network
(any ip) and so you'll get many incomplete arp entries. You can
check that (if you have access again to the box) with the arp
command. If you want, you can track how many entries are in your
cache by arp -an | wc -l (and you'll see that it increases up
to more than 1024, the old default maximum).
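The check described in the reply above, as an added example that is not part of the original post: it goes beyond a plain `arp -an | wc -l` by also counting incomplete entries per interface and comparing the total with the three gc_thresh limits. The function names `arp_summary` and `sample_arp`, the status labels and the sample `arp -an` lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: summarise `arp -an` output against the neighbour-table limits.
# Usage on a live box (thresholds read from the files named in the post):
#   d=/proc/sys/net/ipv4/neigh/default
#   arp -an | arp_summary "$(cat $d/gc_thresh1)" "$(cat $d/gc_thresh2)" "$(cat $d/gc_thresh3)"
# Output: "<total> <incomplete> <interface with most incomplete> <status>"
arp_summary() {
    awk -v t1="$1" -v t2="$2" -v t3="$3" '
        / at / {
            total++
            if ($0 ~ /<incomplete>/) { inc++; per[$NF]++ }   # $NF = interface
        }
        END {
            top = "-"; max = 0
            for (i in per) if (per[i] > max) { max = per[i]; top = i }
            status = "ok"
            if (total >= t1) status = "gc-eligible"   # garbage collection may run
            if (total >= t2) status = "soft-limit"    # soft maximum reached
            if (total >= t3) status = "hard-limit"    # hard maximum reached
            printf "%d %d %s %s\n", total, inc, top, status
        }'
}

# Constructed sample input (not taken from the original thread).
sample_arp() {
    cat <<'EOF'
? (192.168.1.1) at 00:50:56:aa:bb:01 [ether] on eth0
? (192.168.1.10) at 00:50:56:aa:bb:0a [ether] on eth0
? (192.168.1.23) at <incomplete> on eth0
? (192.168.1.24) at <incomplete> on eth0
? (192.168.1.25) at <incomplete> on eth0
? (10.0.0.2) at 00:50:56:aa:bb:02 [ether] on eth1
? (10.0.0.9) at <incomplete> on eth1
EOF
}

# Small thresholds so the sample crosses the soft limit.
sample_arp | arp_summary 4 6 8
```

A high share of incomplete entries on one interface points at the segment whose address range is being probed; the summary does not identify the probing host itself.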