[emanicslab] Suspicious Activity on EmanicsLab nodes host1-plb.loria.fr and host2-plb.loria.fr

Andri Lareida lareida at ifi.uzh.ch
Thu Dec 19 09:43:24 CET 2013


Dear David,

The crawler itself for sure does not cause this behavior. The torrents 
come from a portal via RSS, so there is the possibility that some very 
popular torrents are in there. When BT clients from all over the world 
try to connect to the Inria host when there is no client running, I 
imagine this could look like a DDoS attack. Although, the traffic seems too 
high for that.

On the other hand there are many PlanetLab Hosts in the log.

Let's see the more detailed information. This will help a lot. In the 
meantime I can check what ports were announced.

Cheers
Andri




On 12/19/2013 09:29 AM, Juan Pablo Timpanaro wrote:
> Dear Andri,
>
> Have you used a specific node (or nodes) to announce a specific, probably popular, content (movie,...)? A crawler itself can not (should not) produce this behavior. It seems more like an old-fashioned DDoS, with INRIA nodes as targets.
>
> Looking forward to further information on those flows.
>
> Best,
>
> On Dec 19, 2013, at 9:19 AM, Andri Lareida wrote:
>
>> Dear David,
>>
>> As far as I understand, the log file shows incoming connections. I'm testing a BitTorrent Tracker crawler at the moment. For that the node announces itself to several BitTorrent Trackers to get IPs. This also means that the IP of the EmanicsLab node will be on the Tracker and other hosts might try to connect to it. Since no BitTorrent client is running on the node, no connection can be established. Therefore, I can not explain that the flows have KB sizes. The node also joins the BitTorrent DHT, which might result in incoming connections.
>>
>> Some more detailed information on ports and transport protocol would help finding an answer.
>>
>> Regards
>> Andri
>>
>>
>>
>> On 18.12.2013 18:59, David Hausheer wrote:
>>> Dear EmanicsLab users,
>>>
>>> we have some suspicious activity ongoing on EmanicsLab nodes host1-plb.loria.fr and host2-plb.loria.fr.
>>>
>>> Since those of you addressed explicitly in the Email header are running experiments including those nodes, I would like to understand if the traffic originates from any of your slices.
>>>
>>> Thus, please take a look at the attached log file, and let me know if the hostnames are familiar to you. It may also be that one of your slices has been hacked, in which case we would need to disable it.
>>>
>>> Thus, please inform me as soon as possible if
>>>
>>> a) you know that your slice IS the source of those connections
>>> b) you know that your slice is NOT the source of those connections
>>> c) you don't know (your slice may be hacked)
>>>
>>> Thank you and best regards
>>> David
>>>
>>> On 18.12.2013 16:09, Emmanuel Nataf wrote:
>>>> Hello,
>>>>
>>>> The hosts : host1-plb.loria.fr <http://host1-plb.loria.fr/> and
>>>> host2-plb.loria.fr <http://host2-plb.loria.fr/> are down for security
>>>> reasons.
>>>> Since last week a very large amount of connections, coming from
>>>> everywhere (and probably not all registered nodes) threaten our firewall.
>>>> I attach the firewall log.
>>>>
>>>>
>>>>
>>>> Regards
>>>>
>>>> E. Nataf
>>>> INRIA Nodes
>> _______________________________________________
>> emanicslab mailing list
>> emanicslab at lists.ifi.uzh.ch
>> https://lists.ifi.uzh.ch/listinfo/emanicslab
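The thread turns on two questions that the attached firewall log (not shown here) would answer: which ports and transport protocols the inbound flows target, and whether flows that carry KB of data are going to ports where nothing listens, since a connection attempt to a closed port should exchange only a handful of bytes. The script below is an added example, not part of the thread or of the crawler; it assumes a constructed one-flow-per-line log format (proto, src, dst, dst_port, bytes), an assumed announce port of 6881, and an assumed listening set of only ssh, none of which the thread states.

```python
"""Triage helper for inbound flows against a node that announced itself to trackers.

The log format is constructed for this example (one flow per line:
proto src_ip dst_ip dst_port bytes); it is not the LORIA firewall log format.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample lines (documentation address ranges), not data from the thread.
SAMPLE_LOG = """\
tcp 203.0.113.5 192.0.2.10 6881 60
tcp 203.0.113.6 192.0.2.10 6881 52
udp 198.51.100.7 192.0.2.10 6881 310
tcp 198.51.100.8 192.0.2.10 6881 4120
tcp 203.0.113.9 192.0.2.10 22 60
udp 203.0.113.5 192.0.2.10 6881 120
"""

# Assumed: the port the crawler announced to the trackers (the thread does not say).
ANNOUNCED_PORTS: Set[int] = {6881}
# Assumed: the only service actually listening on the node is ssh.
LISTENING_PORTS: Set[Tuple[str, int]] = {("tcp", 22)}


def parse_flows(text: str) -> List[dict]:
    """Parse the constructed log format into flow records; reject malformed lines."""
    flows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        proto, src, dst, dport, nbytes = parts
        flows.append({"proto": proto.lower(), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def summarize_by_port(flows: List[dict]) -> Dict[Tuple[str, int], dict]:
    """Per (proto, dst_port): distinct sources, flow count and total bytes.

    Many distinct sources hitting the announced port is what tracker/DHT
    announces are expected to produce; traffic elsewhere needs another explanation.
    """
    acc = defaultdict(lambda: {"sources": set(), "bytes": 0, "flows": 0})
    for f in flows:
        s = acc[(f["proto"], f["dport"])]
        s["sources"].add(f["src"])
        s["bytes"] += f["bytes"]
        s["flows"] += 1
    return {k: {"distinct_sources": len(v["sources"]), "flows": v["flows"],
                "bytes": v["bytes"]} for k, v in acc.items()}


def flag_unexpected_payload(flows: List[dict], listening: Set[Tuple[str, int]],
                            min_bytes: int = 1000) -> List[dict]:
    """Flows carrying at least min_bytes to a port with no listener.

    A TCP connect to a closed port is a SYN answered by RST, i.e. tens of bytes,
    so KB-sized flows to such ports cannot be explained by the announce alone
    and are the ones to pull full packet detail for.
    """
    return [f for f in flows
            if (f["proto"], f["dport"]) not in listening and f["bytes"] >= min_bytes]


def announce_share(flows: List[dict], announced: Set[int]) -> float:
    """Fraction of flows aimed at the announced port(s); 0.0 for an empty list."""
    if not flows:
        return 0.0
    return sum(1 for f in flows if f["dport"] in announced) / len(flows)


if __name__ == "__main__":
    parsed = parse_flows(SAMPLE_LOG)
    for key, stats in sorted(summarize_by_port(parsed).items()):
        print(key, stats)
    print("share to announced ports:", announce_share(parsed, ANNOUNCED_PORTS))
    for f in flag_unexpected_payload(parsed, LISTENING_PORTS):
        print("unexpected payload:", f)
```

Run against the real log, the summary answers Andri's request for port and protocol detail in one pass, and the flagged list separates the harmless half-open attempts that an announce produces from the KB-sized flows that the thread cannot yet explain.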
