[emanicslab] Suspicious Activity on EmanicsLab nodes host1-plb.loria.fr and host2-plb.loria.fr

David Hausheer hausheer at ps.tu-darmstadt.de
Thu Dec 19 17:04:34 CET 2013


Thanks Andri,

as soon as I am able to log in to the nodes, I may be able to get a
better understanding as to which slice may have been the target of the 
"attack".

Best regards
David

On 19.12.2013 09:43, Andri Lareida wrote:
> Dear David,
>
> The crawler itself does for sure not cause this behavior. The torrents
> come from a portal via RSS, so there is the possibility that some very
> popular torrents are in there. When BT clients from all over the world
> try to connect to the Inria host when there is no client running, I
> imagine this could look like a DDoS attack. Although, the traffic seems
> too high for that.
>
> On the other hand there are many PlanetLab Hosts in the log.
>
> Let's see the more detailed information. This will help a lot. In the
> meantime I can check what ports were announced.
>
> Cheers
> Andri
>
>
>
>
> On 12/19/2013 09:29 AM, Juan Pablo Timpanaro wrote:
>> Dear Andri,
>>
>> Have you used a specific node (or nodes) to announce a specific,
>> probably popular, content (movie,...)? A crawler itself cannot
>> (should not) produce this behavior. It seems more like an old-fashioned
>> DDoS, with INRIA nodes as targets.
>>
>> Looking forward to further information on those flows.
>>
>> Best,
>>
>> On Dec 19, 2013, at 9:19 AM, Andri Lareida wrote:
>>
>>> Dear David,
>>>
>>> As far as I understand, the log file shows incoming connections. I'm
>>> testing a BitTorrent Tracker crawler at the moment. For that the
>>> node announces itself to several BitTorrent Trackers to get IPs. This
>>> also means that the IP of the EmanicsLab node will be on the Tracker
>>> and other hosts might try to connect to it. Since no BitTorrent
>>> client is running on the node, no connection can be established.
>>> Therefore, I cannot explain that the flows have KB sizes. The node
>>> also joins the BitTorrent DHT, which might result in incoming
>>> connections.
>>>
>>> Some more detailed information on ports and transport protocol would
>>> help finding an answer.
>>>
>>> Regards
>>> Andri
>>>
>>>
>>>
>>> On 18.12.2013 18:59, David Hausheer wrote:
>>>> Dear EmanicsLab users,
>>>>
>>>> we have some suspicious activity ongoing on EmanicsLab nodes
>>>> host1-plb.loria.fr and host2-plb.loria.fr
>>>>
>>>> Since those of you addressed explicitly in the Email header are
>>>> running experiments including those nodes, I would like to
>>>> understand if the traffic originates from any of your slices.
>>>>
>>>> Thus, please take a look at the attached log file, and let me know
>>>> if the hostnames are familiar to you. It may also be that one of
>>>> your slices has been hacked, in which case we would need to disable it.
>>>>
>>>> Thus, please inform me as soon as possible if
>>>>
>>>> a) you know that your slice IS the source of those connections
>>>> b) you know that your slice is NOT the source of those connections
>>>> c) you don't know (your slice may be hacked)
>>>>
>>>> Thank you and best regards
>>>> David
>>>>
>>>> On 18.12.2013 16:09, Emmanuel Nataf wrote:
>>>>> Hello,
>>>>>
>>>>> The hosts host1-plb.loria.fr <http://host1-plb.loria.fr/> and
>>>>> host2-plb.loria.fr <http://host2-plb.loria.fr/> are down for security
>>>>> reasons.
>>>>> Since last week a very large amount of connections, coming from
>>>>> everywhere (and probably not all registered nodes), threaten our
>>>>> firewall.
>>>>> I attach the firewall log.
>>>>>
>>>>>
>>>>>
>>>>> Regards
>>>>>
>>>>> E. Nataf
>>>>> INRIA Nodes
>

-- 
Prof. Dr. David Hausheer

Technische Universitaet Darmstadt
Dept. of Electrical Engineering & Information Technology

Rundeturmstr. 10, Building S3/20, Room 225
64283 Darmstadt, Germany
Phone: +49 6151 16 4280
Fax: +49 6151 16 6152
E-Mail: hausheer at ps.tu-darmstadt.de
Web: http://www.ps.tu-darmstadt.de/
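
The per-port and per-protocol breakdown requested in the thread, worked as an added example that is not part of the original messages or of the attached firewall log. The log layout, the sample lines, the announced port 6881 and the 1024-byte threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample in an assumed "time src dst proto dport bytes" layout;
# the real firewall log attached to the thread is not shown on the page.
SAMPLE_LOG = """\
2013-12-17T10:00:01 198.51.100.7 192.0.2.10 tcp 6881 120
2013-12-17T10:00:02 198.51.100.8 192.0.2.10 tcp 6881 60
2013-12-17T10:00:02 203.0.113.5 192.0.2.10 udp 6881 310
2013-12-17T10:00:03 203.0.113.9 192.0.2.10 tcp 80 48000
2013-12-17T10:00:04 203.0.113.9 192.0.2.10 tcp 80 52000
2013-12-17T10:00:05 198.51.100.7 192.0.2.11 udp 6881 290
malformed line
"""
ANNOUNCED = {("tcp", 6881), ("udp", 6881)}  # assumed: port given to trackers/DHT

def parse(log_text):
    """Yield (src, dst, proto, dport, nbytes) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not (parts[4].isdigit() and parts[5].isdigit()):
            continue  # skip blank or malformed records instead of failing
        _, src, dst, proto, dport, nbytes = parts
        yield src, dst, proto.lower(), int(dport), int(nbytes)

def summarise(log_text):
    """Per (proto, dport): flow count, distinct sources, total bytes."""
    stats = defaultdict(lambda: {"flows": 0, "sources": set(), "bytes": 0})
    for src, _dst, proto, dport, nbytes in parse(log_text):
        entry = stats[(proto, dport)]
        entry["flows"] += 1
        entry["sources"].add(src)
        entry["bytes"] += nbytes
    return dict(stats)

def announced_share(stats, announced):
    """Fraction of flows aimed at a (proto, port) the crawler announced."""
    total = sum(e["flows"] for e in stats.values())
    hit = sum(e["flows"] for key, e in stats.items() if key in announced)
    return hit / total if total else 0.0

def unexplained(stats, announced, max_tcp_bytes=1024):
    """Ports outside the announced set, plus announced TCP ports whose mean
    flow size exceeds what a refused connection attempt would carry."""
    out = []
    for (proto, dport), e in sorted(stats.items()):
        mean = e["bytes"] / e["flows"]
        if (proto, dport) not in announced or (proto == "tcp" and mean > max_tcp_bytes):
            out.append((proto, dport, e["flows"], len(e["sources"]), round(mean)))
    return out
```

A high announced share with small flows fits the tracker-announce explanation; rows returned by `unexplained` are the traffic that explanation does not cover.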

