[emanicslab] Suspicious Activity on EmanicsLab nodes host1-plb.loria.fr and host2-plb.loria.fr

Juan Pablo Timpanaro jptimpanaro at gmail.com
Fri Dec 27 23:24:23 CET 2013


Hello David,

Did you have some news regarding that "attack"?

Best,


On 19 December 2013 17:04, David Hausheer <hausheer at ps.tu-darmstadt.de> wrote:

> Thanks Andri,
>
> as soon as I am able to log in to the nodes, I may be able to get a
> better understanding as to which slice may have been the target of the
> "attack".
>
> Best regards
> David
>
>
> On 19.12.2013 09:43, Andri Lareida wrote:
>
>> Dear David,
>>
>> The crawler itself does for sure not cause this behavior. The torrents
>> come from a portal via RSS, so there is the possibility that some very
>> popular torrents are in there. When BT clients from all over the world
>> try to connect to the Inria host when there is no client running, I
>> imagine this could look like a DDoS attack. Although, the traffic seems too
>> high for that.
>>
>> On the other hand there are many PlanetLab Hosts in the log.
>>
>> Let's see the more detailed information. This will help a lot. In the
>> meantime I can check what ports were announced.
>>
>> Cheers
>> Andri
>>
>>
>>
>>
>> On 12/19/2013 09:29 AM, Juan Pablo Timpanaro wrote:
>>
>>> Dear Andri,
>>>
>>> Have you used a specific node (or nodes) to announce a specific,
>>> probably popular, content (movie,...)? A crawler itself cannot
>>> (should not) produce this behavior. It seems more like an old-fashioned
>>> DDoS, with INRIA nodes as targets.
>>>
>>> Looking forward to further information on those flows.
>>>
>>> Best,
>>>
>>> On Dec 19, 2013, at 9:19 AM, Andri Lareida wrote:
>>>
>>>> Dear David,
>>>>
>>>> As far as I understand, the log file shows incoming connections. I'm
>>>> testing a BitTorrent Tracker crawler at the moment. For that the
>>>> node announces itself to several BitTorrent Trackers to get IPs. This
>>>> also means that the IP of the EmanicsLab node will be on the Tracker
>>>> and other hosts might try to connect to it. Since no BitTorrent
>>>> client is running on the node, no connection can be established.
>>>> Therefore, I cannot explain that the flows have KB sizes. The node
>>>> also joins the BitTorrent DHT, which might result in incoming
>>>> connections.
>>>>
>>>> Some more detailed information on ports and transport protocol would
>>>> help finding an answer.
>>>>
>>>> Regards
>>>> Andri
>>>>
>>>>
>>>>
>>>> On 18.12.2013 18:59, David Hausheer wrote:
>>>>
>>>>> Dear EmanicsLab users,
>>>>>
>>>>> we have some suspicious activity ongoing on EmanicsLab nodes
>>>>> host1-plb.loria.fr and host2-plb.loria.fr
>>>>>
>>>>> Since those of you addressed explicitly in the Email header are
>>>>> running experiments including those nodes, I would like to
>>>>> understand if the traffic originates from any of your slices.
>>>>>
>>>>> Thus, please take a look at the attached log file, and let me know
>>>>> if the hostnames are familiar to you. It may also be that one of
>>>>> your slices has been hacked, in which case we would need to disable it.
>>>>>
>>>>> Thus, please inform me as soon as possible if
>>>>>
>>>>> a) you know that your slice IS the source of those connections
>>>>> b) you know that your slice is NOT the source of those connections
>>>>> c) you don't know (your slice may be hacked)
>>>>>
>>>>> Thank you and best regards
>>>>> David
>>>>>
>>>>> On 18.12.2013 16:09, Emmanuel Nataf wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> The hosts host1-plb.loria.fr <http://host1-plb.loria.fr/> and
>>>>>> host2-plb.loria.fr <http://host2-plb.loria.fr/> are down for security
>>>>>> reasons.
>>>>>> Since last week a very large amount of connections, coming from
>>>>>> everywhere (and probably not all registered nodes), threaten our
>>>>>> firewall.
>>>>>> I attach the firewall log.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> E. Nataf
>>>>>> INRIA Nodes
>>>>>>
> --
> Prof. Dr. David Hausheer
>
> Technische Universitaet Darmstadt
> Dept. of Electrical Engineering & Information Technology
>
> Rundeturmstr. 10, Building S3/20, Room 225
> 64283 Darmstadt, Germany
> Phone: +49 6151 16 4280
> Fax: +49 6151 16 6152
> E-Mail: hausheer at ps.tu-darmstadt.de
> Web: http://www.ps.tu-darmstadt.de/
>



-- 


Juan Pablo Timpanaro
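
Added example, not part of the thread or of any participant's tooling: one way to do the triage the messages above ask for, grouping inbound firewall flows by destination port and transport and checking them against the ports the crawler announced to trackers. The record format, addresses, ports and the size cut-off are constructed assumptions, since the attached firewall log is not reproduced here.

```python
from collections import defaultdict

# Constructed sample records, "src_ip dst_port proto bytes" (format, addresses,
# ports and sizes are assumptions; the thread's firewall log is not on the page).
SAMPLE_FLOWS = """\
198.51.100.7 6881 tcp 60
198.51.100.8 6881 tcp 60
198.51.100.9 6881 tcp 74
203.0.113.20 6881 udp 120
203.0.113.21 6881 udp 98
203.0.113.30 51413 tcp 40000
203.0.113.31 51413 tcp 44000
192.0.2.44 22 tcp 48000
192.0.2.44 22 tcp 51000
not a flow record
"""

def triage(flow_text, announced_ports, small_flow_bytes=1500):
    """Group inbound flows by (dst_port, proto) and label each group.

    small_flow_bytes is an assumed cut-off for "connection attempt that got
    no answer"; tune it to what the firewall actually counts.
    """
    groups = defaultdict(lambda: {"sources": set(), "flows": 0, "bytes": 0})
    for line in flow_text.splitlines():
        parts = line.split()
        try:
            src, port, proto, size = parts[0], int(parts[1]), parts[2].lower(), int(parts[3])
        except (IndexError, ValueError):
            continue  # skip malformed records
        group = groups[(port, proto)]
        group["sources"].add(src)
        group["flows"] += 1
        group["bytes"] += size
    report = {}
    for (port, proto), group in groups.items():
        avg = group["bytes"] / group["flows"]
        if port not in announced_ports:
            label = "unexplained"  # not attributable to the crawler's announces
        elif avg <= small_flow_bytes:
            label = "consistent-with-announce"  # peers probing a port with no client
        else:
            label = "announced-port-large-flows"  # the "KB sizes" puzzle from the thread
        report[(port, proto)] = {"label": label, "sources": len(group["sources"]),
                                 "flows": group["flows"], "avg_bytes": round(avg, 1)}
    return report

if __name__ == "__main__":
    for key, row in sorted(triage(SAMPLE_FLOWS, {6881, 51413}).items()):
        print(key, row)
```

Groups labelled `unexplained` or `announced-port-large-flows` are the ones that the tracker-announce explanation does not cover and that need a closer look per slice.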