[emanicslab] Suspicious Activity on EmanicsLab nodes host1-plb.loria.fr and host2-plb.loria.fr

David Hausheer hausheer at ifi.uzh.ch
Sat Dec 28 10:01:11 CET 2013


I already checked but could not find anything so far. Will try again to dig deeper in the next days.

Best regards
David

On Dec 27, 2013 11:24 PM, Juan Pablo Timpanaro <jptimpanaro at gmail.com> wrote:
>
> Hello David, 
>
> Did you have any news regarding that "attack"?
>
> Best, 
>
>
> On 19 December 2013 17:04, David Hausheer <hausheer at ps.tu-darmstadt.de> wrote:
>>
>> Thanks Andri,
>>
>> as soon as I am able to log in to the nodes, I may be able to get a better understanding as to which slice may have been the target of the "attack".
>>
>> Best regards
>> David
>>
>>
>> On 19.12.2013 09:43, Andri Lareida wrote:
>>>
>>> Dear David,
>>>
>>> The crawler itself definitely does not cause this behavior. The torrents
>>> come from a portal via RSS, so there is the possibility that some very
>>> popular torrents are in there. When BT clients from all over the world
>>> try to connect to the Inria host while no client is running, I
>>> imagine this could look like a DDoS attack. However, the traffic seems too
>>> high for that.
>>>
>>> On the other hand there are many PlanetLab Hosts in the log.
>>>
>>> Let's see the more detailed information. This will help a lot. In the
>>> meantime I can check which ports were announced.
>>>
>>> Cheers
>>> Andri
>>>
>>> On 12/19/2013 09:29 AM, Juan Pablo Timpanaro wrote:
>>>>
>>>> Dear Andri,
>>>>
>>>> Have you used a specific node (or nodes) to announce a specific,
>>>> probably popular, content (movie, ...)? A crawler itself cannot
>>>> (should not) produce this behavior. It seems more like an old-fashioned
>>>> DDoS, with INRIA nodes as targets.
>>>>
>>>> Looking forward to further information on those flows.
>>>>
>>>> Best,
>>>>
>>>> On Dec 19, 2013, at 9:19 AM, Andri Lareida wrote:
>>>>
>>>>> Dear David,
>>>>>
>>>>> As far as I understand, the log file shows incoming connections. I'm
>>>>> testing a BitTorrent Tracker crawler at the moment. For that the
>>>>> node announces itself to several BitTorrent Trackers to get IPs. This
>>>>> also means that the IP of the EmanicsLab node will be on the Tracker
>>>>> and other hosts might try to connect to it. Since no BitTorrent
>>>>> client is running on the node, no connection can be established.
>>>>> Therefore, I cannot explain why the flows have KB sizes. The node
>>>>> also joins the BitTorrent DHT, which might result in incoming
>>>>> connections.
>>>>>
>>>>> Some more detailed information on ports and transport protocol would
>>>>> help in finding an answer.
>>>>>
>>>>> Regards
>>>>> Andri
>>>>>
>>>>> On 18.12.2013 18:59, David Hausheer wrote:
>>>>>>
>>>>>> Dear EmanicsLab users,
>>>>>>
>>>>>> we have some suspicious activity ongoing on EmanicsLab nodes
>>>>>> host1-plb.loria.fr and host2-plb.loria.fr.
>>>>>>
>>>>>> Since those of you addressed explicitly in the Email header are
>>>>>> running experiments including those nodes, I would like to
>>>>>> understand if the traffic originates from any of your slices.
>>>>>>
>>>>>> Thus, please take a look at the attached log file, and let me know
>>>>>> if the hostnames are familiar to you. It may also be that one of
>>>>>> your slices has been hacked, in which case we would need to disable it.
>>>>>>
>>>>>> Thus, please inform me as soon as possible if
>>>>>>
>>>>>> a) you know that your slice IS the source of those connections
>>>>>> b) you know that your slice is NOT the source of those connections
>>>>>> c) you don't know (your slice may be hacked)
>>>>>>
>>>>>> Thank you and best regards
>>>>>> David
>>>>>>
>>>>>> On 18.12.2013 16:09, Emmanuel Nataf wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> The hosts host1-plb.loria.fr and host2-plb.loria.fr are down for security
>>>>>>> reasons.
>>>>>>> Since last week a very large amount of connections, coming from
>>>>>>> everywhere (and probably not all registered nodes), has been threatening our
>>>>>>> firewall.
>>>>>>> I attach the firewall log.
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> E. Nataf
>>>>>>> INRIA Nodes
>>>>>
>>>>> _______________________________________________
>>>>> emanicslab mailing list
>>>>> emanicslab at lists.ifi.uzh.ch
>>>>> https://lists.ifi.uzh.ch/listinfo/emanicslab
>>>
>>>
>>
>> -- 
>> Prof. Dr. David Hausheer
>>
>> Technische Universitaet Darmstadt
>> Dept. of Electrical Engineering & Information Technology
>>
>> Rundeturmstr. 10, Building S3/20, Room 225
>> 64283 Darmstadt, Germany
>> Phone: +49 6151 16 4280
>> Fax: +49 6151 16 6152
>> E-Mail: hausheer at ps.tu-darmstadt.de
>> Web: http://www.ps.tu-darmstadt.de/
>
> -- 
> Juan Pablo Timpanaro
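One way to get the per-port and per-protocol view the thread asks for, as an added example that is not from any participant: it parses constructed netfilter-style log lines (the format is an assumption; the attached log is not reproduced here), groups inbound records by destination host, protocol and port, and flags groups that look like refused peer connection attempts on BitTorrent ports (many distinct sources, tiny packets) as opposed to groups that need a closer look (few sources or large payloads, as with the KB-sized flows mentioned above).

```python
import re
from collections import defaultdict

# Constructed sample in a netfilter/iptables-style syslog format (assumed format).
SAMPLE_LOG = """\
Dec 17 10:02:11 fw kernel: IN=eth0 SRC=198.51.100.10 DST=192.0.2.5 LEN=60 PROTO=TCP DPT=6881
Dec 17 10:02:12 fw kernel: IN=eth0 SRC=198.51.100.11 DST=192.0.2.5 LEN=60 PROTO=TCP DPT=6881
Dec 17 10:02:13 fw kernel: IN=eth0 SRC=198.51.100.12 DST=192.0.2.5 LEN=60 PROTO=TCP DPT=6881
Dec 17 10:02:14 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.5 LEN=105 PROTO=UDP DPT=6881
Dec 17 10:02:15 fw kernel: IN=eth0 SRC=203.0.113.8 DST=192.0.2.5 LEN=98 PROTO=UDP DPT=6881
Dec 17 10:02:16 fw kernel: IN=eth0 SRC=198.51.100.20 DST=192.0.2.6 LEN=1500 PROTO=TCP DPT=22
Dec 17 10:02:17 fw kernel: IN=eth0 SRC=198.51.100.20 DST=192.0.2.6 LEN=1500 PROTO=TCP DPT=22
"""

FIELD = re.compile(r"(SRC|DST|LEN|PROTO|DPT)=(\S+)")
BT_PORTS = range(6881, 6890)  # conventional BitTorrent listen ports (TCP peers, UDP DHT)

def parse_line(line):
    """Extract the fields we need; None when the line is not a firewall record."""
    f = dict(FIELD.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"}.issubset(f):
        return None
    return f["DST"], f["PROTO"], int(f["DPT"]), f["SRC"], int(f.get("LEN", 0))

def summarize(log_text):
    """Aggregate inbound records per (dst host, proto, dst port)."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        dst, proto, dpt, src, length = rec
        s = stats[(dst, proto, dpt)]
        s["packets"] += 1
        s["bytes"] += length
        s["sources"].add(src)
    return stats

def classify(key, s, min_sources=3, max_avg_len=200):
    """Many distinct sources hitting a BT port with small packets is consistent with
    peers that found the node via tracker/DHT and were refused; anything else needs a look."""
    _, _, port = key
    avg_len = s["bytes"] / s["packets"]
    if port in BT_PORTS and len(s["sources"]) >= min_sources and avg_len <= max_avg_len:
        return "likely-bittorrent-peers"
    return "investigate"

def triage(log_text):
    return {key: classify(key, s) for key, s in summarize(log_text).items()}
```

The thresholds are illustrative; on a real log the distinct-source count and average packet size per port are what distinguish tracker-induced connection attempts from traffic that actually carries data.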