[GRLUG] Rogue packet triggering reboot!

Adam Tauno Williams awilliam at whitemice.org
Mon Oct 17 16:54:56 EDT 2016


On Mon, 2016-10-17 at 14:52 -0500, L. V. Lammert wrote:
> This SEEMS to indicate that a packet received on a public IF that has 
> no open ports triggered a reboot:
> Oct 14 17:31:36 <machine> kernel: IPv4: martian source 206.197.251.9
> from 60.24.136.201, on dev br3
> Oct 14 17:31:36 <machine> kernel: ll header: 00000000: 00 e0 81 cd 21
> b1 00 b0 c2 88 54 1c 08 00        ....!.....T...
> Oct 14 17:31:44 <machine> systemd[1]: Received SIGINT.
> <reboot in process>

A full EIGHT SECONDS later?  I would not automatically correlate these
two events.

If the interface has no open ports why not discard all inbound traffic?

Do either of those two IP addresses mean anything to you?

> OpenSuSE 42.1, .. host and five VMs.
> This server has been rebooting at random times, .. I finally got into
> BIOS and set BMC to reboot instead of shutdown (so it doesn't just go 
> to sleep), but it still is frustrating.
> Any thoughts on troubleshooting?

Increase logging to an external syslog receiver.

-- 
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
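
Added example, not part of the original message or written by either poster: a Python sketch that decodes the quoted `ll header` bytes as a 14-byte Ethernet header and measures the gap between the martian packet and the `systemd[1]: Received SIGINT` line. The year is an assumption (syslog timestamps carry none); the kernel's martian line prints the packet's destination address first and its source address after "from".

```python
import re
from datetime import datetime

# The three log lines quoted in the message, with the e-mail line wrapping undone.
LOG = """\
Oct 14 17:31:36 <machine> kernel: IPv4: martian source 206.197.251.9 from 60.24.136.201, on dev br3
Oct 14 17:31:36 <machine> kernel: ll header: 00000000: 00 e0 81 cd 21 b1 00 b0 c2 88 54 1c 08 00        ....!.....T...
Oct 14 17:31:44 <machine> systemd[1]: Received SIGINT.
"""

YEAR = "2016"  # assumption: taken from the date of the message, not from the log
TS = r"(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ "
MARTIAN = re.compile(TS + r"kernel: IPv4: martian source (?P<dst_ip>[\d.]+) "
                          r"from (?P<src_ip>[\d.]+), on dev (?P<dev>\S+)")
LL = re.compile(TS + r"kernel: ll header: [0-9a-f]{8}: (?P<hex>(?:[0-9a-f]{2} ?){14})")
SIGINT = re.compile(TS + r"systemd\[1\]: Received SIGINT")

def when(ts):
    return datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")

def parse_ll_header(hexdump):
    """Split a 14-byte Ethernet header into destination MAC, source MAC, EtherType."""
    raw = bytes.fromhex(hexdump)  # fromhex() skips the spaces between bytes
    if len(raw) != 14:
        raise ValueError("not a 14-byte Ethernet header")
    mac = lambda b: ":".join(f"{o:02x}" for o in b)
    return {"dst_mac": mac(raw[:6]), "src_mac": mac(raw[6:12]),
            "ethertype": f"0x{int.from_bytes(raw[12:], 'big'):04x}"}

def triage(log):
    """Pair each martian packet with its ll header and the gap to the next SIGINT to PID 1."""
    martians, sigints = [], []
    for line in log.splitlines():
        if m := MARTIAN.match(line):
            martians.append({"time": when(m["ts"]), **m.groupdict()})
        elif (m := LL.match(line)) and martians:
            martians[-1].update(parse_ll_header(m["hex"]))
        elif m := SIGINT.match(line):
            sigints.append(when(m["ts"]))
    for ev in martians:
        later = [s for s in sigints if s >= ev["time"]]
        ev["secs_to_sigint"] = (min(later) - ev["time"]).total_seconds() if later else None
    return martians

if __name__ == "__main__":
    for ev in triage(LOG):
        print(ev)
```

The `src_mac` field is the layer-2 neighbour that delivered the frame onto `br3`, which is the device to look at when asking why that address arrived on that interface.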



