[GRLUG] Rogue packet triggering reboot!

Michael Mol mikemol at gmail.com
Mon Oct 17 16:55:48 EDT 2016


On Monday, October 17, 2016 02:52:52 PM L. V. Lammert wrote:
> This SEEMS to indicate that a packet received on a public IF that has no
> open ports triggered a reboot:
> 
> Oct 14 17:31:36 <machine> kernel: IPv4: martian source 206.197.251.9 from
> 60.24.136.201, on dev br3 Oct 14 17:31:36 <machine> kernel: ll header:
> 00000000: 00 e0 81 cd 21 b1 00 b0 c2 88 54 1c 08 00        ....!.....T...
> Oct 14 17:31:44 <machine> systemd[1]: Received SIGINT.
> <reboot in process>
> 
> OpenSuSE 42.1, .. host and five VMs.
> 
> This server has been rebooting at random times, .. I finally got into
> BIOS and set BMC to reboot instead of shutdown (so it doesn't just go to
> sleep, but it still is frustrating.
> 
> Any thoughts on troubleshooting?

Update drivers? That sounds like something in software corrupting things.

Have a reasonably smart switch you can do port mirroring off of, driving to a 
separate capturing node for the purpose of finding if the logged packet is the 
same as what's sent on the port mirror?

-- 
:wq
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: This is a digitally signed message part.
URL: <http://shinobu.grlug.org/pipermail/grlug/attachments/20161017/dfb4a361/attachment.sig>


More information about the grlug mailing list