From: Toralf Förster
To: Linux Kernel
Subject: network card doesn't recovered itself after a SYN flooding attack
Date: Sun, 22 Nov 2015 11:51:23 +0100
Message-ID: <56519E2B.8050500@gmx.de>
X-Mailing-List: linux-kernel@vger.kernel.org

On the 22nd of November at 21:26 UTC my server (64 bit stable Gentoo hardened) suffered from a DDoS attack.

From the kern.log:

Nov 20 22:26:29 tor-relay kernel: [2431358.124515] TCP: request_sock_TCP: Possible SYN flooding on port 80. Sending cookies. Check SNMP counters.
Nov 20 22:26:48 tor-relay kernel: [2431377.216133] ------------[ cut here ]------------
Nov 20 22:26:48 tor-relay kernel: [2431377.216141] WARNING: CPU: 7 PID: 12421 at net/sched/sch_generic.c:303 dev_watchdog+0x272/0x280()
Nov 20 22:26:48 tor-relay kernel: [2431377.216143] NETDEV WATCHDOG: enp3s0 (r8169): transmit queue 0 timed out
Nov 20 22:26:48 tor-relay kernel: [2431377.216145] Modules linked in:
Nov 20 22:26:48 tor-relay kernel: [2431377.216148] af_packet nf_log_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables nf_log_ipv4 nf_log_common xt_LOG xt_multiport nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack iptable_filter ip_tables i2c_i801 i2c_core tpm_tis tpm thermal processor battery atkbd x86_pkg_temp_thermal button microcode fan
Nov 20 22:26:48 tor-relay kernel: [2431377.216173] CPU: 7 PID: 12421 Comm: emerge Not tainted 4.1.7-hardened-r1 #1
Nov 20 22:26:48 tor-relay kernel: [2431377.216174] Hardware name: System manufacturer System Product Name/P8H77-M PRO, BIOS 0922 09/10/2012
Nov 20 22:26:48 tor-relay kernel: [2431377.216176] ffffffff994fa966 0000000000000000 ffffffff99bced09 ffff88041fbc3d18
Nov 20 22:26:48 tor-relay kernel: [2431377.216179] ffffffff99983e26 0000000000000000 ffff88041fbc3d68 ffff88041fbc3d58
Nov 20 22:26:48 tor-relay kernel: [2431377.216182] ffffffff9947f08a ffff88041fbc3d48 ffffffff99bced09 000000000000012f
Nov 20 22:26:48 tor-relay kernel: [2431377.216185] Call Trace:
Nov 20 22:26:48 tor-relay kernel: [2431377.216187] [] ? print_modules+0x76/0xe0
Nov 20 22:26:48 tor-relay kernel: [2431377.216198] [] dump_stack+0x45/0x5d
Nov 20 22:26:48 tor-relay kernel: [2431377.216203] [] warn_slowpath_common+0x8a/0xd0
Nov 20 22:26:48 tor-relay kernel: [2431377.216205] [] warn_slowpath_fmt+0x5a/0x70
Nov 20 22:26:48 tor-relay kernel: [2431377.216210] [] ? task_tick_fair+0x2a8/0x760
Nov 20 22:26:48 tor-relay kernel: [2431377.216213] [] dev_watchdog+0x272/0x280
Nov 20 22:26:48 tor-relay kernel: [2431377.216216] [] ? dev_deactivate_queue+0x70/0x70
Nov 20 22:26:48 tor-relay kernel: [2431377.216219] [] call_timer_fn+0x47/0x140
Nov 20 22:26:48 tor-relay kernel: [2431377.216222] [] run_timer_softirq+0x291/0x450
Nov 20 22:26:48 tor-relay kernel: [2431377.216224] [] ? dev_deactivate_queue+0x70/0x70
Nov 20 22:26:48 tor-relay kernel: [2431377.216228] [] __do_softirq+0xf8/0x290
Nov 20 22:26:48 tor-relay kernel: [2431377.216230] [] irq_exit+0x9d/0xb0
Nov 20 22:26:48 tor-relay kernel: [2431377.216235] [] smp_apic_timer_interrupt+0x55/0x70
Nov 20 22:26:48 tor-relay kernel: [2431377.216237] [] apic_timer_interrupt+0x97/0xa0
Nov 20 22:26:48 tor-relay kernel: [2431377.216239]
Nov 20 22:26:48 tor-relay kernel: [2431377.216241] ---[ end trace 93431a9382c0a11a ]---
Nov 20 22:26:48 tor-relay kernel: [2431377.237826] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:28:18 tor-relay kernel: [2431467.175659] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:28:30 tor-relay kernel: [2431479.172562] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:28:42 tor-relay kernel: [2431491.164472] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:28:54 tor-relay kernel: [2431503.170416] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:29:06 tor-relay kernel: [2431515.148333] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:29:18 tor-relay kernel: [2431527.143293] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:29:30 tor-relay kernel: [2431539.142164] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:29:42 tor-relay kernel: [2431551.124104] r8169 0000:03:00.0 enp3s0: link up
...
Nov 22 10:56:24 tor-relay kernel: [2562675.624512] r8169 0000:03:00.0 enp3s0: link up

The last line repeated and the network was down till I initiated a hardware reset.

It looks to me as if the attack turned the network card into a state from which it couldn't recover by itself, or?
Is there anything I should change here on the system to avoid such a hang?

--
Toralf, pgp key: C4EACDDE 0076E94E
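
A way to spot the sequence shown in the log above automatically, as an added example that is not part of the original post: it flags an interface whose transmit watchdog fired and which then logged repeated "link up" lines with no "link down" in between, and records a SYN-flood warning seen shortly before. The function name, the 60-second window and the three-repeat threshold are assumptions; the sample lines are excerpted from the post's log.

```python
import re

# Excerpt of the kern.log lines quoted in the post above.
SAMPLE = """\
Nov 20 22:26:29 tor-relay kernel: [2431358.124515] TCP: request_sock_TCP: Possible SYN flooding on port 80. Sending cookies. Check SNMP counters.
Nov 20 22:26:48 tor-relay kernel: [2431377.216143] NETDEV WATCHDOG: enp3s0 (r8169): transmit queue 0 timed out
Nov 20 22:26:48 tor-relay kernel: [2431377.237826] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:28:18 tor-relay kernel: [2431467.175659] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:28:30 tor-relay kernel: [2431479.172562] r8169 0000:03:00.0 enp3s0: link up
Nov 20 22:28:42 tor-relay kernel: [2431491.164472] r8169 0000:03:00.0 enp3s0: link up
""".splitlines()

LINE = re.compile(r"kernel: \[\s*(\d+\.\d+)\] (.*)$")   # uptime stamp + message
SYN = re.compile(r"Possible SYN flooding on port (\d+)")
WDOG = re.compile(r"NETDEV WATCHDOG: (\S+) \((\S+)\): transmit queue (\d+) timed out")
LINK = re.compile(r"(\S+): link (up|down)$")


def analyze(lines, syn_window=60.0, min_repeats=3):
    """Return one finding per interface whose TX watchdog fired and which then
    logged >= min_repeats 'link up' messages with no 'link down' in between."""
    last_syn = None   # (uptime, port) of the latest SYN-flood warning
    state = {}        # iface -> finding dict, created when the watchdog fires
    for raw in lines:
        m = LINE.search(raw.rstrip())
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        if (s := SYN.search(msg)):
            last_syn = (ts, int(s.group(1)))
        elif (w := WDOG.search(msg)):
            near = last_syn is not None and ts - last_syn[0] <= syn_window
            state[w.group(1)] = {"iface": w.group(1), "driver": w.group(2),
                                 "watchdog_at": ts, "link_up_repeats": 0,
                                 "syn_flood_port": last_syn[1] if near else None}
        elif (k := LINK.search(msg)) and k.group(1) in state:
            f = state[k.group(1)]
            # A 'link down' resets the run; only consecutive 'up' lines count.
            f["link_up_repeats"] = f["link_up_repeats"] + 1 if k.group(2) == "up" else 0
    return [f for f in state.values() if f["link_up_repeats"] >= min_repeats]


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```
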