[BUGS] Strange NIC behavior
Callum Gibson
callumgibson at optusnet.com.au
Mon Jan 14 12:40:17 EST 2008
On 14Jan08 04:00, Jerahmy Pocott wrote:
}Jan 13 11:15:59 beastie ntpd[540]: kernel time sync enabled 6001
}Jan 13 11:33:03 beastie ntpd[540]: kernel time sync enabled 2001
}Jan 13 12:58:29 beastie ntpd[540]: kernel time sync enabled 6001
}Jan 13 13:15:33 beastie ntpd[540]: kernel time sync enabled 2001
}Jan 13 14:44:41 beastie kernel: fxp0: link state changed to DOWN
}Jan 13 14:44:43 beastie kernel: fxp0: link state changed to UP
}Jan 13 14:48:11 beastie kernel: fxp0: link state changed to DOWN
}Jan 13 14:48:12 beastie kernel: fxp0: link state changed to UP
}Jan 13 14:58:00 beastie ntpd[540]: kernel time sync enabled 6001
}Jan 13 15:15:05 beastie ntpd[540]: kernel time sync enabled 2001
}Jan 13 17:31:42 beastie ntpd[540]: kernel time sync enabled 6001
}Jan 13 17:48:47 beastie ntpd[540]: kernel time sync enabled 2001
I think the ntpd messages are harmless and I see a similar frequency
(about every 20 min or so) on my work machine (5.4-RELEASE).
}I'm not sure why the time sync keeps changing between 6001 and 2001?
You can read about it here:
http://lists.freebsd.org/pipermail/freebsd-stable/2005-April/013414.html
}It is happening constantly.. But there are also a number of these
}cases, always in pairs like you can see here where the link state
}changes to down, then to up, then to down, then back up again ALWAYS
}spaced 4 minutes apart from each other with the link coming back up
}within 1-2 seconds. This seems to be happening every 2-6 hours!
They aren't necessarily related, although if you are having network
issues (indicated by your link state UP/DOWN) then that would
obviously upset ntpd. Use "ntpq -p" to see the current state of your
ntpd link. It looks like yours is synced ok, but you could be just
experiencing a bit of jitter. Are you using a nearby timehost?
}Since it's always 4 minutes between the two up/down cycles this has to
}be some sort of programmed behavior..
}
}I've also been experiencing a very large volume of brute force attacks
}on this machine's sshd, seeming to be coming from Taiwan.. Could this
}be related somehow? Perhaps it's some sort of attack?
Only if someone is attacking you at regular intervals. How about the
interval between the 4 minute pair? Is that regular too? Since you have
4 minutes warning, when you see the first pair, start up some monitoring
like a tcpdump and see what happens on that interface when the interface
bounces again. Maybe some other information like "netstat -s" might tell
you if something weird is going on with the network (like excessive
dropped or error packets).
C
--
Callum Gibson @ home
http://members.optusnet.com.au/callumgibson/
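
Added example, not part of the original message: one way to answer the questions raised in the reply (is the interval between flaps regular, and do failed sshd logins cluster around them) directly from the syslog. The fxp0 lines are the ones quoted above; the sshd lines, the address 203.0.113.7, the assumed year and the 300-second window are constructed for illustration.

```python
import re
from datetime import datetime

# The four fxp0 lines come from the quoted log; the two sshd lines are
# constructed samples (203.0.113.7 is a documentation-only address).
SAMPLE = """\
Jan 13 14:44:41 beastie kernel: fxp0: link state changed to DOWN
Jan 13 14:44:43 beastie kernel: fxp0: link state changed to UP
Jan 13 14:46:02 beastie sshd[911]: Failed password for root from 203.0.113.7 port 4022 ssh2
Jan 13 14:48:11 beastie kernel: fxp0: link state changed to DOWN
Jan 13 14:48:12 beastie kernel: fxp0: link state changed to UP
Jan 13 16:20:30 beastie sshd[987]: Failed password for invalid user admin from 203.0.113.7 port 4391 ssh2
"""

LINK = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ kernel: (\w+): link state changed to (DOWN|UP)$")
SSHD = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for ")

def ts(stamp, year=2008):
    # Syslog timestamps carry no year, so one has to be assumed.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def flaps(lines, iface="fxp0"):
    """Pair each DOWN with the next UP; return [(down_time, outage_seconds)]."""
    out, down = [], None
    for line in lines:
        m = LINK.match(line)
        if not m or m.group(2) != iface:
            continue
        when = ts(m.group(1))
        if m.group(3) == "DOWN":
            down = when
        elif down is not None:  # an UP with no preceding DOWN is ignored
            out.append((down, (when - down).total_seconds()))
            down = None
    return out

def gaps(flap_list):
    """Seconds between consecutive DOWN events; a constant gap suggests a timer."""
    return [(b[0] - a[0]).total_seconds() for a, b in zip(flap_list, flap_list[1:])]

def ssh_failures_near(lines, flap_list, window=300):
    """Count failed sshd logins within `window` seconds of each flap."""
    fails = [ts(m.group(1)) for m in map(SSHD.match, lines) if m]
    return [sum(abs((f - d).total_seconds()) <= window for f in fails)
            for d, _ in flap_list]
```

Run over a full /var/log/messages, a tight cluster of values from gaps() points at something periodic, while ssh_failures_near() shows whether login failures actually coincide with the bounces.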