
I got this problem: whenever I plug a Linux server into the intranet, the whole network slows down and then dies. Every ping/ssh connection within the intranet times out. I unplugged it, and then everything came back to normal. Searching around suggested to me (note, this is my assumption, I can be wrong) that it might be an internal SYN flood attack: somehow malware got into the culprit machine and did a SYN flood attack against the router.

I can log in to the suspected machine via direct GUI. Which Linux command should I start with to inspect it?

Thanks

EyeQ Tech
  • why do you want to connect an unknown computer? – djdomi Sep 19 '22 at 11:14
  • @djdomi, no, it's a known computer; it used to work fine. Just recently we realized the network is flooded, so we isolated machines one by one and singled out that suspected machine. – EyeQ Tech Sep 19 '22 at 14:34
  • then think it might be compromised. Take the required steps as in your company security guidelines – djdomi Sep 19 '22 at 17:50

2 Answers


Enable logging on any firewalls on the affected network. Start a packet (and frame) capture on a couple of affected switches and hosts, such as either end of your test pings. Plug it back in just long enough to reproduce the problem, and remove it again.

Parse the frames and logs to understand what happened. Immediate degraded ICMP and TCP implies something that could affect both. As in, it might not be too many half-open TCP connections.

If it was a broadcast storm, there would very quickly be endless broadcast or multicast packets. Check for loops between switches.

Or it could be weird TCP or UDP traffic. Find patterns in the traffic and see.

John Mahowald
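To follow the suggestion above of finding patterns in the captured frames, here is an added example (not code from the answer or the question) that scans tcpdump-style text lines for the two signatures the answer mentions: a host sending many SYNs that never receive a SYN-ACK (half-open connections) and a host emitting a flood of ARP requests (a broadcast storm). The line formats, IP addresses, and thresholds are constructed for this example.

```python
import re
from collections import Counter

# tcpdump -n line shapes this script understands (formats constructed for this example).
TCP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: Flags \[(?P<flags>[^\]]*)\]")
ARP_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Request who-has (?P<target>[\d.]+) tell (?P<src>[\d.]+)")

def analyze_capture(lines, syn_threshold=20, arp_threshold=20):
    """Return (kind, source_ip, count) findings: 'syn_flood' when a source's SYNs
    mostly go unanswered (half-open connections), 'broadcast_storm' for ARP floods."""
    syns, synacks, arps = Counter(), Counter(), Counter()
    for line in lines:
        m = TCP_RE.match(line)
        if m:
            if m["flags"] == "S":          # client SYN
                syns[m["src"]] += 1
            elif m["flags"] == "S.":       # server SYN-ACK, keyed by the original SYN sender
                synacks[m["dst"]] += 1
            continue
        m = ARP_RE.match(line)
        if m:                               # every ARP request is a broadcast frame
            arps[m["src"]] += 1
    findings = []
    for src, n in syns.items():
        unanswered = n - synacks[src]
        if unanswered >= syn_threshold:
            findings.append(("syn_flood", src, unanswered))
    for src, n in arps.items():
        if n >= arp_threshold:
            findings.append(("broadcast_storm", src, n))
    return findings

def build_sample():
    """Constructed capture: one healthy client, one SYN flooder, one ARP storm."""
    def t(i): return f"12:00:00.{i:06d}"
    lines = []
    for i in range(3):   # healthy handshakes: each SYN answered by a SYN-ACK
        lines.append(f"{t(i)} IP 10.0.0.7.{40000+i} > 10.0.0.1.22: Flags [S], seq 0, win 65535, length 0")
        lines.append(f"{t(i)} IP 10.0.0.1.22 > 10.0.0.7.{40000+i}: Flags [S.], seq 0, ack 1, win 65535, length 0")
    for i in range(30):  # flooder: 30 SYNs, only 2 of them answered
        lines.append(f"{t(100+i)} IP 10.0.0.5.{50000+i} > 10.0.0.1.80: Flags [S], seq 0, win 1024, length 0")
    for i in range(2):
        lines.append(f"{t(200+i)} IP 10.0.0.1.80 > 10.0.0.5.{50000+i}: Flags [S.], seq 0, ack 1, win 65535, length 0")
    for i in range(25):  # ARP storm from one host
        lines.append(f"{t(300+i)} ARP, Request who-has 10.0.0.{i+10} tell 10.0.0.9, length 28")
    return lines
```

On a real incident, feed `analyze_capture` the lines of a `tcpdump -n` capture taken at an affected switch port or host; the thresholds are starting points to tune against the normal baseline of the segment.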

I would wipe the whole machine and reinstall it. There is probably malware or rootkits on there, you can't trust that device in your network.

Another option would be to put the machine in an isolated network, capture the traffic, and see what it is sending.

Ace