Linode Forum
Linode Community Forums
 Post subject: Strange packets
PostPosted: Tue Jun 08, 2004 7:05 am 
Junior Member

Joined: Thu May 13, 2004 8:08 am
Posts: 27
This morning I noticed that logcheck is sending me huge notification emails.
There are a lot of messages from the kernel. This worries me, so I logged on to Linode's remote console.

Then I saw messages like this, scrolling very quickly on the screen:

Code:
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3078 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0


If I'm not mistaken, it means that 66.237.60.101 is making HTTP requests to my server - but very rapidly.

Here's the whois result for 66.237.60.101:

Code:
OrgName: XO Communications
OrgID: XOXO
Address: Corporate Headquarters
Address: 11111 Sunset Hills Road
City: Reston
StateProv: VA
PostalCode: 20190-5339
Country: US

ReferralServer: rwhois://rwhois.eng.xo.com:4321/

NetRange: 66.236.0.0 - 66.239.255.255
CIDR: 66.236.0.0/14
NetName: XOX1-BLK-2
NetHandle: NET-66-236-0-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NAMESERVER1.CONCENTRIC.NET
NameServer: NAMESERVER2.CONCENTRIC.NET
NameServer: NAMESERVER3.CONCENTRIC.NET
NameServer: NAMESERVER.CONCENTRIC.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-02-20
Updated: 2003-08-08

OrgAbuseHandle: XCNV-ARIN
OrgAbuseName: XO Communications, Network Violations
OrgAbusePhone: +1-866-285-6208
OrgAbuseEmail: abuse@xo.com

OrgTechHandle: XCIA-ARIN
OrgTechName: XO Communications, IP Administrator
OrgTechPhone: +1-703-547-2000
OrgTechEmail: ipadmin@eng.xo.com

# ARIN WHOIS database, last updated 2004-06-07 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.


Does anyone know what's going on here?

At the moment I'm trying to restart the server, but it's been 15 minutes and it's not even shut down yet.

Below are more complete details from the Linode remote console.


Thanks,
Harry

Code:
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3078 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=65277 DF PROTO=TCP SPT=80 DPT=1638 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=1172 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=6273 DF PROTO=TCP SPT=80 DPT=4225 WINDOW=6432 RES=0x00 ACK PSH URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=17487 DF PROTO=TCP SPT=80 DPT=4768 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=65277 DF PROTO=TCP SPT=80 DPT=4687 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=63856 DF PROTO=TCP SPT=80 DPT=4668 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3058 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=17487 DF PROTO=TCP SPT=80 DPT=4406 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=8279 DF PROTO=TCP SPT=80 DPT=2974 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=39887 DF PROTO=TCP SPT=80 DPT=4995 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3078 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=65277 DF PROTO=TCP SPT=80 DPT=2880 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=6273 DF PROTO=TCP SPT=80 DPT=4225 WINDOW=6432 RES=0x00 ACK PSH URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=65277 DF PROTO=TCP SPT=80 DPT=4097 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=17487 DF PROTO=TCP SPT=80 DPT=4768 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=65277 DF PROTO=TCP SPT=80 DPT=4687 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=63856 DF PROTO=TCP SPT=80 DPT=4668 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3078 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
IN-internet:IN=eth0 OUT= MAC=fe:fd:42:a0:8d:d7:00:30:71:f0:1e:53:08:00 SRC=66.7.88.62 DST=66.160.141.215 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=27493 DF PROTO=TCP SPT=2717 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0



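A small analyser for the iptables LOG lines shown above, added here as an example (it is not code from this thread or from Linode). It makes the point the log layout hides: on the OUT-internet lines SRC is the poster's own host and SPT=80, so each line is the web server replying on a separate connection that DST opened, and the number of distinct DPT values is the number of connections that peer made. The four sample lines are copied from the post's log excerpt; the field names are the ones in that output.

```python
import re
from collections import Counter, defaultdict
# Four lines copied from the post's log excerpt (iptables LOG target output).
SAMPLE_LOG = """\
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3078 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=65277 DF PROTO=TCP SPT=80 DPT=1638 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
OUT-internet:IN= OUT=eth0 SRC=66.160.141.215 DST=66.237.60.101 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=6273 DF PROTO=TCP SPT=80 DPT=4225 WINDOW=6432 RES=0x00 ACK PSH URGP=0
IN-internet:IN=eth0 OUT= MAC=fe:fd:42:a0:8d:d7:00:30:71:f0:1e:53:08:00 SRC=66.7.88.62 DST=66.160.141.215 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=27493 DF PROTO=TCP SPT=2717 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}

def parse_line(line):
    """Split one LOG line into its chain prefix, key=value fields and the bare TCP flag tokens."""
    prefix, _, rest = line.partition(":")
    fields = dict(KV_RE.findall(rest))
    flags = {tok for tok in rest.split() if tok in TCP_FLAGS}
    return {"prefix": prefix, "fields": fields, "flags": flags}

def classify(rec):
    """On an OUT line (OUT=eth0, IN empty) the local host is SRC and the peer is DST; on an
    IN line it is the reverse. Returns (peer_ip, local_port, peer_port, direction)."""
    f = rec["fields"]
    if f.get("OUT") and not f.get("IN"):
        return f["DST"], int(f["SPT"]), int(f["DPT"]), "out"
    return f["SRC"], int(f["DPT"]), int(f["SPT"]), "in"

def summarize(log_text):
    """Per peer: packets, distinct peer-side ports (one per TCP connection), local ports, our own replies, unsolicited SYNs."""
    stats = defaultdict(lambda: {"packets": 0, "peer_ports": set(), "local_ports": Counter(), "replies": 0, "syn_in": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["fields"].get("PROTO") != "TCP":
            continue  # the post only shows TCP; skip anything else rather than guess
        peer, local_port, peer_port, direction = classify(rec)
        s = stats[peer]
        s["packets"] += 1
        s["peer_ports"].add(peer_port)
        s["local_ports"][local_port] += 1
        if direction == "out" and "ACK" in rec["flags"]:
            s["replies"] += 1          # our server answering an established connection
        elif direction == "in" and rec["flags"] == {"SYN"}:
            s["syn_in"] += 1           # a new connection attempt from outside
    return stats

def noisy_peers(stats, min_connections=3):
    """Peers that opened at least min_connections separate connections in the sample."""
    return sorted(ip for ip, s in stats.items() if len(s["peer_ports"]) >= min_connections)
```

Run over the full console excerpt, the OUT lines all resolve to one peer opening many connections to port 80, while the single IN line is an unrelated inbound SYN to port 139 from a different host.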
PostPosted: Tue Jun 08, 2004 12:17 pm 
Senior Newbie

Joined: Tue Mar 23, 2004 6:16 pm
Posts: 18
Location: Texas
I've had this happen to me before. I'm using Shorewall as my iptables frontend. I just added the offending IP to the dynamic block list. Shorewall will let me know how many times the IP is being blocked, so I waited until it stopped (a few days usually) then I removed the dynamic block. There is probably some software out there that will do this for you automatically, but that has certain risks as well... so as far as I know you will just have to block the IP manually.

If anyone has any better suggestions please post them.


PostPosted: Tue Jun 08, 2004 11:54 pm 
Junior Member

Joined: Thu May 13, 2004 8:08 am
Posts: 27
lurkus wrote:
I've had this happen to me before. I'm using Shorewall as my iptables frontend. I just added the offending IP to the dynamic block list. Shorewall will let me know how many times the IP is being blocked, so I waited until it stopped (a few days usually) then I removed the dynamic block. There is probably some software out there that will do this for you automatically, but that has certain risks as well... so as far as I know you will just have to block the IP manually.


Alright... thanks lurkus, I was worried that I did something wrong.


Quote:
If anyone has any better suggestions please post them.


Yes, please do :)


Thanks again,
Harry

