Bad net config or DOS attack?

openSUSE 42.1

We had some severe Internet connection difficulties yesterday that caused much moaning and gnashing of teeth. I finally traced it to one workstation that had gotten into some sort of loop that was sending two packets back and forth as fast as our network would allow.

Some time with Wireshark provided the following.

Here is the flow:

  • A remote system is contacted by an app on the workstation; I do not know which app. That remote system then informs 69.164.223.38 (or some other host in that domain) about the contact.
  • x.38:443 (remote) then initiates a transaction with y.109 (local).
  • A secure connection is negotiated, TLSv1.2.
  • x.38 ends with an “encrypted alert” packet to y.109.

Here is where the DOS starts.

  • y.109 responds with TCP RST
  • x.38 sends TCP Dup ACK

Those two packets bounce back and forth as fast as our network allows.

69.164.223.38 resolves to nb-69-164-223-38.newark.nodebalancer.linode.com

If I block that IP at the firewall, another takes its place, still from the newark.nodebalancer.linode.com domain.

Does anyone recognize this as an attack?

How do I discover what app is initiating the contact?

I got that part wrong. It should be:

  • An unknown app initiates contact with x.38 on remote port 443.
  • x.38:443 (remote) initiates a secure connection with y.109.

The rest continues as previously described.

How do I discover this mysterious app?

Seen bad cards do that.

If you open a web browser to linode.com, you’ll see that it’s a Provider (cloud platform) for developers.

That suggests that the cause of your traffic is some kind of small independent app.

If you don’t know what it is,
Then you can try

  • Capturing the packets with Wireshark (you may be doing that already based on what you’ve posted). What you haven’t posted is the type of protocol Wireshark thinks is being used, and the **payload**. Analyze this yourself; if you need some help inspecting the packets, upload a relevant portion of your log to something like a pastebin for others to inspect.
  • Reboot to clear all running apps, then monitor what is happening as you add one app at a time to suggest what app might be associated with your unknown traffic.

It’s hard to speculate what might really be happening without gathering more info.
Could be as innocent as a mis-configuration.
Could be faulty code, it’s probably more common than actual intentional exploits.
Or, could be an exploit or something that might lead to an exploit (maybe just probing?)

Too early to jump to conclusions.

TSU
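One way to confirm from a capture that two hosts are caught in the RST / Dup-ACK ping-pong described above, as an added example that is not part of any post in this thread: the script below reads packet summaries in an assumed whitespace-separated layout (time, src, sport, dst, dport, TCP flags, as tshark can be told to print) and flags any endpoint pair where a RST from one side is answered by a bare ACK from the other, repeatedly and within milliseconds. The capture lines are constructed; 192.0.2.109 stands in for the poster's y.109.

```python
from collections import defaultdict

# Constructed capture lines (not the thread's real data), one packet per line:
# "<time> <src> <sport> <dst> <dport> <flags>". 192.0.2.109 stands in for y.109.
def make_loop_capture(bounces=200):
    lines = ["0.000 192.0.2.109 51234 69.164.223.38 443 PSH,ACK",
             "0.072 69.164.223.38 443 192.0.2.109 51234 PSH,ACK"]  # TLS alert arrives
    for i in range(bounces):                                       # then the ping-pong
        t = 0.073 + i * 0.0004
        lines.append(f"{t:.4f} 192.0.2.109 51234 69.164.223.38 443 RST")
        lines.append(f"{t + 0.0002:.4f} 69.164.223.38 443 192.0.2.109 51234 ACK")
    return lines

LOOP_LINES = make_loop_capture()
NORMAL_LINES = ["0.000 192.0.2.109 51235 69.164.223.38 443 PSH,ACK",
                "0.072 69.164.223.38 443 192.0.2.109 51235 PSH,ACK",
                "0.073 192.0.2.109 51235 69.164.223.38 443 RST,ACK"]  # clean teardown

def parse(line):
    t, src, sport, dst, dport, flags = line.split()
    return float(t), (src, int(sport)), (dst, int(dport)), set(flags.split(","))

def find_rst_ack_loops(lines, max_gap=0.010, min_bounces=20):
    """Return {flow: longest streak} for endpoint pairs where RST from one side and
    a bare ACK from the other alternate at least min_bounces times in a row, each
    reply arriving within max_gap seconds. A flow is the unordered endpoint pair."""
    last = {}                   # flow -> (time, sender, kind) of previous RST/ACK packet
    streak = defaultdict(int)   # current run of alternations per flow
    worst = defaultdict(int)    # longest run seen per flow
    for line in lines:
        t, src, dst, flags = parse(line)
        flow = frozenset((src, dst))
        if "RST" in flags:
            kind = "RST"
        elif flags == {"ACK"}:  # pure ACK, nothing else set: the "Dup ACK" side
            kind = "ACK"
        else:                   # any other packet breaks the pattern
            streak[flow] = 0
            last.pop(flow, None)
            continue
        prev = last.get(flow)
        if prev and prev[1] != src and prev[2] != kind and t - prev[0] <= max_gap:
            streak[flow] += 1
            worst[flow] = max(worst[flow], streak[flow])
        else:
            streak[flow] = 0
        last[flow] = (t, src, kind)
    return {flow: n for flow, n in worst.items() if n >= min_bounces}
```

A flow reported here identifies the local port involved, which is what you then need to map to a process on the workstation (for example with `ss -tnp` or `lsof -i` while the loop is running).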

I finally tracked the faulty app. It is the OpenWeather Gnome desktop extension. The fact that the connection occurred every 10 minutes was a hint.

I delved into the security packets looking for something human readable. One contained the issuee of the certificate: <darksky.net>. Their website offers a (“scarily accurate”) weather app for mobile devices. Mentioned on the site is their source of weather data: <forecast.io>.

“Aha!” I thought. The desktop weather extension also uses <forecast.io> to obtain weather information. And <forecast.io> is hosted at <linode.com>. There does not appear to be anything malicious involved; just some unfortunately poor coding.

There are still a couple of aspects of the fault that are not understood.

  • It does not occur every time the app connects to linode. Sometimes it would just end with the TCP RST, ACK.
  • I have the same app on another host with a similar configuration; no such loop has ever occurred.
  • PING indicates a 72 ms transit time. Yet when the two ends get into a loop, 100s of packets are sent and received by both ends within that time period, thoroughly saturating the connection to the Internet. I am guessing TCP pipelining is involved?
  • Why does it ignore the Proxy setting?

This is an issue for the app developer to fix.

Hah! Apparently it has been fixed already. After updating to the most recent version (66), the issue has not recurred.