FS#62134 - tracker DDOS against NFS Server

Attached to Project: Arch Linux
Opened by Jürgen Sauer (jojoax) - Monday, 25 March 2019, 07:52 GMT
Last edited by Andreas Radke (AndyRTR) - Tuesday, 15 October 2019, 16:32 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:


Additional info:
* tracker 2.2.1-1 (gnome)
* standard, default configuration

Steps to reproduce:
- have the GNOME desktop installed, but not used, i.e. use the Xfce or KDE desktop as the standard, active one.
- have /home (and other directories, i.e. /srv/projects or other) mounted via NFS from a central server
- have plenty of client workstations on the local net (LAN), which are using NFS
- Log into your desktop
- monitor the server load on your NFS server
- wait for employees to log in, see your server is DDOSed

Closed by  Andreas Radke (AndyRTR)
Tuesday, 15 October 2019, 16:32 GMT
Reason for closing:  No response
Additional comments about closing:  help offered to discuss this at our forums - no response.
Comment by Terry Tibbles (terry_tibbles) - Friday, 29 March 2019, 06:22 GMT
You know DDoS means Distributed Denial of Service? I think you mean DoS (given that it's taking place on the local network).

What happens exactly? High CPU on the server? NFS process crashes? Have you got any logs?
Comment by Jürgen Sauer (jojoax) - Friday, 29 March 2019, 07:56 GMT
Yes, indeed, this is what I think.

If plenty of NFS clients are scanning every reachable NFS share from an NFS server at maximum speed, the server can't stand this.

This is a DDOS!
Distributed - almost all of the company's NFS clients are involved and pulling the servers to the ground
Deny
Service -

Result: the server is broken, not responding any more.

It is a DDOS - q.e.d.

No indexer or content screener (neither tracker nor baloo or whatever) may be allowed to index NFS- and CIFS-mounted servers by default.

The user in a small, self-administrated network may be allowed to enable it after a warning, but never, never enable this by default.


What happened exactly:
Sunday to Monday night: the "pacman -Syu" updated every client. About 25 clients in the local LAN.
Monday morning:
08:00h employees entered the company and switched on their workstations
08:05h server overload, all resources gone, load >120, IO load over all limits, RAM out, oom_reaper is working
08:06h clients showing up NFS server not responding
08:07h all clients are showing "tracker" running, whether GNOME is used or not; KDE and XFCE4 are also common here


Killing all tracker processes, removing tracker from all clients and rebooting the server fixed the problem.

Was a big waste of company resources, 25 employees each 3 hours lost.
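
Added example, not part of the report or of any comment: a check an administrator could run on each client to see which directories a file indexer would crawl over NFS or CIFS, so they can be excluded before rollout. The mounts table, host name, paths and all function names are constructed for illustration; on a real client the table comes from /proc/mounts.

```python
import posixpath
import re

NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3"}  # remote filesystem types to flag

# Constructed sample in /proc/mounts format; host and paths are made up.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
fileserver:/export/home /home nfs4 rw,relatime,vers=4.2 0 0
fileserver:/export/projects /srv/projects nfs rw,relatime,vers=3 0 0
//fileserver/scans /mnt/scan\\040inbox cifs rw,relatime 0 0
/dev/sdb1 /home/alice/scratch ext4 rw,relatime 0 0
"""

def unescape(field):
    """Decode the octal escapes /proc/mounts uses (\\040 is a space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Return (mount_point, fstype, source) for every line of a mounts table."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            mounts.append((unescape(fields[1]), fields[2], unescape(fields[0])))
    return mounts

def mount_for(path, mounts):
    """Longest mount point that contains path; later entries win ties."""
    path = posixpath.normpath(path)
    best = None
    for entry in mounts:
        prefix = entry[0].rstrip("/")
        if path == entry[0] or path.startswith(prefix + "/"):
            if best is None or len(entry[0]) >= len(best[0]):
                best = entry
    return best

def network_roots(roots, mounts):
    """Roots an indexer would crawl that sit on a remote filesystem."""
    hits = []
    for root in roots:
        entry = mount_for(root, mounts)
        if entry and entry[1] in NETWORK_FS:
            hits.append((root, entry[1], entry[2]))
    return hits

if __name__ == "__main__":
    # On a live client, read the real table: open("/proc/mounts").read()
    roots = ["/home/alice", "/home/alice/scratch", "/srv/projects"]
    for root, fstype, source in network_roots(roots, parse_mounts(SAMPLE_MOUNTS)):
        print(f"{root}: {fstype} from {source}, exclude from indexing")
```

A local disk mounted below an NFS home (here /home/alice/scratch) is correctly reported as local, because the longest matching mount point decides.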
Comment by Terry Tibbles (terry_tibbles) - Saturday, 30 March 2019, 06:39 GMT
Unless you can provide the software versions gone from and to, and any error messages that identify what the problem is, this should probably be moved to the forums to help you troubleshoot it first.
