System kills my router/network

[ckmodlmayer]

Morning folks,

Here's the gist of my problem: every time my Linux box is on, it randomly and repeatedly kills my router.

Here's the details: I installed Mandriva 2006 on an old PIII 733 so I could learn Linux. I got the network working (dynamic DHCP wired connection to my router, and from thence to the internet), and I installed Samba. Since I'm able to use my WinXP box to copy files from my Linux box, I'm assuming Samba is working (a big assumption, I know). I can browse the internet without problems, and software such as Azureus worked once I opened the port on the firewall. I used to have ports open on the router as well, but since this problem started I simply set the DMZ on my router to let my Linux box straight through. It didn't help.

Every time the Linux machine boots up, it kills the router. Additionally, it kills it randomly thereafter. I don't even have to be using it; the router simply freezes and has to be power cycled. Naturally, my WinXP boxes lose the connection as well. I can't give any technical details about my machine since I don't know Linux well enough to know what to give you, but if you ask me for something (aside from root access (: ) I'll be happy to oblige.

Sometimes I can have Azureus running all night without problems, othertimes I can't keep my router up for more than a few minutes. If the Linux box is off I don't have any problems at all, and running bandwidth-intensive software on my WinXP machines causes no problems either. I have no IP conflicts and the router itself (an SMC) is in fine shape.

Is Samba screwing with my network? Do I have an insane amount of spyware on my Linux box that's causing this? (Does spyware even exist for Linux machines?) I'd really appreciate anyone who could help. Just tell me what info you need to make a diagnosis.

I'm going away for the weekend, but I'll check back when I return.

[envirocbr]

Spyware for Linux...I do not believe there is such a thing, let alone "Viruses"!

You have both computers on the network, and you say there is no IP conflict, hmmmm thats where I stop and let the experts begin..but rest assure that Spyware and Viruses are NULL to linux boxes

[bigtomrodney]

Have you reversed the situation - start with the linux box running and then add in the XP boxes? It may just be an issue of weight. It is an ethernet connection and I'm not aware of anything that might harm the router otheer than a hardware error in your network card on the linux box or an excessive amount of traffic. Can you log into your router and get statistics as you go?

[ckmodlmayer]

Thanks for the replies, folks. The odd thing about this situation is that if the Linux box is the only one that's on, it still kills the router. I normally use enough bandwidth that I have to buy new routers every year or so, but in this case I can be running major software on my XP boxes and be okay, whereas if I have my Linux box just sitting there (and with no other machine running) the router dies. The only explanation I could come up with was spyware (and even then it would have to be a LOT of it), but you have been kind enough to assuage those fears.

Edit: bigtomrodney, sure, I can get some stats. I'll get my activity log and receive/transmit stats and put them up tonight.

Does Linux interact differently with routers? One thing I forgot to mention last time is that the Linux box doesn't show up on my router's DHCP client list. Would switching it to a static IP change anything? I suppose it's worth a try, especially if it has a different IP than current. Perhaps I'll try that after work and let you know how it goes.

One question: is there any way that Samba could be causing this? Is it possible to disable Samba and see if that helps, and if so, how?

Thanks again for your help.

[fingal]

Not easy! Spyware is virtually unknown on a Linux box. I don't know anything about Samba, but I did manage to set up my Linux net connection from scratch. It looks to me like something is slightly mis-configured.

I would try connecting using a command line. Ages since I did it, but it's a combination of using the ifconfig command and the dhcpcd command (try typing: man dhcpcd for further details). I would log in as root:

su
<your_password>

and try ifconfig eth0 up (the opposite command is ifconfig eth0 down). Then try dhcpcd -d ... I also wonder if your maximum transmission unit (MTU) settings are right for your setup. Type ifconfig by itself and see if the settings agree with those in your router.

Just some ideas. Typing ifconfig (as root) by itself should give some useful feedback. I'm not working on a *nix box now, so any inaccuracies are due to this. I think once you figure out what the correct settings are, your connection should remain stable.

[ckmodlmayer]

Okay, so I changed my IP address to a static one and the damned thing seems to be working -- for now. I booted up the machine last night while XP was running, and of course the router went down. I shut down the XP boxes, power cycled the router, and changed the Linux box to a static IP (192.168.0.165, the same as when it was dynamic), and left Azureus running overnight. By morning it was still going strong.

Now, this happens occasionally with my current problem, so I'm not certain it's been fixed (besides, it just seems too easy). I turned on my XP box this morning and I'll leave them both running all day to see how that goes.

This is the activity log for my router:

Code:

2006/08/08 07:47:52 : 192.168.0.172 login successfully
2006/08/08 07:47:45 : 192.168.0.172 login failed
2006/08/08 07:24:15 : Blocked intrusion "Smurf" from 192.168.0.165
2006/08/08 07:24:15 : **Smurf**               <ICMP> Source IP:192.168.0.165   Port:0     Dest IP: 192.168.0.255   Port:0    
2006/08/08 07:24:15 : Blocked intrusion "Smurf" from 192.168.0.165
2006/08/08 07:24:15 : **Smurf**               <ICMP> Source IP: 192.168.0.165   Port:0     Dest IP:192.168.0.0     Port:0    
2006/08/08 06:21:14 : DHCP Client : Receive Ack from 24.200.242.21, Lease time = 86400
2006/08/08 06:21:11 : DHCP Client : Send Request, Request IP = ########
2006/08/08 00:52:25 : Blocked intrusion "Smurf" from 192.168.0.165
2006/08/08 00:52:25 : **Smurf**               <ICMP> Source IP:192.168.0.165   Port:0     Dest IP:192.168.0.0     Port:0    
2006/08/07 23:36:07 : Get DNS Server IP[3] = 24.200.243.189
2006/08/07 23:36:07 : Get DNS Server IP[2] = 24.201.245.77
2006/08/07 23:36:07 : Get DNS Server IP[1] = 24.200.241.37
2006/08/07 23:36:07 : Get Gateway IP[0] = ######
2006/08/07 23:36:07 : Get WAN Subnet Mask = 255.255.255.0
2006/08/07 23:36:07 : Get WAN IP Address = ########
2006/08/07 23:36:04 : DHCP Client Lease Renewed
2006/08/07 23:36:03 : DHCP Client : Receive Ack from 24.200.242.21, Lease time = 49618
2006/08/07 23:36:03 : DHCP Client : Send Request, Request IP = ########
2006/08/07 23:36:02 : DHCP Client : Receive Offer from 24.200.242.21
2006/08/07 23:36:01 : DHCP Client : Send Discover
2006/08/07 23:35:59 : DHCP Client : Send Discover
2006/08/07 23:35:55 : WLAN TEST....................PASS
2006/08/07 23:35:55 : WAN ETHER TEST...........PASS
2006/08/07 23:35:55 : FLASH TEST....................PASS
2006/08/07 23:35:55 : DRAM TEST.....................PASS

My first thought was, "wtf is **Smurf** and why is it running on my Linux box?" Apparently it's part of a DoS attack, possibly related to a Trojan on my computer? Could that be my problem? If so, how do I deal with it, and how do I protect myself from getting it again? So many questions....

Here's the result from "ifconfig":

Code:

eth0      Link encap:Ethernet  HWaddr 00:20:78:B0:11:D7  
          inet addr:192.168.0.165  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::220:78ff:feb0:11d7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:935401 errors:0 dropped:0 overruns:0 frame:0
          TX packets:893281 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:671629526 (640.5 MiB)  TX bytes:697847755 (665.5 MiB)
          Interrupt:5 Base address:0xb800 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:5791 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5791 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:411652 (402.0 KiB)  TX bytes:411652 (402.0 KiB)

I don't really know what to make of anything there, except that there were no collisions. (What is lo, btw?)

Thanks again for all your help!

[fingal]

A trojan isn't very likely. It would probably require root access to run, and this is very unlikely to occur on a Linux box. I wrote this some time ago which should still be helpful. There's a programme called Bastille which - when installed - can severely limit an attackers ability to perform a DOS attack on you.

You might want to install and run a virus checker like Clamav, and install and run rootkit hunter. Every now and again it's a good idea to type history -c in your terminal to clear any record of your activities there.

<edit>You should install security updates too. That should keep out any system crackers.

[rcgreen]

Try running tcpdump or ethereal.
It will show all traffic in and out of the computer.
It should reveal whether or not this box is the
source of a DoS attack on your network.
If in doubt. Reinstall linux, a different distribution,
or at least from a different install medium.

It's not very likely, but your install medium could
have the trojan. It's also possible that something is
misconfigured, and the router interprets it as an attack.

[ckmodlmayer]

Thanks for all the suggestions, and especially thanks to fingal for that article. I'm going to try everything, though it will likely take a while.

In the meantime, my problem seems to be gone. It looks like the static IP fixed it. I have no idea why this would happen -- maybe the router didn't like assigning an IP to a Linux machine -- but I won't argue with what works. Thanks to everyone for your suggestions. It's nice to see that the myth about elitist Linux IT support is just that. (: