identifying source of ttloop login failures

From: Bela Lubkin <belal@sco.com>
Subject: Re: ttloop peer died
Date: Tue, 14 Oct 2003 21:31:03 GMT
References: <20031014190218.GA25824@tkrh.demon.co.uk>
<20031014210226.GA26230@tkrh.demon.co.uk> Tom Melvin wrote: > The customer is not complaining of failed login, it is a 15 user m/c I > would think the default 64 pseudo ttys are fine. Actually, just relooked > at syslog: > > Oct 13 01:57:22 cvntry telnetd[28609]: ttloop: peer died: Unknown error > Oct 13 02:08:08 cvntry telnetd[28616]: ttloop: peer died: Unknown error > Oct 13 02:20:57 cvntry telnetd[28630]: ttloop: peer died: Unknown error > Oct 13 02:32:32 cvntry telnetd[28637]: ttloop: peer died: Unknown error > Oct 13 02:43:26 cvntry telnetd[28639]: ttloop: peer died: Unknown error > Oct 13 02:54:18 cvntry telnetd[28641]: ttloop: peer died: Unknown error > Oct 13 03:05:14 cvntry telnetd[28663]: ttloop: peer died: Unknown error > Oct 13 03:16:04 cvntry telnetd[28674]: ttloop: peer died: Unknown error > Oct 13 03:27:01 cvntry telnetd[28681]: ttloop: peer died: Unknown error > Oct 13 03:38:02 cvntry telnetd[28683]: ttloop: peer died: Unknown error > Oct 13 03:48:52 cvntry telnetd[28685]: ttloop: peer died: Unknown error > Oct 13 04:00:28 cvntry telnetd[28692]: ttloop: peer died: Unknown error > Oct 13 04:10:29 cvntry telnetd[28703]: ttloop: peer died: Unknown error > Oct 13 04:18:59 cvntry telnetd[28705]: ttloop: peer died: Unknown error > Oct 13 04:27:29 cvntry telnetd[28712]: ttloop: peer died: Unknown error > Oct 13 04:35:59 cvntry telnetd[28714]: ttloop: peer died: Unknown error > Oct 13 04:44:27 cvntry telnetd[28716]: ttloop: peer died: Unknown error > Oct 13 04:52:53 cvntry telnetd[28718]: ttloop: peer died: Unknown error > Oct 13 05:02:17 cvntry telnetd[28725]: ttloop: peer died: Unknown error > Oct 13 05:11:16 cvntry telnetd[28736]: ttloop: peer died: Unknown error > > All these times are in the early am - they do not use the system over > night - those must be left over from during the day but then again, > the 13th was a monday, they also don't use the system on Sunday's > so I have no idea where those are comming from. Weird

It could be some sort of an attack; or some device (like a network
printer) wigging out.  Notice that the times are pretty evenly spaced:
about 10 minutes apart, until the last few which are about 8.5 minutes
apart.  The regularity strongly suggests some sort of automated process.

You could put in a little watcher daemon, something like:

  while :; do
    tail -0f /usr/adm/syslog | grep -q ttloop
    date >> /usr/adm/ttloop-netstat
    netstat -n -p tcp | fgrep '.23 ' >> /usr/adm/ttloop-netstat

You're looking for output that looks something like:

  Proto Recv-Q Send-Q  Local Address          Foreign Address (state)
  tcp        0      0  TIME_WAIT

Here I had done a `telnet localhost` and immediately disconnected.  Your
mystery connections will probably be from a different host, and may be
in a different state than TIME_WAIT (but probably TIME_WAIT).  The "-n"
flag skips hostname lookups, which could be slow in some cases, and
might possibly make it miss the actual lines you're interested in.  Once
you have an idea of which lines are the mystery telnets, you can look
the names up witn `ping`, `host`, `nslookup`, etc.


Wed Jun 8 00:15:47 2005: 632   davrom

Hi Guys, Could be DNS. I had this issue this morning with a site and it was /etc/resolv.conf entries causing the long telnet delays and timeoutes.

Wed Jun 8 10:08:34 2005: 633   TonyLawrence

Yes, DNS can cause long delays for telnet and ftp ( see https://www.aplawrence.com/SCOFAQ/FAQ_scotec4telnetslow.html) but this
has nothing to do with that.

