In your opinion could I use this
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzaiw/rzaiwdevinit.htm
to stop this DOS attack?
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob
Berendt
Sent: Monday, November 18, 2019 8:29 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: 5250 sessions killing the system
Ok, we think we know how this happens now.
User has a session, let's use ROBS1 for an example.
He minimizes ROBS1 and cannot find it.
So he starts it again and now has two ROBS1 sessions.
The second one cannot connect because that session is in use. However, if
you have autoconnect turned on, it never stops trying.
Wham: Denial Of Service.
Rob Berendt
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob
Berendt
Sent: Friday, November 15, 2019 7:30 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: 5250 sessions killing the system
I have found these scripts invaluable in tracking down the offender:
-- Some TCP connections do not spawn "jobs". Therefore we'll use a
-- different service.
select local_port, remote_address, count(*) as nbrconnections
from gdihq.qsys2.NS_INFO
where local_port = 23
group by local_port, remote_address
having count(*) > 10
;
-- What 5250 session is using a particular IP address?
Select job_name, authorization_name, client_ip_address
from table(active_job_info(
SUBSYSTEM_LIST_FILTER => 'QINTER',
DETAILED_INFO => 'ALL')) x
WHERE 1 IN (select 1 from gdihq.sysibm.sysdummy1)
and client_ip_address in (
select remote_address
from gdihq.qsys2.NS_INFO
where local_port = 23
group by remote_address
having count(*) > 10
)
;
-- What are their names?
select odobnm, odobtx
from table(qsys2.users()) i
where odobnm in(
Select authorization_name
from table(active_job_info(
SUBSYSTEM_LIST_FILTER => 'QINTER',
DETAILED_INFO => 'ALL')) x
WHERE 1 IN (select 1 from gdihq.sysibm.sysdummy1)
and client_ip_address in (
select remote_address
from gdihq.qsys2.NS_INFO
where local_port = 23
group by remote_address
having count(*) > 10
)
group by authorization_name)
;
-- From your DOS command prompt run
-- nslookup xxx.xxx.xxx.xxx
-- where xxx. is the offending IP address.
-- Sometimes the session name is unrelated to the device.
-- For example, ROBS1 on laptop GDL57
;
Rob Berendt
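An added example, not part of the original thread: the posted scripts combined into one statement that shows, for each remote address over the threshold, its port 23 connection count beside the number of QINTER jobs that address actually owns. It uses only the services and columns that appear in the scripts above; the `gdihq.` relational database qualifier and the `sysdummy1` predicate are left out on the assumption that it is run locally on the affected system, and the result column names `nbrjobs`, `nbrusers` and `connections_without_job` are made up for this example.

```sql
-- Added example: connections per remote address versus the QINTER jobs
-- that address owns. Threshold of 10 is carried over from the posted scripts.
with telnet_conns as (
    select remote_address,
           count(*) as nbrconnections
      from qsys2.NS_INFO
     where local_port = 23
     group by remote_address
    having count(*) > 10
),
qinter_jobs as (
    select client_ip_address,
           count(*)                           as nbrjobs,
           count(distinct authorization_name) as nbrusers
      from table(qsys2.active_job_info(
                   SUBSYSTEM_LIST_FILTER => 'QINTER',
                   DETAILED_INFO         => 'ALL')) x
     where client_ip_address is not null
     group by client_ip_address
)
select c.remote_address,
       c.nbrconnections,
       coalesce(j.nbrjobs, 0)  as nbrjobs,
       coalesce(j.nbrusers, 0) as nbrusers,
       -- connections that never became an interactive job
       c.nbrconnections - coalesce(j.nbrjobs, 0) as connections_without_job
  from telnet_conns c
  left join qinter_jobs j
    on j.client_ip_address = c.remote_address
 order by connections_without_job desc
;
```

A row with thousands of connections and only a handful of jobs matches the pattern described in this thread: a live session plus a duplicate that keeps retrying.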
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
midrange
Sent: Thursday, November 14, 2019 10:49 PM
To: 'Midrange Systems Technical Discussion' <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: 5250 sessions killing the system
I have not read every single response to this thread, but we have once or
twice a year had auto-connect or auto-reconnect of either Client Access 5250
sessions or 5250 attached printers that will swamp our system - until we
figure out the device and vary off, and appear as thousands of attempts. We
always solved it at the PC itself.
Jim Franz
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxxxxxxxx] On Behalf
Of Rob Berendt
Sent: Thursday, November 14, 2019 2:45 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: 5250 sessions killing the system
Been going on for 2-3 weeks.
Rob Berendt
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Jeff
Crosby
Sent: Thursday, November 14, 2019 2:28 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: 5250 sessions killing the system
Did this just start today? Bizarre.
On Thu, Nov 14, 2019 at 2:15 PM Rob Berendt <rob@xxxxxxxxx> wrote:
They also said that I may want to turn off auto reconnect on those clients.
Rob
Rob Berendt
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob
Berendt
Sent: Thursday, November 14, 2019 2:06 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: 5250 sessions killing the system
I have this case opened with IBM. There are certain clients attaching to
the system where it starts 10,000+ port 23 (telnet) connections to our
system. All using the same 1-3 workstation id's. Totally blows our
activity level out of the water and is quite an effective denial of
service attack.
-- Some TCP connections do not spawn "jobs". Therefore we'll use a
-- different service.
select local_port, remote_address, count(*) as nbrconnections
from gdihq.qsys2.NS_INFO
where local_port = 23
group by local_port, remote_address
having count(*) > 10
;
Messing with things like QAUTOCFG, QAUTOVRT has ZERO effect on stopping
this.
IBM's reply has been basically put on a patch to that version of the
deprecated Client Access or upgrade to iACS.
Since most of these are Windows 7 VM sessions our Windows admins are
leaning towards the patch. When they are ready to upgrade to Windows 10
the 'gold' image they'll upgrade to iACS.
Rob Berendt
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
--
Jeff Crosby
VP Information Systems
UniPro FoodService/Dilgard
P.O. Box 13369
Ft. Wayne, IN 46868-3369
260-422-7531
direct.dilgardfoods.com
The opinions expressed are my own and not necessarily the opinion of my
company. Unless I say so.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.