Unexpected shutdown. TCP attack?

Peter Slam

Hi!

My server shuts down unexpectedly at random. The event log only shows "Last
shutdown was unexpected".
I checked everything, and I changed the switch, the cable and ... the computer! I
changed the computer 2 times, and the network card! I applied Microsoft's registry
recommendations to improve TCP security. And the problem persists!
There are expert people here (MCP, MVP) without an answer for this question.

My computer has a public IP, but it is behind a firewall, with only the
TCP ports of a custom application open (this application was working fine for 6
months).

The question is this: IS IT POSSIBLE TO HANG A WIN2000 COMPUTER WITH MALFORMED
OR SOME OTHER KIND OF TCP PACKETS?

Thank you in advance!!!!!

Pet.
To msoft people: if you think that this can be a bug of the TCP/IP stack, and
you want to analyze it, I can offer you full control over this
server.
 
Marc Reynolds [MSFT]

It is possible, but only one possibility. Before you start going down the
network attack path, check your System, Application and Security event logs
for ANY recent event errors that may give you some type of clue to what
may have caused the shutdown.

--

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Peter Slam

Marc,

System, Application and Security event logs are EMPTY!
On one of the machines tested, one time I saw a "bluescreen" with an NDIS
error before the restart.

Is there a patch to make the TCP/IP stack more secure? (even if it is
experimental or in beta stage, I will try it!)

Thanks,

Pet.
 
Lanwench [MVP - Exchange]

First things first - do you have a good UPS with a management cable? If not,
you may have experienced power problems....
 
Peter Slam

This server is inside a high security hosting building, with 2 lines of
power. I tried both lines. This is not the problem.

:(
 
Peter Slam

More information:

Application reports "Failed to call socket() function. ret value:
INVALID_SOCKET".

What do you think?

THANK YOU IN ADVANCE!

Pet.
 
Dave

Does the invalid socket error always occur in conjunction with the
unexpected shutdown?
 
Charles Otstot

Peter,

Having just stumbled across your thread, I'm shooting in the dark, but I'll
hit one thing you've probably checked...your NIC drivers.
I'm guessing you have recently installed Windows 2000 Service Pack 4 (this
would explain all the empty logs...
http://support.microsoft.com/default.aspx?scid=kb;en-us;829246&Product=win2000).
If your NIC drivers were originally OEM (manufacturer-labeled, for example,
Dell branded drivers for embedded 3COM cards), the Service Pack installation
could have overwritten those drivers with Microsoft native Windows 2000
drivers. This could account for your noted blue-screen event.

I'll also hit one thing you may not have checked, in your local security
policy...
Do you have "Shut down system immediately if unable to log security audits"
enabled (this is found in Local Policies...Security Options)? If you are
auditing improperly (generating enough events to exceed the max size of your
security log and not allowing those events to be overwritten), your Security
Log could be filling up and shutting down your system. The aforementioned
Service Pack 4 installation could be causing this issue...assuming you
installed SP4, your event logs may be (likely are) being corrupted and, while
appearing empty, one or more are actually full. The corruption could be
preventing entries from being written and the above mentioned security
setting could be shutting you down when you reach an event logging
threshold.

I realize this may be a bit esoteric, but it sounds like you are looking for
unusual explanations at this point. I will say that I've never heard of
anyone attacking a system in the fashion you're describing, so I would think
something malicious would still be far down the list of suspects (almost to
the point of only if it is the only answer left).

Charlie
 
Peter Slam

Yes! First all connections to the system fail (RCP, my application, ...etc),
and then, in a few minutes, the system restarts.

What can I do!!!
 
Peter Slam

Charlie,

Thank you very much for your answer.

I tried 3 different computers with 3 different network cards.
The event log is in "Overwrite when necessary" mode, but it is not full.
I will check the drivers and Local Policies again, but every time, a few minutes
before the system shuts down or restarts, every connection to the computer fails (RCP,
my application, ...etc).
I changed switch, cable, power line and source, computer, network
card....all!
The only thing that is the same is ... the IP address.
And my application reports "Failed to call socket() function. ret
value:INVALID_SOCKET" a few minutes before the shutdown or restart (this
application was working fine for 6 months until now).

Is there a debug tool to show buffers or other internal values of the TCP/IP
stack?

Thank you.

Pet.
 
Dave

ok, if it is your application you should be able to load the program in the
original debugging environment and see what is causing that problem. it may
be your program has a bug that is bringing down the tcp/ip stack and causing
other services to malfunction.

there are various tools to let you monitor the tcp/ip statistics, capture
network traffic, and other details of the system operation. netstat and the
task manager are the simple built in ones, others are available either free
or for mega$$$ depending on the complexity of the problem.

i would start by back tracking and see what you changed before the problem
started. if you did that service pack just before the problem started, try
undoing it or preferably building a clean system without it and running that
for a while, then adding the sp and see if the problem repeats.
 
Peter Slam

Dave,

Thank you for your answer.
I didn't change anything. The problem began on a computer WITHOUT SP4.
Then I installed the SP to try to avoid it, but the problem persists.
I tried changing the computer, the application, etc. I don't understand how it is
possible to restart a computer or corrupt the TCP/IP stack simply by sending some
TCP packets from the network.
We used Network Monitor, netstat, sniffers, security policies, ..etc.
We changed the computer 3 times.
We don't know what happens.
 
Peter Slam

I received event ID 2019 before the machine stopped responding.
I ran POOLMON to try to locate the problem.


What does Pool Tag IoNm mean (it makes a lot of allocs() without frees())?

Thanks!

Pet.



Memory: 523828K Avail: 366616K PageFlts: 44 InRam Krnl: 4144K P:32920
Commit: 159756K Limit:1277940K Peak: 160840K Pool N:25376K P:33084

Tag Type Allocs Frees Diff Bytes Per Alloc

CM Paged 4197 ( 0) 1287 ( 0) 2910 11643744 ( 0) 400
NAI0 Paged 8 ( 0) 4 ( 0) 4 8011776 ( 0) 200294
MmSt Paged 3736 ( 0) 416 ( 0) 3320 2330720 ( 0) 702
Ntff Paged 2685 ( 0) 62 ( 0) 2623 2266272 ( 0) 864
AfdX Paged 7140 ( 0) 143 ( 0) 6997 1567328 ( 0) 224
Toke Paged 52936 ( 42) 51470 ( 42) 1466 1062304 ( 0) 724
IoNm Paged 62002 ( 39) 51867 ( 39) 10135 788064 ( 0) 77
SeTd Paged 52936 ( 42) 51470 ( 42) 1466 750592 ( 0) 512
Gh 5 Paged 2712 ( 6) 2603 ( 6) 109 461568 ( 0) 4234
Dcl Paged 59465 ( 45) 58467 ( 45) 998 404384 ( 1088) 405
FSim Paged 2746 ( 0) 49 ( 0) 2697 345216 ( 0) 128
NtfF Paged 320 ( 0) 52 ( 0) 268 265856 ( 0) 992
Obtb Paged 70 ( 0) 8 ( 0) 62 253952 ( 0) 4096
Ntfc Paged 2578 ( 0) 4 ( 0) 2574 247104 ( 0) 96
Gla1 Paged 169 ( 0) 47 ( 0) 122 191296 ( 0) 1568
NtFs Paged 4992 ( 0) 2082 ( 0) 2910 191008 ( 0) 65
MmSm Paged 2937 ( 0) 241 ( 0) 2696 172544 ( 0) 64
Ttfd Paged 636 ( 0) 529 ( 0) 107 164480 ( 0) 1537
RAGE Paged 221 ( 0) 181 ( 0) 40 140512 ( 0) 3512
NtFf Paged 4 ( 0) 1 ( 0) 3 131232 ( 0) 43744
LfsI Paged 2 ( 0) 0 ( 0) 2 131072 ( 0) 65536
Gcac Paged 44 ( 0) 24 ( 0) 20 98624 ( 0) 4931
Gla5 Paged 477 ( 5) 260 ( 4) 217 90272 ( 416) 416
CMkb Paged 18474 ( 0) 17682 ( 0) 792 76032 ( 0) 96
rx Paged 1 ( 0) 0 ( 0) 1 73728 ( 0) 73728
CMVa Paged 19882 ( 0) 18804 ( 0) 1078 73504 ( 0) 68
Gdrs Paged 41 ( 0) 28 ( 0) 13 64960 ( 0) 4996
Gla: Paged 175 ( 0) 82 ( 0) 93 62496 ( 0) 672
RRle Paged 9306 ( 0) 8331 ( 0) 975 62400 ( 0) 64
NtFS Paged 48212 ( 87) 47991 ( 87) 221 56416 ( 0) 255
Port Paged 50038 ( 204) 49810 ( 204) 228 52096 ( 0) 228
ArbA Paged 12 ( 0) 1 ( 0) 11 49152 ( 0) 4468
NtFB Paged 37 ( 0) 36 ( 0) 1 49152 ( 0) 49152
Bmfd Paged 28 ( 0) 6 ( 0) 22 48992 ( 0) 2226
SeSd Paged 33656 ( 128) 33344 ( 128) 312 46304 ( 0) 148
Key Paged 128865 ( 328) 128162 ( 328) 703 45056 ( 0) 64
CMNb Paged 126659 ( 286) 125974 ( 286) 685 40192 ( 0) 58
Ggb Paged 41 ( 0) 20 ( 0) 21 36096 ( 0) 1718
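A single POOLMON listing like the one above only shows which tags hold the most pool right now; a leak is pinned to a tag by taking a second snapshot some minutes later and looking for tags whose outstanding count (Allocs minus Frees, the Diff column) keeps climbing. The script below is an added example written for this thread, not something posted by any participant or shipped with POOLMON: it parses the listing format, ranks tags by outstanding allocations, and compares two snapshots. The first snapshot uses rows copied from the post above; the second snapshot is constructed, with IoNm made to grow, purely to show what the comparison reports. Note that event ID 2019 refers to the nonpaged pool, while the listing posted shows only Paged rows, so in practice the Nonp rows deserve the same comparison.

```python
"""Two-snapshot POOLMON leak triage (added example, not from the thread)."""
import re
from typing import Dict, List, NamedTuple, Tuple


class PoolRow(NamedTuple):
    tag: str
    pool_type: str   # "Paged" or "Nonp"
    allocs: int
    frees: int
    diff: int        # outstanding allocations (Allocs - Frees)
    bytes_: int
    per_alloc: int


# One POOLMON data row: tag (up to 4 chars, may contain a space), pool type,
# Allocs (delta), Frees (delta), Diff, Bytes (delta), Per Alloc.
# The "Memory:" summary and the "Tag Type ..." header do not match and are skipped.
ROW_RE = re.compile(
    r"^\s*(?P<tag>.{1,4}?)\s+(?P<type>Paged|Nonp)\s+"
    r"(?P<allocs>\d+)\s*\(\s*-?\d+\)\s+"
    r"(?P<frees>\d+)\s*\(\s*-?\d+\)\s+"
    r"(?P<diff>-?\d+)\s+(?P<bytes>\d+)\s*\(\s*-?\d+\)\s+(?P<per>\d+)\s*$"
)

Key = Tuple[str, str]  # (tag, pool type); a tag can appear in both pools


def parse_poolmon(text: str) -> Dict[Key, PoolRow]:
    """Parse a POOLMON listing into rows keyed by (tag, pool type)."""
    rows: Dict[Key, PoolRow] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = PoolRow(m["tag"].strip(), m["type"], int(m["allocs"]),
                      int(m["frees"]), int(m["diff"]), int(m["bytes"]),
                      int(m["per"]))
        rows[(row.tag, row.pool_type)] = row
    return rows


def outstanding_ranking(snapshot: Dict[Key, PoolRow], top: int = 5) -> List[PoolRow]:
    """Tags holding the most outstanding allocations in one snapshot."""
    return sorted(snapshot.values(), key=lambda r: r.diff, reverse=True)[:top]


def growing_tags(before: Dict[Key, PoolRow], after: Dict[Key, PoolRow],
                 min_growth: int = 100) -> List[dict]:
    """Tags whose outstanding count grew by at least min_growth between snapshots."""
    found = []
    for key, new in after.items():
        old = before.get(key)
        if old is None:
            continue
        growth = new.diff - old.diff
        if growth >= min_growth:
            found.append({"tag": new.tag, "pool_type": new.pool_type,
                          "outstanding_growth": growth,
                          "bytes_growth": new.bytes_ - old.bytes_})
    return sorted(found, key=lambda d: d["outstanding_growth"], reverse=True)


# Snapshot 1: rows copied from the POOLMON output posted in the thread.
SNAPSHOT_1 = """\
Memory: 523828K Avail: 366616K PageFlts: 44 InRam Krnl: 4144K P:32920
Tag Type Allocs Frees Diff Bytes Per Alloc
CM Paged 4197 ( 0) 1287 ( 0) 2910 11643744 ( 0) 400
AfdX Paged 7140 ( 0) 143 ( 0) 6997 1567328 ( 0) 224
Toke Paged 52936 ( 42) 51470 ( 42) 1466 1062304 ( 0) 724
IoNm Paged 62002 ( 39) 51867 ( 39) 10135 788064 ( 0) 77
Gh 5 Paged 2712 ( 6) 2603 ( 6) 109 461568 ( 0) 4234
Dcl Paged 59465 ( 45) 58467 ( 45) 998 404384 ( 1088) 405
NtFS Paged 48212 ( 87) 47991 ( 87) 221 56416 ( 0) 255
Key Paged 128865 ( 328) 128162 ( 328) 703 45056 ( 0) 64
"""

# Snapshot 2: CONSTRUCTED for this example (not real data). IoNm keeps
# allocating without freeing; the other tags churn but stay flat.
SNAPSHOT_2 = """\
Tag Type Allocs Frees Diff Bytes Per Alloc
CM Paged 4197 ( 0) 1287 ( 0) 2910 11643744 ( 0) 400
AfdX Paged 7160 ( 20) 163 ( 20) 6997 1567328 ( 0) 224
Toke Paged 53100 ( 40) 51630 ( 40) 1470 1065200 ( 0) 724
IoNm Paged 63500 ( 60) 52000 ( 15) 11500 894500 ( 3465) 77
Gh 5 Paged 2718 ( 6) 2609 ( 6) 109 461568 ( 0) 4234
Dcl Paged 59600 ( 45) 58602 ( 45) 998 404384 ( 0) 405
NtFS Paged 48400 ( 87) 48179 ( 87) 221 56416 ( 0) 255
Key Paged 129200 ( 328) 128497 ( 328) 703 45056 ( 0) 64
"""


if __name__ == "__main__":
    first, second = parse_poolmon(SNAPSHOT_1), parse_poolmon(SNAPSHOT_2)
    print("Largest outstanding holders in snapshot 1:")
    for r in outstanding_ranking(first, top=3):
        print(f"  {r.tag:<4} {r.pool_type:<5} diff={r.diff:>6} bytes={r.bytes_}")
    print("Tags still growing between snapshots:")
    for d in growing_tags(first, second):
        print(f"  {d['tag']} +{d['outstanding_growth']} allocs, "
              f"+{d['bytes_growth']} bytes")
```

Run POOLMON twice a few minutes apart, paste each listing into the two snapshot strings (or read them from files), and the growing-tag report is the list of candidates worth matching to a driver; a tag that is merely large but flat between snapshots is a steady-state consumer, not a leak.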
 
