Old 3rd March 2013, 13:55   #1
Jeroen52
Junior Member
 
Join Date: Mar 2012
Posts: 8
Lots, and lots of TCP connections from 2 IPs

Hello,

So recently I have installed DNAS + Transcoder, works great!
The last few days it started to work less great.
Somehow no DJ could login and yesterday the connections to the server began to get a high packetloss of 6%.

When I tried to investigate, my host closed my server because it was affecting the hardware.
At the time the server was forced to close, there where 3.6k connections.
And most connections where to 2 ip adresses and their destination ports where 8000 (dnas).

Is this a DDoS, a bug, exploit or normal?

Kind Regards,

Jeroen
Jeroen52 is offline   Reply With Quote
Old 3rd March 2013, 23:15   #2
DrO
 
Join Date: Sep 2003
Posts: 27,873
mght have been a DDoS attempt, depends really on what the DNAS log showed the connections were trying to do / access. it could even have been a DNAS bug or a bug in the source software or the listener software.

is just not possible give a specific answer based on what you've provided.
DrO is offline   Reply With Quote
Old 12th March 2013, 19:26   #3
Jeroen52
Junior Member
 
Join Date: Mar 2012
Posts: 8
Quote:
Originally Posted by DrO View Post
mght have been a DDoS attempt, depends really on what the DNAS log showed the connections were trying to do / access. it could even have been a DNAS bug or a bug in the source software or the listener software.

is just not possible give a specific answer based on what you've provided.
Sorry for the late response, I forgot to subscribe.
This is what I got in the logs:
[Insert some IP from Switzerland] 2013-02-28 22:04:51 /stream?title=Unknown 200 13032 30 3475
And duplicate the line above a few thousand times.
Also, this is in a different log:
2013-03-02 22:54:29 E msg:virtual void AOL_logger::consoleLogger_element::log(const AOL_logger::message&) Error writing to console - write issue
2013-03-02 22:55:29 I msg:[DST Many of the same IP addresses:44684 sid=1] SHOUTcast 1 client connection accepted. SHOUTcast Metadata Puller
Jeroen52 is offline   Reply With Quote
Old 13th March 2013, 12:31   #4
DrO
 
Join Date: Sep 2003
Posts: 27,873
Quote:
Originally Posted by Jeroen52 View Post
Sorry for the late response, I forgot to subscribe.
This is what I got in the logs:
[Insert some IP from Switzerland] 2013-02-28 22:04:51 /stream?title=Unknown 200 13032 30 3475
And duplicate the line above a few thousand times.
might have been a DDoS (intentional or otherwise) or it's just a buggy listener client (hence the 'otherwise' earlier) as that's not a normal connection path for a listener unless you're running the stream with streampath=/stream and it's an issue with one of the DJ connections trying to send the title. alas the log doesn't really help much to determine the cause.

Quote:
Originally Posted by Jeroen52 View Post
Also, this is in a different log:
2013-03-02 22:54:29 E msg:virtual void AOL_logger::consoleLogger_element::log(const AOL_logger::message&) Error writing to console - write issue
that is because the shell the DNAS was started in has gone away but the DNAS is still running. setting screenlog=0 in the configuration file will resolve the issue.

Quote:
Originally Posted by Jeroen52 View Post
2013-03-02 22:55:29 I msg:[DST Many of the same IP addresses:44684 sid=1] SHOUTcast 1 client connection accepted. SHOUTcast Metadata Puller
that is from the Directory servers. that is used by the shoutcast.com site player to get the current playing information.
DrO is offline   Reply With Quote
Old 15th March 2013, 17:01   #5
Jeroen52
Junior Member
 
Join Date: Mar 2012
Posts: 8
Just a headsup.
I've got a lot of connections with irdmi (port 8000) and port 8000 is the admin panel here.
And the IP that had those connections was my IP.
So can it be that the panel is causing it?
Jeroen52 is offline   Reply With Quote
Old 17th March 2013, 20:11   #6
DrO
 
Join Date: Sep 2003
Posts: 27,873
if you've got multiple things trying to run on the same port (shouldn't be allowed but does seem to happen at times) then that would most likely be the cause of the issue. simplest option is to move the port of the DNAS server to a different value - that will break any saved stream urls people have for your stream but would resolve the conflict.
DrO is offline   Reply With Quote
Old 17th March 2013, 20:14   #7
Jeroen52
Junior Member
 
Join Date: Mar 2012
Posts: 8
Quote:
Originally Posted by DrO View Post
if you've got multiple things trying to run on the same port (shouldn't be allowed but does seem to happen at times) then that would most likely be the cause of the issue. simplest option is to move the port of the DNAS server to a different value - that will break any saved stream urls people have for your stream but would resolve the conflict.
Well, the radio station is not popular.
How to move the port of the stream?
Jeroen52 is offline   Reply With Quote
Old 17th March 2013, 20:18   #8
DrO
 
Join Date: Sep 2003
Posts: 27,873
change portbase in the stream configuration file.
DrO is offline   Reply With Quote
Old 17th March 2013, 21:25   #9
Jeroen52
Junior Member
 
Join Date: Mar 2012
Posts: 8
I only have the site and the stream running on the same port.
I have tried to move the stream to a different port (port 8080), but it also moves the admin page.

Any help?
Jeroen52 is offline   Reply With Quote
Old 17th March 2013, 21:34   #10
DrO
 
Join Date: Sep 2003
Posts: 27,873
that is expected. portbase controls _all_ DNAS server pages be it stream urls or admin pages - as far as the DNAS is concerned, they're handled the same when when a connection is made to them.
DrO is offline   Reply With Quote
Old 17th March 2013, 21:38   #11
Jeroen52
Junior Member
 
Join Date: Mar 2012
Posts: 8
Quote:
Originally Posted by DrO View Post
that is expected. portbase controls _all_ DNAS server pages be it stream urls or admin pages - as far as the DNAS is concerned, they're handled the same when when a connection is made to them.
But is it going to conflict?
Jeroen52 is offline   Reply With Quote
Old 17th March 2013, 22:04   #12
DrO
 
Join Date: Sep 2003
Posts: 27,873
pages provided by the DNAS will not conflict with other pages provided by the DNAS server. if it conflicts with another service on your machine then i don't know as it took a few posts before you even mentioned other things running on the server.

if that's not what you mean then you really need to provide more information, though if you're using a 3rd party control panel then you'd be better off looking for updates from them first (as we cannot help with those sorts of issues).
DrO is offline   Reply With Quote
Old 17th March 2013, 22:17   #13
Jeroen52
Junior Member
 
Join Date: Mar 2012
Posts: 8
Quote:
Originally Posted by DrO View Post
pages provided by the DNAS will not conflict with other pages provided by the DNAS server. if it conflicts with another service on your machine then i don't know as it took a few posts before you even mentioned other things running on the server.

if that's not what you mean then you really need to provide more information, though if you're using a 3rd party control panel then you'd be better off looking for updates from them first (as we cannot help with those sorts of issues).
I do have other services running on my machine, 80 is http and 443 is https (SSL), and some other services too.
But none is set to port 8000, 7999 or 8001.
And I do use the normal control panel.
Jeroen52 is offline   Reply With Quote
Reply
Go Back   Winamp & Shoutcast Forums > Shoutcast > Shoutcast Technical Support

Tags
connections, dnas, tcp, transcoder, vps

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump