#1
MVP
Join Date: Apr 2002
Location: Korat, Thailand
Posts: 2,046
DOS Attack on my Mac
I've been away from home for a couple of weeks. When I returned I noticed the CPU was running near 100% with most of that taken up by mDNSResponder and Launchd.
The system.log file contains tens of thousands of entries like this:

11/4/12 5:18:23.039 AM mDNSResponder[41]: CacheRecordAdd: 1.courier-sandbox-push-apple.com.akadns.net. (Addr) has 40429890 answers; shedding records to resist DOS attack

(The system.log file for today is 1.4GB. Normally the compressed system.log files are under 100KB.) I restarted the machine and the DOS attack seems to have ended. Unfortunately, I can no longer open console.app because it keeps trying to open system.log.2.bz2 which causes it to hang. How can I figure out what's going on here?
__________________
http://www.mgnewman.com/
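The question in post #1 is how to find out what is going on when Console can no longer open the log. One way that does not need Console at all is to parse system.log directly and aggregate the mDNSResponder "shedding records" entries by the name they refer to, so the dominant name and its answer counts stand out. The script below is an added example and is not from the thread or from Apple; the log lines it parses are constructed to match the format of the single line quoted in post #1, and the thresholds in flag_noisy are assumptions, not anything mDNSResponder itself uses.

```python
import re
from collections import OrderedDict
from typing import Dict, Iterable, List

# Matches the Console-style line quoted in post #1:
#   11/4/12 5:18:23.039 AM mDNSResponder[41]: CacheRecordAdd: <name> (<type>) has <n> answers; shedding records ...
SHED_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}\.\d{3} [AP]M) "
    r"mDNSResponder\[(?P<pid>\d+)\]: CacheRecordAdd: (?P<name>\S+) "
    r"\((?P<rrtype>[^)]+)\) has (?P<answers>\d+) answers; shedding records"
)

# Constructed sample log (not a real capture): one name floods, one is quiet,
# and one unrelated kernel line is present to show it is ignored.
SAMPLE_LOG = """\
11/4/12 5:18:23.039 AM mDNSResponder[41]: CacheRecordAdd: 1.courier-sandbox-push-apple.com.akadns.net. (Addr) has 40429890 answers; shedding records to resist DOS attack
11/4/12 5:18:23.040 AM mDNSResponder[41]: CacheRecordAdd: 1.courier-sandbox-push-apple.com.akadns.net. (Addr) has 40429891 answers; shedding records to resist DOS attack
11/4/12 5:18:24.101 AM kernel[0]: unrelated message that must not match
11/4/12 5:18:25.000 AM mDNSResponder[41]: CacheRecordAdd: example-printer.local. (Addr) has 3 answers; shedding records to resist DOS attack
11/4/12 5:18:26.500 AM mDNSResponder[41]: CacheRecordAdd: 1.courier-sandbox-push-apple.com.akadns.net. (Addr) has 40429892 answers; shedding records to resist DOS attack
"""


def parse_shed_events(lines: Iterable[str]) -> List[dict]:
    """Return one dict per 'shedding records' line; other lines are skipped."""
    events = []
    for line in lines:
        m = SHED_RE.match(line.rstrip("\n"))
        if m:
            ev = m.groupdict()
            ev["answers"] = int(ev["answers"])
            events.append(ev)
    return events


def summarize(events: List[dict]) -> Dict[str, dict]:
    """Aggregate events per name: hit count, peak answer count, first/last timestamp."""
    summary: "OrderedDict[str, dict]" = OrderedDict()
    for ev in events:
        s = summary.setdefault(
            ev["name"],
            {"count": 0, "max_answers": 0, "first_ts": ev["ts"], "last_ts": ev["ts"]},
        )
        s["count"] += 1
        s["max_answers"] = max(s["max_answers"], ev["answers"])
        s["last_ts"] = ev["ts"]
    return summary


def flag_noisy(summary: Dict[str, dict], min_events: int = 2, min_answers: int = 1000) -> List[str]:
    """Names worth investigating: repeated shedding with an implausibly large cache.
    Both thresholds are assumed values for illustration, not mDNSResponder's own."""
    return [
        name for name, s in summary.items()
        if s["count"] >= min_events and s["max_answers"] >= min_answers
    ]


def analyze(text: str) -> Dict[str, dict]:
    """Parse a whole log text and return the per-name summary."""
    return summarize(parse_shed_events(text.splitlines()))


if __name__ == "__main__":
    # To run on a real file instead: analyze(open("/var/log/system.log").read())
    result = analyze(SAMPLE_LOG)
    for name, s in result.items():
        print(f"{name}: {s['count']} hits, peak {s['max_answers']} answers, {s['first_ts']} .. {s['last_ts']}")
    print("flagged:", flag_noisy(result))
```

Because it reads the file line by line through a regular expression rather than loading a viewer, it copes with a multi-gigabyte log, and the per-name summary answers the diagnostic question directly: which name the shed entries point at, how many answers the cache had accumulated, and over what time window.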
#2
Triple-A Player
Join Date: May 2008
Location: Down by the river
Posts: 195
What do you have for a firewall between you and the internet? Which router are you using behind your cable modem/dsl/satellite/etc?
#3
MVP
Join Date: Apr 2002
Location: Korat, Thailand
Posts: 2,046
Buffalo WZR-HP-G300NH router running: DD-WRT v24-sp2 (06/14/11) std
Firewall is on. UPnP is on. None of the standard ports (22, 8080, 5900) are open.
__________________
http://www.mgnewman.com/
#4
Triple-A Player
Join Date: Feb 2006
Posts: 83
Trash that log, by hand
In Finder, under the Go menu, select Go To Folder ... and enter /private/var/log
and delete the damn thing. If you want to save a copy, you could drag it to the Desktop first. Though it will sit, like everything else, in the Trash until Emptied, and can be dragged from there. BTW, you will be asked for your Admin (login) password. This all assumes you are Admin to your own machine.
#5
Triple-A Player
Join Date: May 2008
Location: Down by the river
Posts: 195
Which ports are open/forwarded?
#6
MVP
Join Date: Apr 2002
Location: Korat, Thailand
Posts: 2,046
The ports forwarded to this machine are:
1000x to 22
1001x to 5900
32700 to 32700
I just turned off 32700 and 5900 as I no longer use them. (zo219 - I had deleted the massive log file.)
What is: 1.courier-sandbox-push-apple.com.akadns.net
All the DOS log messages contain this URL.
__________________
http://www.mgnewman.com/
#7
Hall of Famer
Join Date: Mar 2002
Posts: 3,870
Whois in Network utility tells me that akadns.net is owned by Akamai Technologies.
#8
MVP
Join Date: Apr 2002
Location: Korat, Thailand
Posts: 2,046
I've done some more research on this and have tentatively concluded that this is not a DOS attack, but Apple's push notification servers run amok.
The numerous system.log entries correspond roughly to the time period when my wife (in Thailand) and I (visiting the US) were trying to get Messages to work properly. So, she and I were both constantly adjusting Messages parameters.

Here's the problem: You're in a foreign country with your iPhone using Voice/SMS (not data) roaming from your home carrier. You send an SMS to someone with an iPhone back in your home country. They get it. But, when they reply, their iPhone "knows" that you, the recipient, can receive iMessages. So, it responds with an iMessage rather than an SMS. You don't receive the reply until you get an Internet connection and then you receive a flood. I suspect that in the interim Apple's push servers are sending out a huge number of push notifications for iMessage. You can sort of fix this if both parties turn iMessages off when you don't have an Internet connection, but then you need to remember to turn it back on when you do and then off again when you don't, ad infinitum.
__________________
http://www.mgnewman.com/