SSH Flood – Running tcpdump Starts SSH Flood on Embedded Linux

Tags: embedded-linux, flooding, ssh, tcp, tcpdump

I have a runtime Linux running on a PLC. My development machine is running Ubuntu 14.04. The PLC and the development machine are connected through a five-port switch. I ssh to the PLC from my development machine to transfer the executable of a networking application that I develop on my development machine.

I run tcpdump on the PLC to debug the kind of packets my network application is receiving, BUT as soon as I start tcpdump, there starts a flood of SSH SYNs and ACKs back and forth from my Ubuntu machine to the PLC. The Ethernet controller LEDs on the PLC, as well as those on the switch, start blinking rapidly. The flood overwhelms the PLC and it almost dies down while all other packets get dropped. It feels like a DoS attack whenever I run tcpdump, but as soon as I stop tcpdump, everything calms down and gets back to normal.

I would like to know the remedy for this problem and why it happens.

Any help would be appreciated.

Best Answer

My command is just tcpdump -i eth0, but what I don't understand is why running tcpdump suddenly escalates to a huge amount of traffic.

Try facing a mirror at a mirror; you'll get the idea. If not, try facing a mirror at a mirror and preventing the mirror from seeing itself.

Because your SSH traffic is also part of the capture that is being captured and reported via your SSH session. Sure, the fact that it is encrypted means you can't see anything inside the SSH packet, but when tcpdump prints out the headers for a packet to your terminal, those changes to your terminal are being transmitted over the network. And those changes being transmitted over the network are going to cause more data over the network to be captured/displayed/etc.

Anyway, the solution is to filter out SSH from your capture, or the client machine, or both. Also set the -n option to prevent tcpdump from performing DNS lookups and thereby polluting your capture with DNS requests/replies that have nothing to do with the actual activity.

tcpdump -ni eth0 not port 22
tcpdump -ni eth0 not host ip.of.the.sshclient
tcpdump -ni eth0 not host ip.of.the.sshclient and not port 22
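The filters above drop every SSH packet or every packet from the client host. As an added example (not part of the original answer), the shell functions below build a filter that excludes only the SSH session you are typing in, so the feedback loop cannot start while any other SSH traffic to the PLC stays visible. It assumes OpenSSH's sshd exports SSH_CONNECTION="client_ip client_port server_ip server_port" into the login shell, and falls back to "not port 22" when that is unavailable.

```shell
#!/bin/sh
# Added example, not from the original post. Build a tcpdump filter that
# excludes exactly the SSH session tcpdump's output is being sent over.
# Assumption: sshd sets SSH_CONNECTION="client_ip client_port server_ip server_port".

# Print a pcap-filter expression excluding the current SSH session.
# Argument 1: an SSH_CONNECTION-style string (defaults to the environment).
# Falls back to "not port 22" when the session cannot be identified.
ssh_exclude_filter() {
    conn="${1:-$SSH_CONNECTION}"
    # Split the four fields into the function's positional parameters.
    set -- $conn
    if [ $# -ne 4 ]; then
        echo "not port 22"
        return 0
    fi
    # Both directions of the session carry both hosts and both ports,
    # so this one clause matches the session's packets either way.
    echo "not (host $1 and port $2 and host $3 and port $4)"
}

# Combine the session exclusion with an optional user filter.
# Argument 1: SSH_CONNECTION-style string; argument 2: extra filter text.
capture_filter() {
    base=$(ssh_exclude_filter "$1")
    extra="$2"
    if [ -n "$extra" ]; then
        echo "$base and ($extra)"
    else
        echo "$base"
    fi
}

# Run tcpdump on an interface with the combined filter, without name
# resolution (-n) so the capture is not polluted with DNS lookups.
# Usage after sourcing this file: run_capture eth0 udp port 67
run_capture() {
    iface="${1:-eth0}"
    [ $# -gt 0 ] && shift
    tcpdump -ni "$iface" "$(capture_filter "$SSH_CONNECTION" "$*")"
}
```

Because the whole expression is passed as one quoted argument, the parentheses reach tcpdump's filter parser unchanged and need no backslash escaping.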