From: Saulius Menkevičius
Date: Wed, 21 May 2003 00:08:13 +0200
Subject: Re: lots of sockets in TIME_WAIT

Once Doug White wrote:
>On Tue, 20 May 2003, Saulius Menkevičius wrote:
>
>>I have some DDOS(?) attack on my router going where my apache HTTP
>>server is flooded with short-timed connections from some host. This
>>results in LOTS of sockets in TIME_WAIT/LAST_ACK/CLOSING states and
>>eventually I'm out of mbufs, which, consequently means I can't even
>>connect to the router from LAN. The kern.ipc.nmbclusters is 2560,
>>(I guess high enough for router with DSL connection).
>
>TIME_WAIT is normal for a server. LAST_ACK/CLOSING looks like packet
>loss. Is your outbound link overloaded normally, or from the DoS?
>
>Can you block the host? :)
>
>> After some time all mbufs are depleted (system says "All mbuf
>>cluster exhausted"). However, unexpectedly the system panics
>>shortly in about 10 minutes (+/-) with:
>
>Then increase the mbufs & clusters. Did you read the tuning man page?

Ahem, I did increase mbufs, according to man page. But I wonder why it
panics. It shouldn't panic when there are no mbufs free, or should it?

--
Saulius Menkevičius, razzmatazz@mail.lt on 05.21.2003