Date: Fri, 29 Jan 2010 11:13:46 -0600 From: Adam Vande More <amvandemore@gmail.com> To: James Smallacombe <up@3.am> Cc: freebsd-questions@freebsd.org Subject: Re: UDP flooding / Ethernet issues? WAS Re: named "error sending response: not enough free resources" Message-ID: <6201873e1001290913p3616411fo966c6683020662b6@mail.gmail.com> In-Reply-To: <alpine.BSF.2.00.1001291133290.26372@ns3.pil.net> References: <alpine.BSF.2.00.1001271322250.29151@ns3.pil.net> <979FD2CE-FCCE-4C61-8FA8-74D75E091C43@mac.com> <alpine.BSF.2.00.1001271604460.73419@ns3.pil.net> <D588AADC-6C59-4A60-BD2A-05ECF6E7A571@mac.com> <alpine.BSF.2.00.1001281351590.95602@ns3.pil.net> <6201873e1001281207o6071426ud29a9de5b02424e@mail.gmail.com> <alpine.BSF.2.00.1001291133290.26372@ns3.pil.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Jan 29, 2010 at 10:51 AM, James Smallacombe <up@3.am> wrote: > Some updates that may confuse more than inform: I caught this while it was > happening yesterday and was able to do a tcpdump. I saw a ton of UDP > traffic outbound to one IP that turned out to be a colocated server in > Chicago. I put that IP in my ipfw rules and once I blocked "any to" that > IP, it seemed to stop. Since then however, the logs have show the same > issue again and there have been a few brief service disruptions. > > Today's security run output showed this: > > +(RULE NUMBER) 16054161 131965203420 deny ip from any to (blocked IP) > > and more alarmingly, this: > > kernel log messages: > +++ /tmp/security.BErFHSS3 2010-01-29 03:09:32.000000000 -0500 > +re0: link state changed to DOWN > +re0: link state changed to UP > +re0: promiscuous mode enabled > +re0: promiscuous mode disabled > +re0: promiscuous mode enabled > +re0: promiscuous mode disabled > +re0: promiscuous mode enabled > +re0: promiscuous mode disabled > > re0 obviously being the Realtek Ethernet driver. The server itself never > went down during this time, but the Ethernet did. Is there any DOS type of > event that could cause this, or could the root of the problem be an Ethernet > hardware or driver issue? Again, it is not clear to me which is the cause > and which is the effect. > > Last bit of info: I just did a: 'tcpdump -n | grep -i udp' and saw a bunch > of these, coming up a couple of times per second: > promiscuous mode entries are caused by tcpdump -- Adam Vande More
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6201873e1001290913p3616411fo966c6683020662b6>