Date: Fri, 29 Jan 2010 11:13:46 -0600
Message-ID: <6201873e1001290913p3616411fo966c6683020662b6@mail.gmail.com>
From: Adam Vande More
To: James Smallacombe
Cc: freebsd-questions@freebsd.org
Subject: Re: UDP flooding / Ethernet issues? WAS Re: named "error sending response: not enough free resources"

On Fri, Jan 29, 2010 at 10:51 AM, James Smallacombe wrote:

> Some updates that may confuse more than inform: I caught this while it was
> happening yesterday and was able to do a tcpdump. I saw a ton of UDP
> traffic outbound to one IP that turned out to be a colocated server in
> Chicago. I put that IP in my ipfw rules and once I blocked "any to" that
> IP, it seemed to stop. Since then however, the logs have shown the same
> issue again and there have been a few brief service disruptions.
>
> Today's security run output showed this:
>
> +(RULE NUMBER) 16054161 131965203420 deny ip from any to (blocked IP)
>
> and more alarmingly, this:
>
> kernel log messages:
> +++ /tmp/security.BErFHSS3 2010-01-29 03:09:32.000000000 -0500
> +re0: link state changed to DOWN
> +re0: link state changed to UP
> +re0: promiscuous mode enabled
> +re0: promiscuous mode disabled
> +re0: promiscuous mode enabled
> +re0: promiscuous mode disabled
> +re0: promiscuous mode enabled
> +re0: promiscuous mode disabled
>
> re0 obviously being the Realtek Ethernet driver. The server itself never
> went down during this time, but the Ethernet did. Is there any DOS type of
> event that could cause this, or could the root of the problem be an Ethernet
> hardware or driver issue? Again, it is not clear to me which is the cause
> and which is the effect.
>
> Last bit of info: I just did a: 'tcpdump -n | grep -i udp' and saw a bunch
> of these, coming up a couple of times per second:
>

promiscuous mode entries are caused by tcpdump

--
Adam Vande More
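
One way to check that reading against the security-run output, as an added example that is not part of the original thread: it pairs each "promiscuous mode enabled" line with the following "disabled" line per interface, flags an interface left in promiscuous mode, and counts link-down events separately. The function name `summarize`, its result fields and the interface-name pattern are assumptions made for this sketch; `PAGE_LOG` holds the kernel lines quoted in the message above.

```python
import re
from collections import defaultdict

# Matches FreeBSD kernel messages such as "re0: promiscuous mode enabled",
# with the optional leading "+" added by the daily security-run diff.
# Assumption: interface names are lowercase letters followed by a unit number.
EVENT = re.compile(
    r"^\+?\s*(?P<ifname>[a-z]+\d+): "
    r"(?:promiscuous mode (?P<promisc>enabled|disabled)"
    r"|link state changed to (?P<link>UP|DOWN))\s*$"
)

# Kernel log lines as quoted in the message above.
PAGE_LOG = """\
+++ /tmp/security.BErFHSS3 2010-01-29 03:09:32.000000000 -0500
+re0: link state changed to DOWN
+re0: link state changed to UP
+re0: promiscuous mode enabled
+re0: promiscuous mode disabled
+re0: promiscuous mode enabled
+re0: promiscuous mode disabled
+re0: promiscuous mode enabled
+re0: promiscuous mode disabled
"""

def summarize(lines):
    """Return {ifname: {"pairs": n, "still_promisc": bool, "link_down": n}}."""
    stats = defaultdict(
        lambda: {"pairs": 0, "still_promisc": False, "link_down": 0})
    for line in lines:
        m = EVENT.match(line.strip())
        if not m:
            continue  # diff header or unrelated kernel message
        s = stats[m["ifname"]]
        if m["promisc"] == "enabled":
            s["still_promisc"] = True
        elif m["promisc"] == "disabled":
            if s["still_promisc"]:
                s["pairs"] += 1  # one completed enable/disable window
            s["still_promisc"] = False
        elif m["link"] == "DOWN":
            s["link_down"] += 1  # not a promiscuous-mode event; track apart
    return dict(stats)

if __name__ == "__main__":
    for ifname, s in summarize(PAGE_LOG.splitlines()).items():
        print(ifname, s)
```

An unmatched "enabled" line means something is still holding the interface in promiscuous mode at the end of the log. `tcpdump -p` captures without putting the interface into promiscuous mode, so captures run that way leave no such entries.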