Message-ID: <3B7E9BB2.4040709@digitaldaemon.com>
Date: Sat, 18 Aug 2001 12:45:38 -0400
From: Jan Knepper
To: "Michael C. Wu"
Cc: FreeBSD ISP
Subject: Re: slashdotted: /kernel: xl0: no memory for rx list -- packet dropped!
Sender: owner-freebsd-isp@FreeBSD.ORG

>>tcp4       0  15360  63.105.9.61.20         193.124.148.213.1598   LAST_ACK
>>tcp4       0  15360  63.105.9.61.20         193.124.148.213.1597   LAST_ACK
>>tcp4       0  15360  63.105.9.61.20         193.124.148.213.1556   LAST_ACK
>>tcp4       0  15360  63.105.9.61.20         193.124.148.213.1553   LAST_ACK
>>tcp4       0  15360  63.105.9.61.20         203.195.181.4.1440     LAST_ACK
>>
>>I am sure this has been in there the last at least 24 hours and I can
>>see nothing is happening. I suspect that this is because of the no
>>memory for rx list, but I am not quite sure. It was kinda a cool feeling
>>though that FreeBSD didn't give up, but still runs!!!
>>
>I think you might have been attacked by a well-known attack, simply named
>the LAST_ACK attack. It puts our TCP state machine into whack by not
>sending the proper TCP states. There is no way around it.
>
<grrr>
Is there a way to find out when these connections were set up? Or how long they have been open?

>>Is there any way to clean this up without having to reboot the system?
>>
>I don't know. :)
>
Is there somebody who does/might?

Jan

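An added example, not part of the original message: the netstat lines quoted above carry no timestamp, so one way to approach the "how long have they been open" question is to poll netstat and remember when each LAST_ACK socket was first observed, which gives a lower bound on its age. The function names, the polling approach and the ESTABLISHED sample line are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample in `netstat -n` column order: the five LAST_ACK lines
# quoted in the message plus one made-up ESTABLISHED line (192.0.2.10).
SNAPSHOT = """\
tcp4       0  15360  63.105.9.61.20         193.124.148.213.1598   LAST_ACK
tcp4       0  15360  63.105.9.61.20         193.124.148.213.1597   LAST_ACK
tcp4       0  15360  63.105.9.61.20         193.124.148.213.1556   LAST_ACK
tcp4       0  15360  63.105.9.61.20         193.124.148.213.1553   LAST_ACK
tcp4       0  15360  63.105.9.61.20         203.195.181.4.1440     LAST_ACK
tcp4       0      0  63.105.9.61.80         192.0.2.10.40001       ESTABLISHED
"""


def parse_last_ack(text):
    """Return {(local, foreign): send_q} for every TCP socket in LAST_ACK."""
    stuck = {}
    for line in text.splitlines():
        f = line.split()
        # Proto Recv-Q Send-Q Local Foreign State; headers and other rows are skipped.
        if len(f) == 6 and f[0].startswith("tcp") and f[5] == "LAST_ACK":
            stuck[(f[3], f[4])] = int(f[2])
    return stuck


def per_host(stuck):
    """Count stuck sockets per remote host (BSD style a.b.c.d.port, port stripped)."""
    return Counter(foreign.rsplit(".", 1)[0] for _, foreign in stuck)


def update_first_seen(first_seen, stuck, now):
    """Carry over the first-observed time of sockets still stuck; forget closed ones."""
    return {key: first_seen.get(key, now) for key in stuck}


def older_than(first_seen, now, seconds):
    """Sockets observed in LAST_ACK for at least `seconds` (a lower bound on age)."""
    return sorted(k for k, t in first_seen.items() if now - t >= seconds)


if __name__ == "__main__":
    stuck = parse_last_ack(SNAPSHOT)
    for host, count in per_host(stuck).most_common():
        print(f"{host}: {count} socket(s) in LAST_ACK, "
              f"{sum(q for (_, fa), q in stuck.items() if fa.startswith(host + '.'))} bytes unsent")
```

Run from cron or a loop, feeding each poll's output to `parse_last_ack` and keeping the `first_seen` dictionary between runs.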