From owner-freebsd-stable@FreeBSD.ORG  Tue May 20 19:04:50 2003
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 17A3637B401; Tue, 20 May 2003 19:04:50 -0700 (PDT)
Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su
	[213.184.65.80])	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 0481B43FAF; Tue, 20 May 2003 19:04:48 -0700 (PDT)
	(envelope-from eugen@kuzbass.ru)
Received: from kuzbass.ru (kost [213.184.65.82])h4L24iYt074282;
	Wed, 21 May 2003 10:04:44 +0800 (KRAST)
	(envelope-from eugen@kuzbass.ru)
Message-ID: <3ECADE5C.EC1A2630@kuzbass.ru>
Date: Wed, 21 May 2003 10:03:08 +0800
From: Eugene Grosbein <eugen@kuzbass.ru>
Organization: SVZServ
X-Mailer: Mozilla 4.8 [en] (Win98; U)
X-Accept-Language: ru,en
MIME-Version: 1.0
To: "Saulius Menkevičius" <razzmatazz@mail.lt>
References: <E19IDku-0000CA-Et@midway.tamsa>
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
cc: freebsd-stable@freebsd.org
cc: bug-followup@freebsd.org
cc: net@freebsd.org
Subject: Re: lots of sockets in TIME_WAIT
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Production branch of FreeBSD source code
	<freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 21 May 2003 02:04:50 -0000

"Saulius Menkevičius" wrote:
> 
>         Hi there,
> 
> I have some DDOS(?) attack on my router going where my apache HTTP
> server is flooded with short-timed connections from some host. This
> results in LOTS of sockets in TIME_WAIT/LAST_ACK/CLOSING states and
> eventually I'm out of mbufs, which, consequently means I can't even
> connect to the router from LAN. The kern.ipc.nmbclusters is 2560, (I
> guess high enough for router with DSL connection).
>         After some time all mbufs are depleted (system says "All mbuf
> cluster exhausted"). However, unexpectedly the system panics shortly
> in about 10 minutes (+/-) with:
> /kernel: All mbuf cluster exhausted, please see tuning(7)
> /kernel: looutput: mbuf allocation failed
> /kernel: panic: sbappendaddr
> /kernel:
> /kernel: syncing disks....
> .
> .
>         I don't think this behaviour (a panic) is normal. This crash is
> happens often when I'm under such attack and I guess I can easily
> give crash dump, kgdb output or something like, if you need.
>         System is running 4.8-RELEASE, on iPentium166/mmx with 64MB of RAM.
> 4 NICs, BRIDGE on two of them.
> 
>         Thanks for any response..

I agree with you. I've got crashdump for mbuf-related kernel panic 
(sbappendaddr), see http://www.FreeBSD.org/cgi/query-pr.cgi?pr=kern/50803
I believe a kernel must not panic due to DoS.

Eugene Grosbein