Date: Sun, 20 Feb 2011 12:59:54 +1000
From: Mike M <mail@miketm.com>
To: freebsd-net@freebsd.org
Subject: ARP issue post DDoS
Message-ID: <4D6083AA.6010201@miketm.com>
Hi,

After receiving a DDoS recently (likely SYN related on ports with legitimate services), I was unable to contact my primary interface gateway (immediate switch it's connected to). When I looked at the ARP table I saw an 'incomplete' entry for this gateway. I deleted it manually then watched the ARP traffic on the interface and saw the who-has requests, but saw no replies.

NOC suggested that something looked messed up in the TCP/IP stack of the OS and suggested I reboot the machine. When I rebooted, everything came right again.

Any ideas what caused this, or moreso how to prevent it from happening in the future? I'm concerned it will happen again and obviously don't want to have to keep rebooting the machine.

The box is running FreeBSD 8.1-RELEASE-p2
Intel Xeon 2.4GHz w/4GB RAM
2 x NetXtreme Gigabit Ethernet PCI Express (BCM5721)

No idea if the below helps or not. Note the netstat statistics were not captured at the time this happened, I just grabbed them now.

# pfctl -s memory
states        hard limit 10000000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   100000

# netstat -m
1027/11393/12420 mbufs in use (current/cache/total)
1025/4215/5240/65000 mbuf clusters in use (current/cache/total/max)
1024/3456 mbuf+clusters out of packet secondary zone in use (current/cache)
0/199/199/12800 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/6400 9k jumbo clusters in use (current/cache/total/max)
0/0/0/3200 16k jumbo clusters in use (current/cache/total/max)
2306K/12074K/14381K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0/0/0 sfbufs in use (current/peak/max)
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
0 calls to protocol drain routines

Any help would be much appreciated.

Regards,
- Mike
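
The manual check described in the message (looking for an 'incomplete' ARP entry for the default gateway) can be scripted so the condition is caught by monitoring rather than by an outage. The following is an added example, not part of the original message; it assumes the text layout printed by FreeBSD's `netstat -rn -f inet` and `arp -an`, and the addresses and the interface name `bge0` in the sample text are constructed.

```shell
#!/bin/sh
# Added example: report whether the default gateway's ARP entry is resolved.
# Sample text below is constructed (TEST-NET addresses, assumed interface bge0).
SAMPLE_NETSTAT='Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.0.2.1          UGS         0     1234   bge0
192.0.2.0/24       link#1             U           0      100   bge0'

SAMPLE_ARP='? (192.0.2.1) at (incomplete) on bge0 expired [ethernet]
? (192.0.2.10) at 00:11:22:33:44:55 on bge0 permanent [ethernet]'

# Read `netstat -rn -f inet` text on stdin, print the default gateway address.
default_gateway() {
    awk '$1 == "default" { print $2; exit }'
}

# Read `arp -an` text on stdin, print the state of the entry for address $1:
# "resolved <mac> <ifname>", "incomplete <ifname>" or "missing".
gateway_arp_state() {
    awk -v ip="($1)" '
        $2 == ip {
            found = 1
            if ($4 == "(incomplete)") print "incomplete", $6
            else print "resolved", $4, $6
            exit
        }
        END { if (!found) print "missing" }'
}

# $1 = netstat text, $2 = arp text. Prints "<gateway> <state>".
# Returns 0 if resolved, 1 if incomplete or missing, 2 if no default route.
check_gateway() {
    gw=$(printf '%s\n' "$1" | default_gateway)
    [ -n "$gw" ] || { echo "no-default-route"; return 2; }
    state=$(printf '%s\n' "$2" | gateway_arp_state "$gw")
    echo "$gw $state"
    case $state in
        resolved*) return 0 ;;
        *) return 1 ;;
    esac
}

# On a live host: check_gateway "$(netstat -rn -f inet)" "$(arp -an)"
check_gateway "$SAMPLE_NETSTAT" "$SAMPLE_ARP" || echo "gateway ARP entry not resolved"
```

Run from cron or a monitoring agent, a non-zero exit status can raise an alert while the host is still reachable through another path.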