From: Mike M
Date: Sun, 20 Feb 2011 12:59:54 +1000
To: freebsd-net@freebsd.org
Subject: ARP issue post DDoS

Hi,

After receiving a DDoS recently (likely SYN related on ports with legitimate services), I was unable to contact my primary interface gateway (immediate switch it's connected to). When I looked at the ARP table I saw an 'incomplete' entry for this gateway. I deleted it manually then watched the ARP traffic on the interface and saw the who-has requests, but saw no replies.
NOC suggested that something looked messed up in the TCP/IP stack of the OS and suggested I reboot the machine. When I rebooted, everything came right again.

Any ideas what caused this, or moreso how to prevent it from happening in the future? I'm concerned it will happen again and obviously don't want to have to keep rebooting the machine.

The box is running
FreeBSD 8.1-RELEASE-p2
Intel Xeon 2.4GHz w/4GB RAM
2 x NetXtreme Gigabit Ethernet PCI Express (BCM5721)

No idea if the below helps or not. Note the netstat statistics were not captured at the time this happened, I just grabbed them now.

# pfctl -s memory
states        hard limit 10000000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   100000

# netstat -m
1027/11393/12420 mbufs in use (current/cache/total)
1025/4215/5240/65000 mbuf clusters in use (current/cache/total/max)
1024/3456 mbuf+clusters out of packet secondary zone in use (current/cache)
0/199/199/12800 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/6400 9k jumbo clusters in use (current/cache/total/max)
0/0/0/3200 16k jumbo clusters in use (current/cache/total/max)
2306K/12074K/14381K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0/0/0 sfbufs in use (current/peak/max)
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
0 calls to protocol drain routines

Any help would be much appreciated.

Regards,
- Mike