From: "Konrad Rzadzinski"
To: "Barry Irwin"
References: <20010813213216.I684@itouchlabs.com>
Subject: Re: FreeBSD NATd problems
Date: Tue, 14 Aug 2001 10:43:39 +0200

From: "Barry Irwin"

: Just wondering if anyone else has experienced the following problem:

Yup. FreeBSD 4.3.

: I have a number of networks running with FreeBSD firewalls providing a
: nat service to a number of hosts behind the wall itself. Both outgoing nat,
: and port_redirection is provided. This has been running stably for over a
: year. However in the last 10 days I have had a number of these natd
: processes suddenly bloat ( looking at 48Megs upwards when they normally sit
: at around 700K-1Meg. Ping times to the firewalls ( in fact any packets
: passing through the natd process are delayed, it seems to suffer a type of
: exponential decay, with the highest delay I have recorded being in the order
: of 240 seconds!

Same kind of things. CPU loss, network congestion.

: This has so far impacted 4.0-Release, 4.1-RELEASE as well as 4.3-STABLE.
: Reviews of tcpdumps collected once slowdown has been noticed do not show any
: signs of strange activity. What I am wondering is, is there some new
: Scanning /DoS tool, which is causing natd to get its data structures in a
: knot, and thereby grow massively, in addition to the slowdown.

CodeRed, in my case. One machine (Win2000, IIS) had port 80 redirected to
'the world', got caught by this worm, infected other machines. Natd took 99%
CPU time, pings were dramatically long. Cleaning infected machines (only 9 of
them) helped. Now natd takes 0.1% CPU, pings are < 1 ms. As it should be :)

Hope it helps.

--
Konrad
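As an added, defender-side example (not code from the thread or from FreeBSD), here is the check Konrad's diagnosis suggests: a worm-infected host behind the NAT shows up in a tcpdump as one internal address sending SYNs to a large number of distinct external hosts on port 80, and each such attempt is a separate natd alias entry, which is what makes the process grow. The script parses constructed tcpdump-style lines (the line format, addresses and the threshold of 50 distinct targets are all assumptions) and reports internal hosts whose port-80 fan-out crosses the threshold, along with the number of distinct alias links the sample would have created.

```python
import re
from collections import defaultdict

# Constructed sample, not a real capture: one internal host (.23) sweeps 400
# distinct external hosts on port 80; another (.50) makes a few normal connections.
SAMPLE = "\n".join(
    [f"10:40:{i % 60:02d}.000000 192.168.1.23.{1024 + i} > 64.12.{i // 256}.{i % 256}.80: S 1:1(0) win 8192"
     for i in range(400)]
    + [f"10:41:00.000000 192.168.1.50.{2000 + i} > 66.102.7.{i}.80: S 1:1(0) win 8192"
       for i in range(3)]
    + ["10:41:05.000000 192.168.1.50.2100 > 66.102.7.1.443: S 1:1(0) win 8192"]
)

# Assumed line shape: "<time> <src>.<sport> > <dst>.<dport>: S ..." (SYN only).
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+S\b"
)


def syn_fanout(text, dport=80):
    """Return (src -> set of distinct dst hosts SYN'd on dport, number of distinct
    (src, sport, dst, dport) tuples). Each tuple is one alias link natd must track."""
    fanout = defaultdict(set)
    links = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != dport:
            continue
        fanout[m["src"]].add(m["dst"])
        links.add((m["src"], m["sport"], m["dst"], m["dport"]))
    return fanout, len(links)


def suspected_scanners(text, dport=80, threshold=50):
    """Internal hosts whose distinct-target count on dport reaches the threshold,
    plus the alias-link count that explains the natd table growth."""
    fanout, nlinks = syn_fanout(text, dport)
    flagged = sorted(src for src, dsts in fanout.items() if len(dsts) >= threshold)
    return flagged, nlinks


if __name__ == "__main__":
    hosts, nlinks = suspected_scanners(SAMPLE)
    print(f"{nlinks} port-80 alias links in sample; suspected scanners: {hosts}")
```

Run it against a real `tcpdump -n` capture by feeding the text in place of SAMPLE; a single internal address accounting for hundreds of links is the host to clean first.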