From owner-freebsd-ipfw Tue Feb 11 4:32:34 2003
Date: Tue, 11 Feb 2003 13:32:26 +0100
From: Georg Graf
To: ipfw@FreeBSD.ORG
Subject: Re: Static NAT
Message-ID: <20030211123226.GA29498@graf.priv.at>
References: <3D9865DB.5040902@tcoip.com.br> <20021001055502.GC79303@blossom.cjclark.org> <3D998142.8070005@tcoip.com.br> <20021001174546.GB81932@blossom.cjclark.org> <3D99EEBE.2010403@tcoip.com.br> <20021001195258.GB82099@blossom.cjclark.org> <3D9A00A1.2070809@tcoip.com.br>
In-Reply-To: <3D9A00A1.2070809@tcoip.com.br>

Sorry for my late reply:

On Tue, Oct 01, 2002 at 05:08:01PM -0300, you wrote:
[...]
> The attack is a SYN flood. Nothing is affected by the attack except
> natd. The symptom with NAT is packet loss (i.e., packets that enter from one
> interface do not exit through the other if they happen to go through
> natd). Restarting natd eliminates the symptom immediately on start (and
> then the flood gets to it again).
> netstat -m shows mbuf clusters peak
> equal to maximum, and some hundreds of thousands (maybe more, I don't
> recall the exact order, but at least that much) of requests for memory
> denied. On syslog, there are messages of packets dropped because of lack
> of mbuf clusters.

If the SYN flood comes from the NATed network, it is clear that natd is eating up memory. If you use natd "reverse", then you can be DoSed by getting SYN-flooded from the internet, because every single SYN packet adds an entry in natd's table, at least that's the way I understand this. Were you using reverse NAT in October?

--
Georg Graf http://georg.graf.priv.at/ PGP Key ID: 0xA5232AD5
Gobergasse 43/2 A-1130 Wien Tel: +43 1 8796723

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
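The following is an added illustration, not part of the thread and not natd's own code: a toy model of a NAT translation table that shows the distinction Georg's reply draws. With ordinary (forward) NAT only packets leaving the inside network create state, so inbound SYNs from spoofed sources find no mapping and consume nothing. With a static inbound redirect ("reverse" NAT) every inbound SYN to the redirected port creates a new entry, so a flood with many distinct spoofed sources fills the table until new entries are refused, and clearing the table (the "restart natd" effect) empties it only until the next burst. The entry cap, the per-entry timeout, the `Packet`/`NatTable` names and the spoofed source addresses are all assumptions made for the example; real natd behaviour and limits are not modelled.

```python
"""Toy model of NAT state growth under a SYN flood (added example, not natd code).

Assumptions (not from the original thread): a hard cap on table entries standing
in for exhausted mbuf clusters, a fixed lifetime for half-open entries, and a
simplified 4-tuple key. Addresses used for the flood are spoofed test values.
"""
from dataclasses import dataclass

MAX_ENTRIES = 10_000     # assumed cap, stands in for available mbuf clusters
ENTRY_TIMEOUT = 60.0     # assumed seconds a SYN-only (embryonic) entry lives


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True


class NatTable:
    def __init__(self, max_entries=MAX_ENTRIES, timeout=ENTRY_TIMEOUT):
        self.entries = {}        # (src, sport, dst, dport) -> expiry time
        self.max_entries = max_entries
        self.timeout = timeout
        self.exhausted = 0       # packets refused because the table was full
        self.unmapped = 0        # inbound packets with no matching state

    def _key(self, pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def _add(self, key, now):
        """Create or refresh an entry; refuse when the cap is reached."""
        if key in self.entries:
            self.entries[key] = now + self.timeout
            return True
        if len(self.entries) >= self.max_entries:
            self.exhausted += 1
            return False
        self.entries[key] = now + self.timeout
        return True

    def outbound(self, pkt, now):
        """Forward NAT: a packet from the inside always creates/refreshes state."""
        return self._add(self._key(pkt), now)

    def inbound(self, pkt, now, redirect_ports=frozenset()):
        """Inbound packet: creates state only for a static redirect (reverse NAT)."""
        key = self._key(pkt)
        if pkt.dport in redirect_ports:
            return self._add(key, now)          # every inbound SYN adds an entry
        if key in self.entries:
            self.entries[key] = now + self.timeout
            return True
        self.unmapped += 1                      # no mapping: nothing consumed
        return False

    def expire(self, now):
        """Drop entries whose lifetime has passed."""
        self.entries = {k: t for k, t in self.entries.items() if t > now}

    def restart(self):
        """Model restarting natd: all state is gone, counters are kept."""
        self.entries.clear()


def spoofed_syn(i, dst="192.0.2.10", dport=80):
    """Deterministic spoofed source for the i-th flood packet (test values)."""
    src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
    return Packet(src=src, sport=1024 + i % 60000, dst=dst, dport=dport)


def syn_flood(table, count, redirect_ports=frozenset(), now=0.0):
    """Deliver `count` inbound SYNs from distinct spoofed sources at time `now`.

    Returns (entries in table, packets refused because the table was full).
    """
    for i in range(count):
        table.inbound(spoofed_syn(i), now, redirect_ports)
    return len(table.entries), table.exhausted


if __name__ == "__main__":
    forward = NatTable()
    print("forward NAT   :", syn_flood(forward, 20_000))
    reverse = NatTable()
    print("reverse NAT   :", syn_flood(reverse, 20_000, redirect_ports={80}))
    reverse.restart()
    print("after restart :", len(reverse.entries), "entries")
    print("next burst    :", syn_flood(reverse, 20_000, redirect_ports={80}))
```

Run stand-alone it prints the two cases side by side: the forward table stays empty while the redirect table saturates at the cap and refuses the rest, and a restart only buys time until the flood refills it. The per-entry timeout is what bounds memory in steady state; a flood that arrives faster than entries age out still wins, which is why a real deployment needs a timeout short enough for the expected SYN rate or a filter in front of the redirect.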