From owner-freebsd-net Thu Aug 16 6:14:21 2001
Message-ID: <3B783422.4010201@tcoip.com.br>
Date: Mon, 13 Aug 2001 17:10:10 -0300
From: "Daniel C. Sobral" <daniel.sobral@tcoip.com.br>
To: Barry Irwin
Cc: incidents@securityfocus.org, net@freebsd.org
Subject: Re: FreeBSD NATd problems
References: <20010813213216.I684@itouchlabs.com>

Do you, by any chance, have a Microsoft IIS server running?

Barry Irwin wrote:

> Hi All
>
> Just wondering if anyone else has experienced the following problem:
>
> I have a number of networks running with FreeBSD firewalls providing a
> NAT service to a number of hosts behind the wall itself. Both outgoing NAT
> and port redirection is provided. This has been running stably for over a
> year. However, in the last 10 days I have had a number of these natd
> processes suddenly bloat (looking at 48 MB upwards when they normally sit
> at around 700K-1 MB). Ping times to the firewalls (in fact, any packets
> passing through the natd process) are delayed; it seems to suffer a type of
> exponential decay, with the highest delay I have recorded being in the order
> of 240 seconds!
>
> At this kind of latency, network connectivity is non-existent. One of the
> first signs of an impending slowdown is that DNS starts timing out. The
> firewalls are running pretty standard martian filters (see
> draft-manning-dsua-03.txt) to filter out the majority of the cruft floating
> around.
>
> This has so far impacted 4.0-RELEASE, 4.1-RELEASE as well as 4.3-STABLE.
> Reviews of tcpdumps collected once slowdown has been noticed do not show any
> signs of strange activity. What I am wondering is, is there some new
> scanning/DoS tool which is causing natd to get its data structures in a
> knot, and thereby grow massively, in addition to the slowdown?
>
> Without having looked at the data structures in detail, it appears as though
> there is a long linked list that is getting exponentially grown, and
> thereby accounting for the increase in memory usage, as well as the massively
> increased latency caused by performing lookups in the data structure chain.
>
> So back to the question, has anyone else heard/experienced/seen this?
>
> Barry
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
>

--
Daniel C. Sobral (8-DCS)
Daniel.Sobral@tcoip.com.br
dcs@newsguy.com
dcs@freebsd.org
capo@notorious.bsdconspiracy.net

An exotic young lady named Suki
Once danced in a troupe of kabuki
When asked for a fuck
She said, "Solly, no luck--
See here: looky looky, no nuki "
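The symptom Barry describes (natd resident size jumping from under 1 MB to tens of megabytes, with packet latency climbing at the same time) is easy to watch for from the firewall itself. The following is an added example written for this archive page, not code from the thread or from FreeBSD; it parses constructed `ps axo pid,rss,command` output (RSS in KiB, as FreeBSD's ps reports it) and flags natd processes above a threshold, and separately checks a series of ping round-trip samples for the steadily growing delay mentioned in the report. The threshold, the sample ps lines and the RTT series are all constructed for illustration.

```python
"""Detect a bloating natd process and growing packet latency (added example, not from the thread)."""
import re
from typing import List, Tuple

# The report puts normal natd RSS at roughly 700K-1 MB and the bad state at 48 MB+.
# 16 MiB is a constructed alert threshold sitting well between the two.
RSS_ALERT_KB = 16 * 1024

# Constructed sample of `ps axo pid,rss,command` output; RSS is in KiB on FreeBSD.
SAMPLE_PS_OUTPUT = """\
  PID   RSS COMMAND
  112   876 /sbin/natd -f /etc/natd.conf -n fxp0
  113 49152 /sbin/natd -f /etc/natd.conf -n fxp1
  221  2048 /usr/sbin/sshd
"""

# Constructed ping RTTs in milliseconds, one per probe, showing the runaway growth
# pattern described in the report (each sample much larger than the previous one).
SAMPLE_RTTS_MS = [1.2, 2.9, 7.5, 19.0, 55.0, 160.0]

_PS_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.*?)\s*$")


def parse_ps(output: str) -> List[Tuple[int, int, str]]:
    """Turn `ps axo pid,rss,command` text into (pid, rss_kb, command) tuples, skipping the header."""
    rows = []
    for line in output.splitlines()[1:]:
        m = _PS_LINE.match(line)
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return rows


def bloated_natd(rows: List[Tuple[int, int, str]],
                 threshold_kb: int = RSS_ALERT_KB) -> List[Tuple[int, int]]:
    """Return (pid, rss_kb) for every natd process whose resident size is at or above the threshold."""
    hits = []
    for pid, rss_kb, cmd in rows:
        # Match on the executable name only, so arguments like "-n fxp0" do not matter.
        exe = cmd.split()[0] if cmd.split() else ""
        if exe.endswith("natd") and rss_kb >= threshold_kb:
            hits.append((pid, rss_kb))
    return hits


def latency_runaway(rtts_ms: List[float], factor: float = 2.0, min_steps: int = 3) -> bool:
    """True when the last `min_steps` RTT samples each grew by at least `factor` over the previous one.

    A single slow probe does not trigger; a sustained multiplicative climb, which is what the
    report describes, does.
    """
    if len(rtts_ms) < min_steps + 1:
        return False
    tail = rtts_ms[-(min_steps + 1):]
    return all(tail[i + 1] >= factor * tail[i] for i in range(min_steps))


if __name__ == "__main__":
    for pid, rss_kb in bloated_natd(parse_ps(SAMPLE_PS_OUTPUT)):
        print(f"natd pid {pid} resident size {rss_kb} KiB exceeds {RSS_ALERT_KB} KiB")
    if latency_runaway(SAMPLE_RTTS_MS):
        print("ping RTT is climbing multiplicatively; check NAT table growth on the firewall")
```

On a real firewall the same two functions can be fed `ps axo pid,rss,command` output and a few RTTs from `ping -c` at the interval of your choice; an alert on either condition gives warning before the 240-second delays in the report make the box unreachable for remote investigation.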