Date: Wed, 6 Dec 2000 08:15:49 +0100
From: Sebastiaan van Erk
To: freebsd-security@freebsd.org
Subject: rx list
Message-ID: <20001206081549.A49341@sebster.com>

Good morning everybody!!

I have a question. Yesterday two production firewalls were (probably) attacked using a DoS attack. One of them is running 4.1.1-RELEASE, the other is running 3.4-STABLE. I get these kinds of messages in the syslog of both machines.

Dec 6 00:09:43 hobbes /kernel: Out of mbuf clusters - adjust NMBCLUSTERS or increase maxusers!
Dec 6 00:09:43 hobbes /kernel: xl2: no memory for rx list -- packet dropped!
Dec 6 00:09:43 hobbes /kernel: xl1: no memory for rx list -- packet dropped!

I checked on the net, but it seems to suggest that systems after 3.2 and 4.0 should be safe. Also I don't see any patches.

How likely is it that this is a DoS attack (note that we also get the message on the internal interface!)? And how do I go about fixing it? (I can increase maxusers and NMBCLUSTERS, but then how do I know it's not going to happen again?).

Thanks in advance,
Sebastiaan van Erk