From: "Joel V."
Date: Sat, 24 Nov 2007 14:56:25 +0200
Subject: RE: Welcome to Hell / Mysterious networking troubles on FreeBSD
List-Id: Technical Discussions relating to FreeBSD

As a lot of people recommended using tcpdump, here it is.
The only thing that stands out is hundreds and thousands of lines like this:

13:45:49.991592 IP 82.165.252.222.36887 > ns1.galandrex.ee.43077: UDP, length 9216
13:45:49.996482 IP 82.165.252.222.36887 > ns1.galandrex.ee.33803: UDP, length 9216
13:45:50.001174 IP 82.165.252.222.36887 > ns1.galandrex.ee.63574: UDP, length 9216
13:45:50.005955 IP 82.165.252.222.36887 > ns1.galandrex.ee.36618: UDP, length 9216
13:45:50.010749 IP 82.165.252.222.36887 > ns1.galandrex.ee.48231: UDP, length 9216

That IP resolves to u15194704.onlinehome-server.com. Seems to be a German ISP.

After five seconds the capture.out file was already 2.8MB. You can see the file here: https://89.219.136.126/capture.out

Thank you again to all the nice people who contacted me. And again, it would be nice if you could send me a copy of your reply, because I'm not a member of the list (either reply or cc to joel@spirit.ee).

Thanks!
Joel V.

-----Original Message-----
From: Joel V. [mailto:joel@smail.ee]
Sent: Saturday, November 24, 2007 12:00 AM
To: 'freebsd-hackers@freebsd.org'
Subject: Welcome to Hell / Mysterious networking troubles on FreeBSD

Hello all,

I'm not experiencing this problem, my friend is. He's simply too pissed off to write here and I'm afraid he's going to set his office on fire if he doesn't solve the problem soon, so without further ado, here's the problem:

He has two fbsd boxes, main server running 6.1 and dns server running 4.3. He has 4 public IPs which he can use and the main server is running on x.x.x.122. His main box is NOT acting as a gateway/NAT box in the office.

Today he noticed that net is getting awfully slow. Sometimes there would be 50% pl when pinging, sometimes pinging would be all OK, but SSH is dead-slow and the webpages running on the main server are not displaying. E-mails are not going through. He calls the ISP, who say that his network is showing major uploading activity.
He switches off networking services one by one in the main box but the situation does not improve. He disconnects the main server and puts a Windows XP box instead, which seems to run fine. He puts back the FreeBSD box, disables all networking services again except for SSH and connects the network: instant 100% networking slow-down.

He tried to change the switch, thinking it's faulty. He disconnected every other computer in the office from the network: nothing. He put the public IP address on the second, internal network NIC: same thing.

Now it gets really mysterious: he puts the old dns server with the x.x.x.122 IP and instantly it becomes slow as death. The logical conclusion would be that someone is flooding that IP? Only the Windows XP box seemed to work fine and the ISP guy said it was upload bandwidth that was excessive...

Netstat -a doesn't show anything interesting, arp -a doesn't show any incomplete addresses.

He tried to build and install a new fresh kernel. Nothing.

This is the most creepy networking problem I've heard of. Can YOU help? Any ideas where to start looking?

I'm not in the freebsd-hackers list, so if you want the e-mail to reach me, send a copy to joel@spirit.ee

Thank you in advance!
Joel
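
Added example, not part of the original messages: a per-pair summary of tcpdump text output like the lines quoted in the follow-up above, giving packets, summed length, distinct destination ports and byte rate for each source/destination host pair. The function names, the thresholds and the two 192.0.2.10 lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# First five lines are the ones quoted in the message; the two 192.0.2.10
# lines are constructed here as a low-volume flow for contrast.
SAMPLE = """\
13:45:49.991592 IP 82.165.252.222.36887 > ns1.galandrex.ee.43077: UDP, length 9216
13:45:49.996482 IP 82.165.252.222.36887 > ns1.galandrex.ee.33803: UDP, length 9216
13:45:50.001174 IP 82.165.252.222.36887 > ns1.galandrex.ee.63574: UDP, length 9216
13:45:50.005955 IP 82.165.252.222.36887 > ns1.galandrex.ee.36618: UDP, length 9216
13:45:50.010749 IP 82.165.252.222.36887 > ns1.galandrex.ee.48231: UDP, length 9216
13:45:50.020000 IP 192.0.2.10.40000 > ns1.galandrex.ee.40001: UDP, length 120
13:45:51.020000 IP 192.0.2.10.40000 > ns1.galandrex.ee.40001: UDP, length 120
"""

# The greedy host group leaves the last dotted field on each side as the port.
LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)$")

def summarize(text):
    """Aggregate 'UDP, length N' lines per (source host, destination host)."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "ports": set(),
                                 "first": None, "last": None})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # anything tcpdump printed in another format is skipped
        hh, mm, ss, src, _sport, dst, dport, length = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)  # no midnight wrap handling
        f = flows[(src, dst)]
        f["packets"] += 1
        f["bytes"] += int(length)  # sum of the printed length field
        f["ports"].add(int(dport))
        f["first"] = t if f["first"] is None else f["first"]
        f["last"] = t
    return dict(flows)

def rate(flow):
    span = flow["last"] - flow["first"]  # seconds between first and last line seen
    return flow["bytes"] / span if span > 0 else 0.0

def flood_candidates(flows, min_ports=4, min_rate=1_000_000):
    """Pairs hitting many destination ports at a high byte rate (assumed thresholds)."""
    return sorted(k for k, f in flows.items()
                  if len(f["ports"]) >= min_ports and rate(f) >= min_rate)

if __name__ == "__main__":
    flows = summarize(SAMPLE)
    for src, dst in flood_candidates(flows):
        f = flows[(src, dst)]
        print(src, "->", dst, f["packets"], "pkts", f["bytes"], "bytes", len(f["ports"]), "ports")
```

On a real capture, the saved file can be rendered to text with `tcpdump -r capture.out` and passed to `summarize()`.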