From: "James Lim"
To: "Sebastiaan van Erk"
Subject: Re: rx list
Date: Wed, 6 Dec 2000 15:20:40 +0800
Sender: owner-freebsd-security@FreeBSD.ORG

Hi there,

You could try increasing the maxusers to 512 and later increase your
NMBCLUSTERS to prolly 50000. How much RAM does your machine have, as well
as the CPU speed?

Btw I was wondering whether the new accept filter helps in DoS attacks.

options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
options TCP_RESTRICT_RST #restrict emission of TCP RST
options ICMP_BANDLIM

to the newsgroup, correct me if I am wrong, thank you!

James Lim
Technical Support Executive
Pacific Internet Limited
89 Science Park Drive
#02-05/06 The Rutherford
Singapore 118261

Finger evilfry@sg.freebsd.org for PGP key.

----- Original Message -----
From: "Sebastiaan van Erk"
To:
Sent: Wednesday, December 06, 2000 3:15 PM
Subject: rx list

> Good morning everybody!!
>
> I have a question. Yesterday two production firewalls were (probably)
> attacked using a DoS attack.
>
> One of them is running 4.1.1-RELEASE, the other is running 3.4-STABLE.
>
> I get these kinds of messages in the syslog of both machines.
>
> Dec 6 00:09:43 hobbes /kernel: Out of mbuf clusters - adjust NMBCLUSTERS or increase maxusers!
> Dec 6 00:09:43 hobbes /kernel: xl2: no memory for rx list -- packet dropped!
> Dec 6 00:09:43 hobbes /kernel: xl1: no memory for rx list -- packet dropped!
>
> I checked on the net, but it seems to suggest that systems after 3.2 and 4.0
> should be safe. Also I don't see any patches.
>
> How likely is it that this is a DoS attack (note that we also get the message
> on the internal interface!)? And how do I go about fixing it? (I can increase
> maxusers and NMBCLUSTERS, but then how do I know it's not going to happen
> again?).
>
> Thanks in advance,
> Sebastiaan van Erk
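
An added example, not part of either message: one way to watch for a recurrence is to group the two kernel messages quoted above into episodes and count rx-list drops per interface. The sample log is constructed in the quoted syslog format; the function names, the fixed year and the 5-minute gap are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample, modelled on the syslog lines quoted in the message.
SAMPLE_LOG = """\
Dec 6 00:09:43 hobbes /kernel: Out of mbuf clusters - adjust NMBCLUSTERS or increase maxusers!
Dec 6 00:09:43 hobbes /kernel: xl2: no memory for rx list -- packet dropped!
Dec 6 00:09:43 hobbes /kernel: xl1: no memory for rx list -- packet dropped!
Dec 6 00:09:44 hobbes /kernel: xl2: no memory for rx list -- packet dropped!
Dec 6 00:09:44 hobbes sshd[211]: Connection from 10.0.0.5
Dec 6 03:30:02 hobbes /kernel: xl1: no memory for rx list -- packet dropped!
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) /kernel: (.*)$")
RX_DROP = re.compile(r"^([a-z]+\d+): no memory for rx list")

def parse(log, year=2000):
    """Yield (timestamp, host, kind, interface) for mbuf-related kernel lines."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a kernel message
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(3)
        drop = RX_DROP.match(msg)
        if drop:
            yield ts, m.group(2), "rx_drop", drop.group(1)
        elif msg.startswith("Out of mbuf clusters"):
            yield ts, m.group(2), "exhausted", None

def episodes(events, gap=timedelta(minutes=5)):
    """Group events into episodes separated by more than `gap` of silence."""
    out, last = [], None
    for ts, host, kind, ifname in sorted(events, key=lambda e: e[0]):
        if last is None or ts - last > gap:
            out.append({"start": ts, "end": ts, "exhausted": 0, "drops": Counter()})
        ep = out[-1]
        ep["end"] = ts
        if kind == "exhausted":
            ep["exhausted"] += 1
        else:
            ep["drops"][ifname] += 1
        last = ts
    return out

if __name__ == "__main__":
    for ep in episodes(parse(SAMPLE_LOG)):
        print(ep["start"], ep["end"], ep["exhausted"], dict(ep["drops"]))
```

The mbuf cluster pool is shared by every interface on the machine, so an episode with an exhaustion message and drops on several interfaces at once does not by itself show which side the traffic came from.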