From: Chuck Swiger <cswiger@mac.com>
To: Seyit Özgür
Cc: freebsd-net@freebsd.org
Date: Wed, 21 Mar 2012 17:20:32 -0700
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Message-id: <2805EAC2-BC15-4BC8-B85B-0908FCF255C5@mac.com>
In-reply-to: <3807CE6F3BF4B04EB897F4EBF2D258CE5C064A80@yuhanna.magnetdigital.local>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)
On Mar 21, 2012, at 7:15 AM, Seyit Özgür wrote:
> Hello Chris,

I'm Chuck, but no matter.

> Here I get tcpdump with X param..
>
> First look at input errors.. it's about 60 mbit/sec and many more packets can't
> be processed
>
>      packets  errs idrops      bytes    packets  errs      bytes colls
>        36356 42777     0    7747642        243     0     263462     0
>        36732 41709     0    7681242        240     0     359432     0

[ ... ]

60 mbit/s of SYNs is a pretty significant DoS attack.  You should be involving your ISP to filter the source IPs before they hit your pipe, and probably pull in the police and/or national CERT organization.

> Then tcpdump with X param, also I attach a txt file in the mail..
>
> 16:02:53.954863 IP 88.133.15.78 > x.x.x.x: tcp
>   0x0000:  4500 0050 10ba 07d0 6b06 7382 5885 0f4e  E..P....k.s.X..N
>   0x0010:  556f 065a f386 0050 45c4 8c77 9592 0241  Uo.Z...PE..w...A
>   0x0020:  00a3 3c4c b5a3 0000 8807 a83a f215 b40d  ..<L.......:....
>   0x0030:  0006 acb5 0038 8f76 afd7 3d00 0000 0000  .....8.v..=.....
>   0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................

From inspection, that looks to be a normal TCP over IPv4 SYN packet from client port 62342 to your port 80...I didn't validate the checksums, though.  (No real point in obscuring the destination IP address, as it's in the packets you're showing.)

Regards,
-- 
-Chuck
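As an added example (not part of the thread, and not code from FreeBSD or from either poster): a small Python decoder that rebuilds the packet from the five tcpdump -X lines quoted above, verifies the IPv4 header checksum that Chuck says he did not check, and reports the IPv4 fields together with a TCP-header reading of the bytes that follow the IP header. The only input is the thread's own dump, transcribed inline; every field name is this example's own.

```python
import struct

# Constructed input: the five tcpdump -X lines quoted in the thread, copied
# as-is. Only the hex columns are consumed; the ASCII column is ignored.
DUMP = """\
0x0000:  4500 0050 10ba 07d0 6b06 7382 5885 0f4e  E..P....k.s.X..N
0x0010:  556f 065a f386 0050 45c4 8c77 9592 0241  Uo.Z...PE..w...A
0x0020:  00a3 3c4c b5a3 0000 8807 a83a f215 b40d  ..<L.......:....
0x0030:  0006 acb5 0038 8f76 afd7 3d00 0000 0000  .....8.v..=.....
0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
"""

TCP_FLAG_BITS = [(0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
                 (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


def parse_hexdump(text):
    """Rebuild raw bytes from tcpdump -X output.

    Each line is '0xNNNN:' followed by up to eight 4-hex-digit groups and an
    ASCII column; groups are consumed until the count reaches eight or a token
    that is not four hex digits (the ASCII column) is met.
    """
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        taken = 0
        for tok in line.split(":", 1)[1].split():
            if taken == 8 or len(tok) != 4 or any(c not in "0123456789abcdefABCDEF" for c in tok):
                break
            out += bytes.fromhex(tok)
            taken += 1
    return bytes(out)


def ipv4_header_checksum(header):
    """RFC 791 one's-complement sum over the header with the checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(zeroed) // 2), zeroed))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4(pkt):
    """Fixed part of the IPv4 header; frag_offset is converted to bytes."""
    vihl, _tos, total_len, ident, frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (vihl & 0x0F) * 4
    return {
        "version": vihl >> 4,
        "ihl": ihl,
        "total_length": total_len,
        "id": ident,
        "flags": frag >> 13,                  # reserved bit, DF, MF
        "frag_offset": (frag & 0x1FFF) * 8,   # nonzero means this is not the first fragment
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": ipv4_header_checksum(pkt[:ihl]) == csum,
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
    }


def decode_tcp_view(seg):
    """Read 20 bytes as a TCP header, whether or not the IP layer says they are one."""
    sport, dport, seq, ack, off_flags, window, _csum, _urgp = struct.unpack("!HHIIHHHH", seg[:20])
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": (off_flags >> 12) * 4,  # header length in bytes; 20 is the legal minimum
        "flags": [name for bit, name in TCP_FLAG_BITS if off_flags & bit],
        "window": window,
    }


def analyse(text):
    """Decode one tcpdump -X packet into IPv4 fields plus a TCP-header view of its payload."""
    pkt = parse_hexdump(text)
    ip = decode_ipv4(pkt)
    ip["length_matches"] = ip["total_length"] == len(pkt)
    ip["first_fragment"] = ip["frag_offset"] == 0
    return {"ip": ip, "tcp_view": decode_tcp_view(pkt[ip["ihl"]:])}


if __name__ == "__main__":
    for layer, fields in analyse(DUMP).items():
        print(layer)
        for key, value in fields.items():
            print("  %-16s %s" % (key, value))
```

Run against the dump above it reports that the IPv4 header checksum verifies, that the total-length field matches the 80 bytes captured, and that the fragment-offset field is 0x7d0, i.e. 16000 bytes, so the IP header marks the datagram as a non-initial fragment; tcpdump does not decode a transport header on a fragment with a nonzero offset, which fits the bare "tcp" on the summary line. Read as a TCP header regardless, the bytes after the IP header give ports 62342 to 80 with a data offset of 0 and the CWR, URG, SYN and FIN bits set. The same script is useful whenever a by-eye reading of a dump and the stack's behaviour disagree: feed it the packet and compare field by field.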