From: Seyit Özgür
To: Chuck Swiger
Cc: freebsd-net@freebsd.org
Subject: RE: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Date: Thu, 22 Mar 2012 09:30:53 +0000
List-Id: Networking and TCP/IP with FreeBSD

I solved the problem myself.

Thanks anyway

Best regards.

Seyit Özgür
Network Administrator

-----Original Message-----
From: Chuck Swiger [mailto:cswiger@mac.com]
Sent: Thursday, March 22, 2012 2:21 AM
To: Seyit Özgür
Cc: freebsd-net@freebsd.org
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release

On Mar 21, 2012, at 7:15 AM, Seyit Özgür wrote:
> Hello chris,

I'm Chuck, but no matter.

> Here I get tcpdump with X param..
>
> First look input errors.. it's about 60 mbit/sec and much more packets
> can't process
>
>  packets  errs idrops    bytes packets  errs   bytes colls
>    36356 42777      0  7747642     243     0  263462     0
>    36732 41709      0  7681242     240     0  359432     0
[ ... ]

60 mbit/s of SYNs is a pretty significant DoS attack. You should be involving
your ISP to filter the source IPs before they hit your pipe, and probably pull
in the police and/or national CERT organization.

> Then tcpdump with X param, also I attach txt file in mail..
>
> 16:02:53.954863 IP 88.133.15.78 > x.x.x.x: tcp
>         0x0000:  4500 0050 10ba 07d0 6b06 7382 5885 0f4e  E..P....k.s.X..N
>         0x0010:  556f 065a f386 0050 45c4 8c77 9592 0241  Uo.Z...PE..w...A
>         0x0020:  00a3 3c4c b5a3 0000 8807 a83a f215 b40d  ..<L.......:....
>         0x0030:  0006 acb5 0038 8f76 afd7 3d00 0000 0000  .....8.v..=.....
>         0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................

From inspection, that looks to be a normal TCP over IPv4 SYN packet from
client port 62342 to your port 80...I didn't validate the checksums, though.

(No real point in obscuring the destination IP address, as it's in the
packets you're showing.)

Regards,
--
-Chuck
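
The header fields of the packet dumped in the thread above can be read off mechanically, including the IP header checksum. The following is an added example, not part of the original messages; the names `triage` and `ip_checksum_ok` are chosen here, and `PACKET` is the 80 bytes of the quoted hex dump.

```python
import struct

# The 80 bytes of the tcpdump -X output quoted in the thread above.
PACKET = bytes.fromhex(
    "4500005010ba07d06b06738258850f4e"
    "556f065af386005045c48c7795920241"
    "00a33c4cb5a300008807a83af215b40d"
    "0006acb500388f76afd73d0000000000"
    "00000000000000000000000000000000"
)

def ip_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the header (checksum included) must be 0xffff."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def triage(pkt: bytes) -> dict:
    """Decode the IPv4 header, then read the first payload bytes as TCP."""
    ver_ihl, _tos, total_len, _id, frag, _ttl, proto, _csum, src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "src": ".".join(map(str, src)),
        "total_len": total_len,
        "proto": proto,
        "checksum_ok": ip_checksum_ok(pkt[:ihl]),
        "more_fragments": bool(frag & 0x2000),
        "frag_offset": (frag & 0x1FFF) * 8,   # stored in 8-byte units
    }
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    flags = off_flags & 0x01FF
    info.update(sport=sport, dport=dport, tcp_data_offset=off_flags >> 12,
                syn=bool(flags & 0x02), fin=bool(flags & 0x01))
    notes = []
    if info["frag_offset"]:
        # A non-first fragment has no TCP header; TCP fields are a literal reading.
        notes.append("non-first fragment")
    if info["tcp_data_offset"] < 5:
        notes.append("TCP data offset below 5")
    if info["syn"] and info["fin"]:
        notes.append("SYN and FIN both set")
    info["notes"] = notes
    return info

if __name__ == "__main__":
    print(triage(PACKET))
```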