Date:      Thu, 22 Mar 2012 09:30:53 +0000
From:      Seyit Özgür <seyit.ozgur@istanbul.net>
To:        Chuck Swiger <cswiger@mac.com>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   RE: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Message-ID:  <3807CE6F3BF4B04EB897F4EBF2D258CE5C0651A4@yuhanna.magnetdigital.local>
In-Reply-To: <2805EAC2-BC15-4BC8-B85B-0908FCF255C5@mac.com>
References:  <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F221@yuhanna.magnetdigital.local> <38FA7BAB-AC2B-4515-85CF-27F77C3F4313@mac.com> <3807CE6F3BF4B04EB897F4EBF2D258CE5C064A80@yuhanna.magnetdigital.local> <2805EAC2-BC15-4BC8-B85B-0908FCF255C5@mac.com>


I solved the problem myself.
Thanks anyway.

Best regards.

Seyit Özgür
Network Administrator


-----Original Message-----
From: Chuck Swiger [mailto:cswiger@mac.com]
Sent: Thursday, March 22, 2012 2:21 AM
To: Seyit Özgür
Cc: freebsd-net@freebsd.org
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release

On Mar 21, 2012, at 7:15 AM, Seyit Özgür wrote:
> Hello chris,

I'm Chuck, but no matter.

> Here i get tcpdump with X param..
>
> First look input errors.. its about 60 mbit/sec and much more packets
> can't process
>
>   packets  errs idrops      bytes    packets  errs      bytes colls
>     36356 42777     0    7747642        243     0     263462     0
>     36732 41709     0    7681242        240     0     359432     0
[ ... ]

60 mbit/s of SYNs is a pretty significant DoS attack.  You should be
involving your ISP to filter the source IPs before they hit your pipe, and
probably pull in the police and/or national CERT organization.

> Then tcpdump with X param, also i attach txt file in mail..
>
> 16:02:53.954863 IP 88.133.15.78 > x.x.x.x: tcp
>        0x0000:  4500 0050 10ba 07d0 6b06 7382 5885 0f4e  E..P....k.s.X..N
>        0x0010:  556f 065a f386 0050 45c4 8c77 9592 0241  Uo.Z...PE..w...A
>        0x0020:  00a3 3c4c b5a3 0000 8807 a83a f215 b40d  ..<L.......:....
>        0x0030:  0006 acb5 0038 8f76 afd7 3d00 0000 0000  .....8.v..=.....
>        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................


From inspection, that looks to be a normal TCP over IPv4 SYN packet from
client port 62342 to your port 80...I didn't validate the checksums, though.
(No real point in obscuring the destination IP address, as it's in the
packets you're showing.)

Regards,
--
-Chuck
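
The header fields of the dump quoted above can be checked mechanically. The following is an added example, not part of the original messages: it decodes the IPv4 header, verifies the header checksum, reports the fragment fields, and reads the next 14 bytes as a TCP header. Function and key names are this example's own.

```python
import struct

# Packet bytes copied from the tcpdump -X output quoted in the message above.
DUMP_HEX = """
4500 0050 10ba 07d0 6b06 7382 5885 0f4e
556f 065a f386 0050 45c4 8c77 9592 0241
00a3 3c4c b5a3 0000 8807 a83a f215 b40d
0006 acb5 0038 8f76 afd7 3d00 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
"""
PACKET = bytes.fromhex("".join(DUMP_HEX.split()))

def checksum_ok(header: bytes) -> bool:
    """RFC 1071: a valid header, checksum field included, sums to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode(pkt: bytes) -> dict:
    """Decode the IPv4 header and read the next 14 bytes as a TCP header."""
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = (flags_frag & 0x1FFF) * 8  # field counts 8-byte units
    sport, dport, _seq, _ack, off, flags = struct.unpack(
        "!HHIIBB", pkt[ihl:ihl + 14])
    return {
        "version": ver_ihl >> 4, "header_len": ihl,
        "total_len": total_len, "captured_len": len(pkt),
        "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset_bytes": frag_offset,
        "ip_checksum_ok": checksum_ok(pkt[:ihl]),
        # Only the fragment at offset 0 carries the real TCP header.
        "first_fragment": frag_offset == 0,
        "sport": sport, "dport": dport,
        "tcp_data_offset_words": off >> 4,   # a valid TCP header needs >= 5
        "tcp_flags": flags,
    }

if __name__ == "__main__":
    for key, value in decode(PACKET).items():
        print(f"{key:22} {value}")
```

On this dump the IPv4 header checksum verifies, and the fragment-offset field is non-zero (16000 bytes), so the bytes read here as ports and flags do not sit at the start of a TCP segment.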

