From owner-freebsd-net@FreeBSD.ORG Tue Oct 2 01:04:37 2007
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0F5A216A41A for ; Tue, 2 Oct 2007 01:04:37 +0000 (UTC) (envelope-from jamie.ostrowski@gmail.com)
Received: from mu-out-0910.google.com (mu-out-0910.google.com [209.85.134.189]) by mx1.freebsd.org (Postfix) with ESMTP id A81F913C4A5 for ; Tue, 2 Oct 2007 01:04:36 +0000 (UTC) (envelope-from jamie.ostrowski@gmail.com)
Received: by mu-out-0910.google.com with SMTP id w9so4973203mue for ; Mon, 01 Oct 2007 18:04:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=1x06RQPfDE6GilzFRZvBdZAfNGwvOyxHZctIf/QpT4Y=; b=hCh5R0ItWOZB02Gkfd49/UIQDOsfZ7itSeQ9tVlGCHen0VO/hGq7Rrfo9Vr9Y/7z5ETyas6RCd0dX/DyHfaOsk7/2YNzTZtyzOoiBBXb9ZmAmAv0Nb7a5t1PZh2IQTkifaVPV8D1MF5Q39luBUsXa/PYdrpdxAbDvsC39IMICBo=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=QjzK4/gfuaR71DQVP51y5ZTnBUpzBFx1/RKS/M+U+5DKUWgmexDB1Urf//AHEo61YGRYvJ5yAp0xxnCNSuTuBCuGhfn8lf9lQTZSmtznnPr5mK705N8a9ya6CXOUJkT2wZhJkjDS6odERpVsqM1AoGO0u0G9FxuXL9epqdfTmhw=
Received: by 10.82.165.13 with SMTP id n13mr17302431bue.1191287074881; Mon, 01 Oct 2007 18:04:34 -0700 (PDT)
Received: by 10.82.161.2 with HTTP; Mon, 1 Oct 2007 18:04:34 -0700 (PDT)
Message-ID: <29ae62fc0710011804j395815ccy47951aee4e2092a6@mail.gmail.com>
Date: Mon, 1 Oct 2007 20:04:34 -0500
From: "Jamie Ostrowski"
To: "Alfred Perlstein"
In-Reply-To: <20071002000755.GQ53439@elvis.mu.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <29ae62fc0710011534u7b14d4cdp290c537b33ce79da@mail.gmail.com> <20071002000755.GQ53439@elvis.mu.org>
Cc: freebsd-net@freebsd.org
Subject: Re: Too many TIME_WAIT connections
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 02 Oct 2007 01:04:37 -0000

That's a good idea, but in this particular arrangement we've firewalled off
all other smtp connections except for a certain small range which comes
through Postini. All these connections on the machine run through the
Postini machines, so we can't firewall them off.

Any other suggestions? If not, we'll tweak msl.

On 10/1/07, Alfred Perlstein wrote:
> * Jamie Ostrowski [071001 16:02] wrote:
> > Hello -
> >
> > I've got a mailserver running FreeBSD 4.11 and Sendmail 8.13 that has
> > been running as a mailserver for a couple of years without any
> > load/connection problems. Here are my memory stats:
> > Mem: 71M Active, 265M Inact, 96M Wired, 24M Cache, 60M Buf, 36M Free
> > Swap: 2048M Total, 760K Used, 2047M Free
> >
> > Then all of a sudden we started experiencing dropped connections even though
> > the load average is generally around 2.0 or less.
> >
> > I found the problem today: there are currently 1300 socket connections
> > suspended at status TIME_WAIT on the incoming smtp port.
> >
> > I checked some of my kernel settings:
> >
> > kern.ipc.somaxconn = 128
> > net.inet.tcp.msl: 30000
> >
> > I suspect this is a dos attack: they're just opening these connections,
> > and then let them hang there and they don't close them, so they just build
> > up and the machine rejects new connections.
> >
> > Based on my configuration, does anyone have some suggestions on how I
> > might tweak the system to overcome this (apparent?) DOS attack?
>
> You can tweak msl, but it probably makes more sense to use some form
> of firewall, ipfw, ipfilter, pf, etc on the box.
>
> You can use netstat to see the remote addresses, just block them.
>
> --
> - Alfred Perlstein
>
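Added example, not code from either poster: a POSIX shell script that does the "netstat, then block the remote addresses" step Alfred suggests, with the check Jamie's situation calls for. It parses FreeBSD `netstat -an` output, counts TIME_WAIT sockets per remote peer on the SMTP port, and emits candidate `ipfw add deny` rules only for peers above a threshold and not on an allowlist (where the Postini relay addresses would go, so they are reported rather than blocked). The netstat sample is constructed from RFC 5737 documentation addresses, and the ipfw rule numbering starting at 1000 is an assumption. Two facts worth keeping in mind while reading the counts: `net.inet.tcp.msl` is in milliseconds, so the 30000 above is FreeBSD's default and a TIME_WAIT socket lingers for 2*MSL, i.e. 60 seconds; and TIME_WAIT sockets are held by whichever end sent the first FIN and do not occupy the listen backlog that `kern.ipc.somaxconn` limits, so a large TIME_WAIT count by itself is not what makes `accept()` refuse new connections.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarise TIME_WAIT sockets per
# remote peer from FreeBSD `netstat -an` output and turn the heavy hitters
# into candidate ipfw deny rules, skipping addresses on an allowlist
# (for Jamie's case: the relay addresses that must stay reachable).
# Assumes the FreeBSD netstat layout: address.port columns, state last.

# Constructed sample of `netstat -an -p tcp` output (RFC 5737 test
# addresses); it is not real data from the server in the thread.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.25.25          203.0.113.7.40211      TIME_WAIT
tcp4       0      0  192.0.2.25.25          203.0.113.7.40212      TIME_WAIT
tcp4       0      0  192.0.2.25.25          203.0.113.7.40213      TIME_WAIT
tcp4       0      0  192.0.2.25.25          198.51.100.9.51000     TIME_WAIT
tcp4       0      0  192.0.2.25.25          198.51.100.9.51001     ESTABLISHED
tcp4       0      0  192.0.2.25.22          198.51.100.200.3344    ESTABLISHED
tcp4       0      0  *.25                   *.*                    LISTEN'

# timewait_by_peer LOCAL_PORT  < netstat-output
# Prints "count peer" lines, busiest peer first, for sockets in TIME_WAIT
# on LOCAL_PORT. The peer is the foreign address with its port removed.
timewait_by_peer() {
    awk -v port="$1" '
        $NF == "TIME_WAIT" {
            n = split($4, l, ".")            # local column: a.b.c.d.port
            if (l[n] != port) next
            m = split($5, f, ".")            # foreign column: a.b.c.d.port
            peer = substr($5, 1, length($5) - length(f[m]) - 1)
            count[peer]++
        }
        END { for (p in count) print count[p], p }
    ' | sort -rn
}

# deny_rules THRESHOLD [ALLOWLIST]  < "count peer" lines
# Emits one `ipfw add deny` rule per peer holding at least THRESHOLD sockets.
# ALLOWLIST is a file with one address per line (defaults to empty); peers
# listed there are reported on stderr instead of blocked.
deny_rules() {
    threshold="$1"
    allow="${2:-/dev/null}"
    rule=1000                                # hypothetical rule numbering
    while read -r count peer; do
        [ "$count" -ge "$threshold" ] || continue
        if grep -qxF "$peer" "$allow"; then
            echo "skipping allowlisted peer $peer ($count sockets)" >&2
            continue
        fi
        echo "ipfw add $rule deny tcp from $peer to me 25"
        rule=$((rule + 1))
    done
}

# Demo on the constructed sample; on a live box replace the first command
# with: netstat -an -p tcp
printf '%s\n' "$SAMPLE_NETSTAT" | timewait_by_peer 25 | deny_rules 3
```

On the sample, `timewait_by_peer 25` reports `3 203.0.113.7` and `1 198.51.100.9`, and `deny_rules 3` prints a single rule for 203.0.113.7. The script only prints rules; review them before feeding them to `ipfw`, and put every relay address that must keep reaching port 25 in the allowlist file first, since blocking a relay is the one outcome Jamie's setup cannot afford.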