From: "Kip Macy" <kip.macy@gmail.com>
To: "Jamie Ostrowski"
Cc: freebsd-net@freebsd.org, Alfred Perlstein
Date: Mon, 1 Oct 2007 18:06:32 -0700
Subject: Re: Too many TIME_WAIT connections
List-Id: Networking and TCP/IP with FreeBSD
In-Reply-To: <29ae62fc0710011804j395815ccy47951aee4e2092a6@mail.gmail.com>
References: <29ae62fc0710011534u7b14d4cdp290c537b33ce79da@mail.gmail.com>
 <20071002000755.GQ53439@elvis.mu.org>
 <29ae62fc0710011804j395815ccy47951aee4e2092a6@mail.gmail.com>

On 10/1/07, Jamie Ostrowski wrote:
> That's a good idea, but in this particular arrangement we've
> firewalled off all other smtp connections except for a certain small
> range which comes through Postini. All these connections on the
> machine run through the Postini machines, so we can't firewall them
> off.

If all your connections are local you can safely reduce the MSL.

-Kip

> Any other suggestions? If not, we'll tweak msl.
>
> On 10/1/07, Alfred Perlstein wrote:
> > * Jamie Ostrowski [071001 16:02] wrote:
> > > Hello -
> > >
> > > I've got a mailserver running FreeBSD 4.11 and Sendmail 8.13 that has
> > > been running as a mailserver for a couple of years without any
> > > load/connection problems. Here are my memory stats:
> > >
> > > Mem: 71M Active, 265M Inact, 96M Wired, 24M Cache, 60M Buf, 36M Free
> > > Swap: 2048M Total, 760K Used, 2047M Free
> > >
> > > Then all of a sudden we started experiencing dropped connections even
> > > though the load average is generally around 2.0 or less.
> > >
> > > I found the problem today: there are currently 1300 socket connections
> > > suspended at status TIME_WAIT on the incoming smtp port.
> > >
> > > I checked some of my kernel settings:
> > >
> > > kern.ipc.somaxconn = 128
> > > net.inet.tcp.msl: 30000
> > >
> > > I suspect this is a dos attack: they're just opening these connections,
> > > and then letting them hang there without closing them, so they just
> > > build up and the machine rejects new connections.
> > >
> > > Based on my configuration, does anyone have some suggestions on how I
> > > might tweak the system to overcome this (apparent?) DOS attack?
> >
> > You can tweak msl, but it probably makes more sense to use some form
> > of firewall, ipfw, ipfilter, pf, etc on the box.
> >
> > You can use netstat to see the remote addresses, just block them.
> >
> > --
> > - Alfred Perlstein
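Alfred's suggestion is to look at the remote addresses with netstat before deciding what, if anything, to block; Kip's is to shorten the MSL only when the peers are known and local. The script below is an added example, not code from anyone in this thread: it parses the TCP lines of `netstat -an` output (FreeBSD's `address.port` column layout), counts TIME_WAIT sockets per remote address on a chosen local port, and lists the peers above a threshold, so the 1300 sockets described above can be attributed to hosts before any firewall rule is written. The netstat lines it runs on are constructed sample data, and the function names and threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): attribute TIME_WAIT sockets in
# `netstat -an` output to remote addresses, so the "see the remote
# addresses" step can be done by count rather than by eye. Read-only:
# it prints a summary and changes no firewall or sysctl state.

# Constructed sample of `netstat -an` TCP lines in FreeBSD 4.x layout:
# Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
SAMPLE_NETSTAT='tcp4       0      0  192.0.2.10.25          198.51.100.7.40112     TIME_WAIT
tcp4       0      0  192.0.2.10.25          198.51.100.7.40113     TIME_WAIT
tcp4       0      0  192.0.2.10.25          198.51.100.7.40114     TIME_WAIT
tcp4       0      0  192.0.2.10.25          203.0.113.5.51000      TIME_WAIT
tcp4       0      0  192.0.2.10.25          203.0.113.5.51001      ESTABLISHED
tcp4       0      0  192.0.2.10.22          203.0.113.9.60000      ESTABLISHED
tcp4       0      0  *.25                   *.*                    LISTEN'

# time_wait_by_peer PORT  (reads netstat output on stdin)
# Prints "count address" for every remote IP that has sockets in TIME_WAIT
# against local port PORT, highest count first. Both address columns carry
# the port as a trailing ".port" suffix, so it is split off at the last dot.
time_wait_by_peer() {
    port="$1"
    awk -v port="$port" '
        $1 ~ /^tcp/ && $6 == "TIME_WAIT" {
            lp = $4; sub(/.*\./, "", lp)          # local port: text after last "."
            if (lp != port) next
            peer = $5; sub(/\.[^.]*$/, "", peer)  # drop the remote port suffix
            n[peer]++
        }
        END { for (p in n) print n[p], p }
    ' | sort -rn
}

# peers_over THRESHOLD PORT  (reads netstat output on stdin)
# Lists only remote addresses with more than THRESHOLD TIME_WAIT sockets;
# the threshold is a hypothetical value to be set from the host's normal load.
peers_over() {
    threshold="$1"; port="$2"
    time_wait_by_peer "$port" | awk -v t="$threshold" '$1 + 0 > t + 0 { print $2 }'
}

# Run on the constructed sample (replace with:  netstat -an | time_wait_by_peer 25)
printf '%s\n' "$SAMPLE_NETSTAT" | time_wait_by_peer 25
printf '%s\n' "$SAMPLE_NETSTAT" | peers_over 2 25
```

On the sample this reports three TIME_WAIT sockets from 198.51.100.7 and one from 203.0.113.5 on port 25, and only the first address exceeds a threshold of 2. The MSL knob Kip refers to is the sysctl already quoted in the thread, net.inet.tcp.msl (milliseconds; a socket stays in TIME_WAIT for twice that value), which is why his caveat about local peers matters: a shorter MSL trades TIME_WAIT residency for less protection against delayed segments from distant hosts.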