Date: Wed, 29 Aug 2001 01:50:08 -0400 (EDT)
From: Mike Silbersack
To: Deepak Jain
Cc: "freebsd-hackers@FreeBSD. ORG"
Subject: Re: FW: Interesting Router Question

On Tue, 28 Aug 2001, Deepak Jain wrote:

> We've got a customer running a FreeBSD router with 2 x 1GE interfaces [ti0
> and ti1]. At no point was bandwidth an issue.
>
> The router was under some kind of ICMP attack:
>
> For about 30 minutes:
> icmp-response bandwidth limit 96304/200 pps ...
> icmp-response bandwidth limit 75657/20000 pps

Um, whoa! Someone on the system upped the bandwidth limit, making the problem worse.

As to what type of flood that is - you can't tell with that version of FreeBSD. It could've been a UDP or TCP flood (ACK or SYN). It actually couldn't have been an ICMP flood; that version of FreeBSD didn't limit ICMP responses. (Even though the message implies it, yes. This has been clarified in 4.3.)

> The router is a dual 600mhz PIII and had a load average of about 0.2 peak
> during the entire event, but was running out of buffer space. A ping would
> return "No buffer space available". Performance became atrocious with high
> packet loss and latency, but completely buffer related.

"No buffer space available" can also refer to the system being out of sockets as well.
From the mbuf stats you provided, it looks like you were never in trouble there. The routing table, on the other hand, might also have been filling up with cloned routes; it's hard to say.

I don't think you could have done much to improve the situation; high packet loss seems expected when you're getting bombarded with 90000 packets per second. Next time it happens you'll want to check top and see where the processor time is going.

One thing obvious here is that you're allowing outside packets to the IP stack of the router. I think it would probably be a good idea to set up ipfw to drop all packets destined for the router itself unless they're coming from known IPs. Doing this would make all of the above a non-issue.

I have no clue why adding the ICMP filter helped. Doing so should not have mattered.

Mike "Silby" Silbersack
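One way to express the ipfw suggestion from the message above, as an added example that is not part of the original e-mail. The function name `gen_rules`, the rule numbers and the sample addresses are assumptions made for illustration; the ruleset relies on ipfw's `me` keyword and adds a stateful rule so that replies to traffic the router itself originates are still accepted.

```shell
#!/bin/sh
# Added example: emit an ipfw ruleset that shields the router's own addresses.
# Rule numbers are constructed; pass the known/trusted sources as arguments.

gen_rules() {
    # Arguments: trusted source addresses (IPv4, optional /prefix).
    [ $# -gt 0 ] || { echo "need at least one trusted source" >&2; return 1; }
    # Crude character check so nothing but digits, dots and '/' can reach
    # the rule text (no spaces, semicolons or extra ipfw keywords).
    for src in "$@"; do
        case $src in
            ''|*[!0-9./]*) echo "rejecting source: $src" >&2; return 1 ;;
        esac
    done

    echo "add 100 allow ip from any to any via lo0"
    # Replies to traffic the router itself started (DNS, NTP, ...).
    echo "add 110 check-state"
    echo "add 120 allow ip from me to any keep-state"
    n=200
    for src in "$@"; do
        # Management hosts and routing-protocol peers belong here.
        echo "add $n allow ip from $src to me"
        n=$((n + 10))
    done
    # Everything else addressed to the router is dropped in the firewall,
    # so it never reaches the IP stack and triggers no RST/ICMP response.
    echo "add 1000 deny ip from any to me"
    # Transit traffic is still forwarded.
    echo "add 65000 allow ip from any to any"
}

# Print the ruleset when sources are given on the command line.
if [ $# -gt 0 ]; then gen_rules "$@"; fi
```

Run it with the trusted addresses as arguments and review the printed rules before loading them; any management host or routing peer missing from the list is cut off by rule 1000.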