From: Kris Kennaway
To: Doug White
Cc: freebsd-stable@freebsd.org, Zoltan Frombach, simon@FreeBSD.org
Date: Wed, 17 Nov 2004 19:31:56 -0800
Subject: Re: sshd stops accepting connections
Message-ID: <20041118033156.GA37856@xor.obsecurity.org>

On Wed, Nov 17, 2004 at 07:19:21PM -0800, Doug White wrote:

> This is the kicker -- sshd couldn't fork because something went berserk.
>
> > Nov 11 13:49:54 www kernel: Limiting closed port RST response from 212 to
> > 200 packets/sec
>
> This looks a lot like a SYN flood on some daemon that fork()s each
> connection but doesn't have any limits.
>
> The disk error could certainly be related, although I'm not sure
> why it would cause something to spike up and hit maxproc.

Often the processes running on the machine will block while waiting
for the disk to time out (i.e. if they're also attempting to use the
disk, typical for a webserver). If the machine is reasonably busy,
there could be a lot of pending connections that are suddenly
processed when the drive resets.

Kris