Date: Mon, 27 Mar 2006 12:24:05 -0300 From: "Luiz Eduardo Guida Valmont" <legvalmont@gmail.com> To: freebsd-questions@freebsd.org Subject: Re: filling up UDP socket buffers like mad Message-ID: <97be9bec0603270724ie37405ei70cfa544ef84d31b@mail.gmail.com> In-Reply-To: <20060327145102.GA57216@bewilderbeast.blackhelicopters.org> References: <20060324211741.GA40819@bewilderbeast.blackhelicopters.org> <83E0BC22-BFFA-47EE-88DA-D6A5D1862081@mac.com> <20060327145102.GA57216@bewilderbeast.blackhelicopters.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Could it be that you're under a DOS attack even though you're "behind three layers of firewall"? =/ Try configuring a firewall to block every UDP packet for every port except those needed by the services you run. On 3/27/06, Michael W. Lucas <mwlucas@blackhelicopters.org> wrote: > On Fri, Mar 24, 2006 at 06:03:47PM -0500, Charles Swiger wrote: > > On Mar 24, 2006, at 4:17 PM, Michael W. Lucas wrote: > > >Running FreeBSD 6.1-PRERELEASE as a DNS, dhcp, and syslog server. > > > > > >I'm having trouble with DNS, DHCP, and syslogd locking up, and I think > > >I've found what they all share in common. > > > > > >During the lockups, the box starts dropping UDP due to full socket > > >buffers. I have a dumb little script to capture the rate of drops > > >over 5 seconds, and it's about 45 a second. > > > > > >168725 dropped due to full socket buffers > > >168958 dropped due to full socket buffers > > > > There is generally a cause behind the socket buffers filling up, > > whether that is some form of livelock due to an OS problem or a > > misconfiguration with a firewall/dummynet setup. You could look at > > the output of "netstat -a(n)" for insight as to where the packets are > > being queued up, but "netstat -s" would be useful to show to us as well. > > Thanks. I think you've shown me how to find the problem: > > # netstat -na > ... > udp4 0 0 127.0.0.1.57058 127.0.0.1.53 > udp4 0 0 127.0.0.1.61259 127.0.0.1.53 > udp4 0 0 127.0.0.1.54240 127.0.0.1.53 > udp4 0 0 127.0.0.1.52997 127.0.0.1.53 > udp4 0 0 *.67 *.* > udp4 43414 0 *.514 *.* > udp4 0 0 *.49661 *.* > ... > > We have no firewall on this machine; it's buried behind three layers > of firewall. > > I've tried running syslogd in debug mode, but not found anything > particularly useful yet. Syslogd is now set to restart every 15 > minutes, and run in debug mode, so hopefully the next time this > happens I'll have the debugging output. The problem happens even > within fifteen minutes, but because of my timeouts nobody notices. > > I'm attaching the output of netstat -na and netstat -s for general > informative purposes; if anyone has any further suggestions, I'm all > ears. > > Thanks, > ==ml > > -- > Michael W. Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org > http://www.BlackHelicopters.org/~mwlucas/ > > "The cloak of anonymity protects me from the nuisance of caring." -Non > Sequitur > > > > > > -- []'s, Luiz Eduardo
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?97be9bec0603270724ie37405ei70cfa544ef84d31b>