Date:      Wed, 21 Mar 2012 17:20:32 -0700
From:      Chuck Swiger <cswiger@mac.com>
To:        Seyit Özgür <seyit.ozgur@istanbul.net>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Message-ID:  <2805EAC2-BC15-4BC8-B85B-0908FCF255C5@mac.com>
In-Reply-To: <3807CE6F3BF4B04EB897F4EBF2D258CE5C064A80@yuhanna.magnetdigital.local>
References:  <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F221@yuhanna.magnetdigital.local> <38FA7BAB-AC2B-4515-85CF-27F77C3F4313@mac.com> <3807CE6F3BF4B04EB897F4EBF2D258CE5C064A80@yuhanna.magnetdigital.local>

On Mar 21, 2012, at 7:15 AM, Seyit Özgür wrote:
> Hello chris,

I'm Chuck, but no matter.

> Here I get tcpdump with X param..
>
> First look input errors.. it's about 60 mbit/sec and many more packets can't
> be processed
>
>   packets  errs idrops      bytes    packets  errs      bytes colls
>     36356 42777     0    7747642        243     0     263462     0
>     36732 41709     0    7681242        240     0     359432     0
[ ... ]

60 mbit/s of SYNs is a pretty significant DoS attack.  You should be
involving your ISP to filter the source IPs before they hit your pipe,
and probably pull in the police and/or national CERT organization.

> Then tcpdump with X param, also I attach txt file in mail..
>
> 16:02:53.954863 IP 88.133.15.78 > x.x.x.x: tcp
>        0x0000:  4500 0050 10ba 07d0 6b06 7382 5885 0f4e  E..P....k.s.X..N
>        0x0010:  556f 065a f386 0050 45c4 8c77 9592 0241  Uo.Z...PE..w...A
>        0x0020:  00a3 3c4c b5a3 0000 8807 a83a f215 b40d  ..<L.......:....
>        0x0030:  0006 acb5 0038 8f76 afd7 3d00 0000 0000  .....8.v..=.....
>        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................


From inspection, that looks to be a normal TCP over IPv4 SYN packet
from client port 62342 to your port 80...I didn't validate the
checksums, though.  (No real point in obscuring the destination IP
address, as it's in the packets you're showing.)

Regards,
-- 
-Chuck
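Decoding the quoted `tcpdump -X` dump programmatically, as an added example that is not part of the thread: the script parses the IPv4 header, reads the same port fields that were read by eye above, validates the IP and TCP checksums the reply says were not checked, and reports the fragment offset, TCP data offset and flag bits that a SYN sanity check needs. It uses only the Python 3 standard library; the `plain_syn` rule is the example's own definition.

```python
import struct
from typing import Any, Dict

# The 80 bytes of the tcpdump -X dump quoted in the message above, nothing added.
PACKET_HEX = (
    "4500 0050 10ba 07d0 6b06 7382 5885 0f4e "
    "556f 065a f386 0050 45c4 8c77 9592 0241 "
    "00a3 3c4c b5a3 0000 8807 a83a f215 b40d "
    "0006 acb5 0038 8f76 afd7 3d00 0000 0000 "
    "0000 0000 0000 0000 0000 0000 0000 0000"
)
PACKET = bytes.fromhex(PACKET_HEX)
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]  # bit 0 .. bit 8

def rfc1071_sum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); a valid checksummed block sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def decode(pkt: bytes) -> Dict[str, Any]:
    """Decode the IPv4 header and the bytes after it, and validate both checksums."""
    ver_ihl, _tos, total_len, _ident, ff, ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    r: Dict[str, Any] = {
        "version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000),
        "frag_offset": (ff & 0x1FFF) * 8,            # fragment offset in bytes
        "ip_checksum_ok": rfc1071_sum(pkt[:ihl]) == 0xFFFF,
    }
    # With a non-zero fragment offset the bytes after the IP header are a slice of the
    # transport payload, not a TCP header. They are decoded anyway so the numbers can be
    # compared with a by-eye reading, but ports and flags from a later fragment mean nothing.
    seg = pkt[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    r.update(sport=sport, dport=dport, data_offset=(off_flags >> 12) * 4,
             flags=[n for i, n in enumerate(FLAG_NAMES) if off_flags & (1 << i)])
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, len(seg))   # TCP pseudo-header
    r["tcp_checksum_ok"] = rfc1071_sum(pseudo + seg) == 0xFFFF
    # Example's own rule for an ordinary SYN: unfragmented, sane data offset, only SYN set.
    r["plain_syn"] = (r["frag_offset"] == 0 and not r["mf"]
                      and r["data_offset"] >= 20 and r["flags"] == ["SYN"])
    return r

if __name__ == "__main__":
    for key, value in decode(PACKET).items():
        print(f"{key:>15}: {value}")
```

The IP header checksum verifies, so the fragment offset, data offset and flag byte it reports are what the sender put on the wire rather than capture damage.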