Hi there,

I have some DDOS(?) attack on my router going where my apache HTTP server is flooded with short-timed connections from some host. This results in LOTS of sockets in TIME_WAIT/LAST_ACK/CLOSING states and eventually I'm out of mbufs, which, consequently, means I can't even connect to the router from LAN. The kern.ipc.nmbclusters is 2560, (I guess high enough for router with DSL connection).

After some time all mbufs are depleted (system says "All mbuf cluster exhausted"). However, unexpectedly the system panics shortly in about 10 minutes (+/-) with:

/kernel: All mbuf cluster exhausted, please see tuning(7)
/kernel: looutput: mbuf allocation failed
/kernel: panic: sbappendaddr
/kernel:
/kernel: syncing disks....
.
.

I don't think this behaviour (a panic) is normal. This crash happens often when I'm under such attack and I guess I can easily give crash dump, kgdb output or something like, if you need.

System is running 4.8-RELEASE, on iPentium166/mmx with 64MB of RAM. 4 NICs, BRIDGE on two of them.

Thanks for any response..

P.S. (is there some sysctl oid for setting TIME_WAIT duration?)

--
Saulius Menkevicius, razzmatazz@mail.lt on 05.20.2003
On Tue, 20 May 2003, Saulius Menkevičius wrote:

> I have some DDOS(?) attack on my router going where my apache HTTP
> server is flooded with short-timed connections from some host. This
> results in LOTS of sockets in TIME_WAIT/LAST_ACK/CLOSING states and
> eventually I'm out of mbufs, which, consequently means I can't even
> connect to the router from LAN. The kern.ipc.nmbclusters is 2560, (I
> guess high enough for router with DSL connection).

TIME_WAIT is normal for a server. LAST_ACK/CLOSING looks like packet loss. Is your outbound link overloaded normally, or from the DoS? Can you block the host? :)

> After some time all mbufs are depleted (system says "All mbuf
> cluster exhausted"). However, unexpectedly the system panics shortly
> in about 10 minutes (+/-) with:

Then increase the mbufs & clusters. Did you read the tuning man page?

--
Doug White                    | FreeBSD: The Power to Serve
dwhite@gumbysoft.com          | www.FreeBSD.org
Hello, Saulius!

You wrote to <freebsd-stable@freebsd.org> on Tue, 20 May 2003 22:33:47 +0200:

 SMi> P.S. (is there some sysctl oid for setting TIME_WAIT duration?)

"TIME_WAIT duration" = 2 * `sysctl -n net.inet.tcp.msl`

The default MSL (maximum segment lifetime) for BSD systems = 30 sec.

--
With best regards, Maksym Shevchenko.
E-mail: r0land@r0land.kiev.ua
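A quick way to check on a host like the one in this thread what the replies above describe, as an added example that is not code from any of the posters: count TCP socket states from `netstat -an` output and estimate the TIME_WAIT backlog that a stream of short-lived connections leaves behind, using TIME_WAIT = 2 * MSL. It assumes the FreeBSD `netstat -an` column layout (Proto Recv-Q Send-Q Local Foreign (state)) and that net.inet.tcp.msl is read in milliseconds (30000 for the 30 s default); the sample netstat output is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarise TCP socket states from
# `netstat -an` output and estimate the TIME_WAIT backlog that short-lived
# connections leave behind (TIME_WAIT = 2 * MSL, as the reply above says).
# Assumes the FreeBSD netstat -an column layout; the sample is constructed.

# count_state STATE  (netstat -an output on stdin) -> number of TCP sockets
# in that state, 0 when none; the /^tcp/ match skips header and udp lines
count_state() {
    awk -v st="$1" '$1 ~ /^tcp/ && $6 == st { n++ } END { print n + 0 }'
}

# time_wait_seconds MSL_MS -> seconds a closed connection lingers in TIME_WAIT;
# net.inet.tcp.msl is in milliseconds (30000 by default, i.e. the 30 s above)
time_wait_seconds() {
    echo $(( 2 * $1 / 1000 ))
}

# expected_time_wait CONNS_PER_SEC MSL_MS -> steady-state TIME_WAIT sockets
# when this host closes every connection (arrival rate * lingering time)
expected_time_wait() {
    echo $(( $1 * $(time_wait_seconds "$2") ))
}

# Constructed sample in `netstat -an` format (pipe the real command on a live host)
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.80          198.51.100.7.40001     TIME_WAIT
tcp4       0      0  192.0.2.10.80          198.51.100.7.40002     TIME_WAIT
tcp4       0      0  192.0.2.10.80          198.51.100.7.40003     LAST_ACK
tcp4       0      0  192.0.2.10.80          198.51.100.7.40004     CLOSING
tcp4       0      0  192.0.2.10.80          198.51.100.7.40005     TIME_WAIT
tcp4       0      0  *.80                   *.*                    LISTEN
udp4       0      0  *.514                  *.*'

# report_states (netstat output on stdin) -> one "STATE count" line per state
# of interest, so a flood shows up as a large TIME_WAIT/LAST_ACK/CLOSING tally
report_states() {
    input=$(cat)
    for s in ESTABLISHED TIME_WAIT LAST_ACK CLOSING; do
        printf '%-12s %s\n' "$s" "$(printf '%s\n' "$input" | count_state "$s")"
    done
}

printf '%s\n' "$SAMPLE" | report_states
# 100 short connections/s with the default 30 s MSL keeps about 6000 sockets
# in TIME_WAIT at any moment, which is what tuning(7) limits have to absorb
echo "expected TIME_WAIT backlog: $(expected_time_wait 100 30000)"
```

Compare the TIME_WAIT figure against `sysctl kern.ipc.nmbclusters` and `netstat -m` on the live host to see how much headroom the mbuf pool really has during a flood.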
"Saulius Menkevičius" wrote:
>
> Hi there,
>
> I have some DDOS(?) attack on my router going where my apache HTTP
> server is flooded with short-timed connections from some host. This
> results in LOTS of sockets in TIME_WAIT/LAST_ACK/CLOSING states and
> eventually I'm out of mbufs, which, consequently means I can't even
> connect to the router from LAN. The kern.ipc.nmbclusters is 2560, (I
> guess high enough for router with DSL connection).
> After some time all mbufs are depleted (system says "All mbuf
> cluster exhausted"). However, unexpectedly the system panics shortly
> in about 10 minutes (+/-) with:
> /kernel: All mbuf cluster exhausted, please see tuning(7)
> /kernel: looutput: mbuf allocation failed
> /kernel: panic: sbappendaddr
> /kernel:
> /kernel: syncing disks....
> .
> .
> I don't think this behaviour (a panic) is normal. This crash
> happens often when I'm under such attack and I guess I can easily
> give crash dump, kgdb output or something like, if you need.
> System is running 4.8-RELEASE, on iPentium166/mmx with 64MB of RAM.
> 4 NICs, BRIDGE on two of them.
>
> Thanks for any response..

I agree with you. I've got a crashdump for an mbuf-related kernel panic (sbappendaddr), see http://www.FreeBSD.org/cgi/query-pr.cgi?pr=kern/50803

I believe a kernel must not panic due to DoS.

Eugene Grosbein