Date: Tue, 11 Feb 2003 13:32:26 +0100
From: Georg Graf <georg@graf.priv.at>
To: ipfw@FreeBSD.ORG
Subject: Re: Static NAT
Message-ID: <20030211123226.GA29498@graf.priv.at>
In-Reply-To: <3D9A00A1.2070809@tcoip.com.br>
References: <3D9865DB.5040902@tcoip.com.br> <20021001055502.GC79303@blossom.cjclark.org> <3D998142.8070005@tcoip.com.br> <20021001174546.GB81932@blossom.cjclark.org> <3D99EEBE.2010403@tcoip.com.br> <20021001195258.GB82099@blossom.cjclark.org> <3D9A00A1.2070809@tcoip.com.br>
Sorry for my late reply:

On Tue, Oct 01, 2002 at 05:08:01PM -0300, you wrote:
[...]
> The attack is a Syn Flood. Nothing is affected by the attack except
> natd. The symptom with NAT is packet loss (ie, packets enter from one
> interface do not exit through the other if they happen to go through
> natd). Restarting natd eliminates the symptom immediately on start (and
> then the flood gets to it again). netstat -m shows mbuf clusters peak
> equal to maximum, and some hundreds of thousands (maybe more, I don't
> recall the exact order, but at least that much) of requests for memory
> denied. On syslog, there are messages of packets dropped because of lack
> of mbuf clusters.

If the synflood comes from the natted network, it is clear that natd is eating up memory. If you use natd "reverse", then you can be dosed by getting synflooded from the internet, because every single syn packet adds an entry in natd's table, at least that's the way I understand this.

Were you using reverse nat in October?

--
Georg Graf http://georg.graf.priv.at/ PGP Key ID: 0xA5232AD5
Gobergasse 43/2 A-1130 Wien Tel: +43 1 8796723

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
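The failure mode Georg describes (one table entry per inbound SYN on a reverse-NAT box, so a spoofed flood fills the table and real traffic is dropped) can be modelled to see why an expiry timer for half-open mappings bounds the damage. This is an added illustration, not code from the thread or from natd; the `NatTable` class and the flood parameters are hypothetical and the addresses are constructed.

```python
from dataclasses import dataclass

@dataclass
class NatEntry:
    created: float              # time the first SYN created the mapping
    last_seen: float            # last packet matching this flow
    established: bool = False   # set once the handshake completes

class NatTable:
    """Toy per-flow NAT table (assumption: not natd's real data structure).
    Every inbound SYN on a forwarded port creates a mapping, as the thread
    describes for 'reverse' NAT. Memory is modelled as a hard entry cap."""
    def __init__(self, max_entries, half_open_ttl, established_ttl=3600.0):
        self.max_entries = max_entries
        self.half_open_ttl = half_open_ttl        # seconds a SYN-only entry may live
        self.established_ttl = established_ttl
        self.entries = {}
        self.dropped = 0                          # packets refused: table full

    def expire(self, now):
        dead = [k for k, e in self.entries.items()
                if now - e.last_seen > (self.established_ttl if e.established
                                        else self.half_open_ttl)]
        for k in dead:
            del self.entries[k]

    def on_syn(self, flow, now):
        """flow = (src_ip, src_port, dst_ip, dst_port); True if a mapping exists."""
        self.expire(now)
        if flow in self.entries:
            self.entries[flow].last_seen = now
            return True
        if len(self.entries) >= self.max_entries:
            self.dropped += 1                     # the 'packet loss' symptom
            return False
        self.entries[flow] = NatEntry(created=now, last_seen=now)
        return True

def simulate_syn_flood(half_open_ttl, packets=20000, rate_pps=1000, max_entries=5000):
    """Spoofed SYNs from distinct (ip, port) pairs at rate_pps; never completes a
    handshake. Returns (peak table size, packets dropped for lack of space)."""
    table = NatTable(max_entries, half_open_ttl)
    peak = 0
    for i in range(packets):
        now = i / rate_pps
        # constructed flood source: 200 addresses in TEST-NET-3 cycling through ports
        flow = ("203.0.113.%d" % (i % 200), 1024 + (i // 200) % 64000, "192.0.2.10", 80)
        table.on_syn(flow, now)
        peak = max(peak, len(table.entries))
    return peak, table.dropped
```

With no half-open expiry (`float('inf')`) the table saturates and every later SYN, legitimate or not, is refused; with a two-second half-open lifetime the table holds only about two seconds' worth of flood and nothing is dropped.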