From owner-freebsd-net Mon Aug 13 12:32:00 2001
Delivered-To: freebsd-net@freebsd.org
Received: from shell.devco.net (shell.devco.net [196.15.188.7]) by hub.freebsd.org (Postfix) with ESMTP id C525C37B408 for ; Mon, 13 Aug 2001 12:31:56 -0700 (PDT) (envelope-from bvi@shell.devco.net)
Received: from bvi by shell.devco.net with local (Exim 3.20 #2) id 15WNRg-000H7K-00; Mon, 13 Aug 2001 21:32:16 +0200
Date: Mon, 13 Aug 2001 21:32:16 +0200
From: Barry Irwin
To: incidents@securityfocus.org, net@freebsd.org
Subject: FreeBSD NATd problems
Message-ID: <20010813213216.I684@itouchlabs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi All

Just wondering if anyone else has experienced the following problem:

I have a number of networks running with FreeBSD firewalls providing a NAT service to a number of hosts behind the wall itself. Both outgoing NAT and port redirection are provided. This has been running stably for over a year. However, in the last 10 days I have had a number of these natd processes suddenly bloat (looking at 48 Megs upwards, when they normally sit at around 700K-1 Meg). Ping times to the firewalls (in fact any packets passing through the natd process) are delayed; it seems to suffer a type of exponential decay, with the highest delay I have recorded being in the order of 240 seconds! At this kind of latency, network connectivity is nonexistent. One of the first signs of an impending slowdown is that DNS starts timing out. The firewalls are running pretty standard martian filters (see draft-manning-dusa03.txt) to filter out the majority of the cruft floating around. This has so far impacted 4.0-RELEASE, 4.1-RELEASE as well as 4.3-STABLE.

Reviews of tcpdumps collected once the slowdown has been noticed do not show any signs of strange activity. What I am wondering is, is there some new scanning/DoS tool which is causing natd to get its data structures in a knot, and thereby grow massively, in addition to the slowdown? Without having looked at the data structures in detail, it appears as though there is a long linked list that is getting exponentially grown, and thereby accounting for the increase in memory usage, as well as the massively increased latency caused by performing lookups in the data structure chain.

So back to the question: has anyone else heard of/experienced/seen this?

Barry
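The post names two early-warning signs, a natd resident set that jumps from under a megabyte to tens of megabytes and round-trip times that climb into the hundreds of seconds. The following shell script is an added example (it is not part of Barry's message and not FreeBSD's own tooling) of a cron-style health check for those two symptoms. It assumes the `ps -axo pid,rss,command` column layout of FreeBSD (RSS in kilobytes) and the `round-trip min/avg/max/stddev` summary line printed by BSD `ping`; the `ps` and `ping` output embedded below is constructed to model the reported condition, not captured from a real firewall, and the 8192 KB and 1000 ms thresholds are assumed values to tune per site.

```sh
#!/bin/sh
# Added example, not from the original post: a small health check for the two
# symptoms described above, a bloated natd process and pathological RTT.
# Assumptions: FreeBSD `ps -axo pid,rss,command` output with RSS in kilobytes,
# and the BSD `ping` summary line; both samples below are constructed.

# Constructed `ps -axo pid,rss,command` output. PID 202 models the bloated
# daemon (48 MB RSS) beside a healthy one sitting at about 720 KB.
SAMPLE_PS='  PID   RSS COMMAND
  101   720 /sbin/natd -f /etc/natd.conf
  202 49152 /sbin/natd -n fxp0
  303  1024 /usr/sbin/sshd'

# Constructed `ping -c 3` output modelling a roughly 240 s round trip.
SAMPLE_PING='PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=240512.331 ms
--- 10.0.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.412/240512.331/480123.210/196000.000 ms'

# flag_bloated_natd LIMIT_KB < ps-output
# Prints "PID RSS" for every natd whose resident set exceeds LIMIT_KB.
# The header line is skipped and only commands ending in /natd are considered.
flag_bloated_natd() {
    awk -v limit="$1" '
        NR > 1 && $3 ~ /\/natd$/ && ($2 + 0) > (limit + 0) { print $1, $2 }
    '
}

# ping_avg_ms < ping-output
# Extracts the average RTT in milliseconds from the BSD ping summary line,
# whose fourth whitespace-separated field is "min/avg/max/stddev" numbers.
ping_avg_ms() {
    awk '/^round-trip/ { split($4, t, "/"); print t[2] }'
}

# ping_too_slow LIMIT_MS < ping-output
# Exit status 0 when the average RTT exceeds LIMIT_MS, 1 otherwise
# (including when no summary line is present, e.g. total packet loss).
ping_too_slow() {
    awk -v limit="$1" '
        /^round-trip/ { split($4, t, "/"); avg = t[2] + 0 }
        END { exit ((((avg + 0) > (limit + 0))) ? 0 : 1) }
    '
}

# Stand-alone demonstration against the constructed samples. On a real
# firewall the pipelines would be:
#   ps -axo pid,rss,command | flag_bloated_natd 8192
#   ping -c 3 <gateway-ip> | ping_too_slow 1000
printf '%s\n' "$SAMPLE_PS" | flag_bloated_natd 8192 |
    while read -r pid rss; do
        echo "natd pid $pid has RSS ${rss} KB, above the 8192 KB limit"
    done
if printf '%s\n' "$SAMPLE_PING" | ping_too_slow 1000; then
    echo "average RTT $(printf '%s\n' "$SAMPLE_PING" | ping_avg_ms) ms exceeds 1000 ms"
fi
```

Run from cron with the two real pipelines in the trailing comment, the script gives a cheap alert before DNS starts timing out; an alert from the RSS check in particular is a good trigger to start a tcpdump capture so that the traffic leading into the bloat, rather than only the traffic after it, is on disk.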