Date: Mon, 13 Aug 2001 14:57:31 -0500 (CDT)
From: Nick Rogness <nick@rogness.net>
To: Barry Irwin <bvi@devco.net>
Cc: incidents@securityfocus.org, net@FreeBSD.ORG
Subject: Re: FreeBSD NATd problems
Message-ID: <Pine.BSF.4.21.0108131453130.26968-100000@cody.jharris.com>
In-Reply-To: <20010813213216.I684@itouchlabs.com>
On Mon, 13 Aug 2001, Barry Irwin wrote:

> Hi All
>
> Just wondering if anyone else has experienced the following problem:
>
> I have a number of networks running with FreeBSD firewalls providing a
> NAT service to a number of hosts behind the wall itself. Both outgoing
> NAT and port redirection are provided. This has been running stably
> for over a year. However, in the last 10 days I have had a number of
> these natd processes suddenly bloat (looking at 48 Megs upwards when
> they normally sit at around 700K-1 Meg). Ping times to the firewalls (in
> fact any packets passing through the natd process) are delayed; it
> seems to suffer a type of exponential decay, with the highest delay I
> have recorded being in the order of 240 seconds!
>
> At this kind of latency, network connectivity is non-existent. One of
> the first signs of an impending slowdown is that DNS starts timing
> out. The firewalls are running pretty standard martian filters (see
> draft-manning-dusa03.txt) to filter out the majority of the cruft
> floating around.
>
> This has so far impacted 4.0-RELEASE, 4.1-RELEASE as well as
> 4.3-STABLE. Reviews of tcpdumps collected once slowdown has been
> noticed do not show any signs of strange activity. What I am
> wondering is, is there some new scanning/DoS tool which is causing
> natd to get its data structures in a knot, and thereby grow massively,
> in addition to the slowdown?

Turn on natd logging when this occurs and see what is happening. Submit
log if necessary.

Nick Rogness <nick@rogness.net>
 - Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
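The following is an added example, not code from either poster or from FreeBSD: a small sh script that does the two things a practitioner would want here, spotting a natd whose resident set has grown far past the 700K-1M Barry reports as normal, and starting natd with the logging Nick suggests. The flags used are the documented natd(8) ones (-log writes aliasing statistics to /var/log/alias.log; -verbose keeps natd in the foreground and prints every packet alteration). The 8192 KB threshold, the interface name fxp0, the sample ps output, and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): detect a bloated natd process and
# record its state, plus the rc.conf lines that start natd with logging on.
# Assumptions: an RSS limit of 8192 KB (normal natd is ~700K-1M per the
# report), ps able to print "pid rss command" columns, interface fxp0.

NATD_RSS_LIMIT_KB=${NATD_RSS_LIMIT_KB:-8192}
NATD_LOGFILE=/var/log/alias.log   # natd -log writes here (natd(8))

# bloated_natd LIMIT_KB
# Reads `ps -axo pid,rss,command` output on stdin and prints the PID of each
# natd process whose RSS exceeds LIMIT_KB. Matches only a command whose
# basename is exactly "natd", so sshd or a "natd-something" is ignored.
bloated_natd() {
    awk -v limit="$1" '
        $1 ~ /^[0-9]+$/ && $3 ~ /(^|\/)natd$/ && ($2 + 0) > (limit + 0) { print $1 }'
}

# natd_logging_flags [interactive]
# The natd(8) flags that make it record what it is doing:
#   -log      aliasing statistics and information to /var/log/alias.log
#   -verbose  stay attached to the terminal and print every packet alteration
# Use -log on a production firewall; add -verbose only for a short look.
natd_logging_flags() {
    if [ "$1" = "interactive" ]; then
        echo "-log -verbose"
    else
        echo "-log"
    fi
}

# rc_conf_snippet IFACE
# The /etc/rc.conf lines that start natd with logging enabled at boot.
rc_conf_snippet() {
    printf 'natd_enable="YES"\nnatd_interface="%s"\nnatd_flags="%s"\n' \
        "$1" "$(natd_logging_flags)"
}

# snapshot_natd PID
# What to capture before restarting a bloated natd: size, run time, and
# the tail of the alias log if logging was already on.
snapshot_natd() {
    pid=$1
    echo "=== natd pid $pid at $(date) ==="
    ps -o pid,rss,vsz,etime,command -p "$pid"
    if [ -r "$NATD_LOGFILE" ]; then
        tail -n 50 "$NATD_LOGFILE"
    fi
}

# Constructed sample of `ps -axo pid,rss,command` output (not a real capture):
# one healthy natd, one bloated natd, and two non-matching processes.
SAMPLE_PS='  PID   RSS COMMAND
  123   812 /sbin/natd -n fxp0
  456 49152 /sbin/natd -n xl0 -redirect_port tcp 10.0.0.5:80 80
  789  1200 /usr/sbin/sshd -D
  901 50000 natd-lookalike'

# demo_check: run the detector over the constructed sample; prints "456".
demo_check() {
    printf '%s\n' "$SAMPLE_PS" | bloated_natd "$NATD_RSS_LIMIT_KB"
}

# Only touch the live system when asked explicitly, so the functions above
# can be sourced or tested without ps access.
if [ "${1:-}" = "--check" ]; then
    for pid in $(ps -axo pid,rss,command | bloated_natd "$NATD_RSS_LIMIT_KB"); do
        snapshot_natd "$pid"
    done
fi
```

Run it as `sh natd-check.sh --check` from cron every few minutes once the bloat starts, so the snapshot is taken while the process is still in the failed state rather than after someone has restarted it. One caveat worth knowing before relying on -log: natd(8) truncates /var/log/alias.log each time natd starts, so copy the log aside before restarting the daemon.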