From owner-freebsd-net Mon Aug 13 12:57:48 2001
Delivered-To: freebsd-net@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id 4DE3437B401 for ; Mon, 13 Aug 2001 12:57:42 -0700 (PDT) (envelope-from nick@rogness.net)
Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f7DJvVA28722; Mon, 13 Aug 2001 14:57:32 -0500 (CDT) (envelope-from nick@rogness.net)
Date: Mon, 13 Aug 2001 14:57:31 -0500 (CDT)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: Barry Irwin
Cc: incidents@securityfocus.org, net@FreeBSD.ORG
Subject: Re: FreeBSD NATd problems
In-Reply-To: <20010813213216.I684@itouchlabs.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 13 Aug 2001, Barry Irwin wrote:

> Hi All
>
> Just wondering if anyone else has experienced the following problem:
>
> I have a number of networks running with FreeBSD firewalls providing a
> NAT service to a number of hosts behind the wall itself. Both outgoing
> NAT and port redirection are provided. This has been running stably
> for over a year. However, in the last 10 days I have had a number of
> these natd processes suddenly bloat (looking at 48 MB upwards when
> they normally sit at around 700K-1 MB). Ping times to the firewalls (in
> fact any packets passing through the natd process) are delayed; it
> seems to suffer a type of exponential decay, with the highest delay I
> have recorded being in the order of 240 seconds!
>
> At this kind of latency, network connectivity is non-existent. One of
> the first signs of an impending slowdown is that DNS starts timing
> out.
>
> The firewalls are running pretty standard martian filters (see
> draft-manning-dsua-03.txt) to filter out the majority of the cruft
> floating around.
>
> This has so far impacted 4.0-RELEASE, 4.1-RELEASE as well as
> 4.3-STABLE. Reviews of tcpdumps collected once slowdown has been
> noticed do not show any signs of strange activity. What I am
> wondering is, is there some new scanning/DoS tool which is causing
> natd to get its data structures in a knot, and thereby grow massively,
> in addition to the slowdown.

Turn on natd logging when this occurs and see what is happening. Submit
log if necessary.

Nick Rogness
- Keep on Routing in a Free World... "FreeBSD: The Power to Serve!"
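The reply above is the whole of the advice given in the thread. What follows is an added example, not code from the thread or from FreeBSD, of how a practitioner would act on it: a small sh watchdog that samples the resident size of the natd process and, once it crosses a threshold, records the process state, a short packet capture on the outside interface and a copy of natd's own log, so that evidence is collected while the bloat is in progress instead of after the box has become unreachable. The natd options named here (-log, -log_denied, and the /var/log/alias.log path that -log writes to) are from natd(8); the threshold, interface name, capture directory and sampling intervals are assumptions chosen for illustration.

```shell
#!/bin/sh
# natd_watch.sh - added example, not part of the original thread.
# Polls natd's resident set size and gathers diagnostics when it bloats.
# Assumptions (not from the thread): an 8 MB threshold, fxp0 as the
# outside interface, /var/tmp/natd-diag as the capture directory.

THRESHOLD_KB=${THRESHOLD_KB:-8192}       # ~8 MB; healthy natd sat at ~1 MB in the report
CAPTURE_DIR=${CAPTURE_DIR:-/var/tmp/natd-diag}
IFACE=${IFACE:-fxp0}                     # assumed outside interface
ALIAS_LOG=/var/log/alias.log             # written by natd when started with -log (natd(8))

# rss_from_ps_line LINE
#   Given one "RSS COMMAND ..." line from ps, print the RSS (KB) if the
#   command is natd, otherwise print nothing. Kept separate from ps so
#   the parsing can be exercised on constructed input.
rss_from_ps_line() {
    printf '%s\n' "$1" | awk '$2 ~ /(^|\/)natd$/ { print $1 }'
}

# natd_rss_kb
#   Print the RSS (KB) of the first natd process found, or nothing if
#   natd is not running. ps -o rss reports kilobytes on FreeBSD.
natd_rss_kb() {
    ps -axo rss,command | awk '$2 ~ /(^|\/)natd$/ { print $1; exit }'
}

# rss_over RSS_KB THRESHOLD_KB
#   Succeed (return 0) when RSS_KB exceeds THRESHOLD_KB; an empty RSS
#   (natd not running) counts as 0 so the watchdog never fires on it.
rss_over() {
    [ "${1:-0}" -gt "$2" ]
}

# collect_diagnostics
#   Snapshot what is needed to answer "what is natd doing right now":
#   the process line (RSS/VSZ/CPU), 500 packets on the outside interface
#   so the traffic driving natd can be reviewed later, and natd's log.
collect_diagnostics() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$CAPTURE_DIR"
    ps -axo pid,rss,vsz,time,command | awk 'NR == 1 || $5 ~ /(^|\/)natd$/' \
        > "$CAPTURE_DIR/ps-$stamp.txt"
    tcpdump -n -i "$IFACE" -c 500 -w "$CAPTURE_DIR/natd-$stamp.pcap" 2>/dev/null
    if [ -f "$ALIAS_LOG" ]; then
        cp "$ALIAS_LOG" "$CAPTURE_DIR/alias-$stamp.log"
    fi
}

# Entry point: "natd_watch.sh run" polls every 30 s; after a capture it
# backs off for 10 minutes so one incident does not fill the disk.
if [ "${1:-}" = "run" ]; then
    while :; do
        rss=$(natd_rss_kb)
        if rss_over "$rss" "$THRESHOLD_KB"; then
            logger -t natd_watch "natd RSS ${rss} KB over ${THRESHOLD_KB} KB, collecting diagnostics"
            collect_diagnostics
            sleep 600
        fi
        sleep 30
    done
fi
```

To get natd's own log in the first place, the daemon has to be started with logging enabled: in /etc/rc.conf that is natd_flags="-log -log_denied" (or log yes and log_denied yes in the natd.conf named by -config), followed by a restart of natd. With -log natd keeps aliasing statistics in /var/log/alias.log, which the watchdog copies alongside the packet capture; -log_denied sends denied incoming packets to syslog, which is where a scan or flood aimed at the firewall's redirected ports would show up. Run the watchdog as root (tcpdump needs the interface) from rc.local or a cron @reboot entry, and start it before the next slowdown rather than during one.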