From: soralx@cydem.org
Date: Fri, 23 Nov 2007 21:39:22 -0800
To: joel@smail.ee
Cc: freebsd-hackers@freebsd.org
Subject: Re: Welcome to Hell / Mysterious networking troubles on FreeBSD

On Fri, 23 Nov 2007 23:59:41 +0200
"Joel V." wrote:

> Hello all,
>
> I'm not experiencing this problem, my friend is. He's simply too
> pissed off to write here and I'm afraid he's going to set his office
> on fire if he doesn't solve the problem soon, so without further ado,
> here's the problem:
>
> He has two fbsd boxes, main server running 6.1 and dns server running
> 4.3. He has 4 public IPs which he can use and the main server is
> running on x.x.x.122. His main box is NOT acting as a gateway/NAT
> box in the office. Today he noticed that net is getting awfully slow.
> Sometimes there would be 50% pl when pinging, sometimes pinging would
> be all OK, but SSH is dead-slow and the webpages running on the main
> server are not displaying. E-mails are not going through. He calls
> the ISP, who say that his network is showing major uploading
> activity. He switches off networking services one by one in the main
> box but situation does not improve. He disconnects the main server
> and puts a windows xp box instead, which seems to run fine. He puts
> back the freebsd box, disables all networking services again except
> for SSH and connects the network: instant 100% networking slow-down.
> He tried to change the switch, thinking it's faulty. He disconnected
> every other computer in the office from the network: nothing. He put
> the public IP address on the second, internal network NIC: same
> thing. Now it gets really mysterious: he puts the old dns server with
> the x.x.x.122 IP and instantly it becomes slow as death. The logical
> conclusion would be that someone is flooding that IP? Only the
> windows xp box seemed to work fine and the ISP guy said it was upload
> bandwidth that was excessive...
>
> Netstat -a doesn't show anything interesting, arp -a doesn't show any
> incomplete addresses. He tried to build and install a new fresh kernel.
> Nothing. This is the most creepy networking problem I've heard of.
> Can YOU help? Any ideas where to start looking?

Not enough information (a bit hard to extract from above...)

To date I remember experiencing only 2 causes that had symptoms very
similar to your buddy's:

0. DDoS attack -- started suddenly one day after I scanned some
   spammer's gateway with Nessus (or just nmap? can't remember);
1. All my home network is 10/100, but workstation has a Gigabit NIC,
   Marvell Yukon 88E8056, using their driver myk(4) [thanks, Marvell!
   but where is the source code? ;)]. Right after I replaced an old
   10/100 switch by a gigabit one, the network speed dropped to less
   than 100 kbytes/s. Turns out the NIC began autonegotiating to
   1000baseTX for some reason. Setting media manually to 100baseTX
   improved things to my satisfaction.

> I'm not in the freebsd-hackers list, so if you want the e-mail to
> reach me, send a copy to joel@spirit.ee
>
> Thank you in advance!
> Joel

[SorAlx] ridin' VS1400