Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 24 Nov 2007 15:45:40 +0100
From:      Marten Vijn <>
To:        Bill Moran <>
Cc:, "Joel V." <>
Subject:   Re: Welcome to Hell / Mysterious networking troubles on FreeBSD
Message-ID:  <>
In-Reply-To: <>
References:  <000001c82e1c$27909d50$0200a8c0@windsor> <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Sat, 2007-11-24 at 08:51 -0500, Bill Moran wrote:
> "Joel V." <> wrote:
> >
> > Hello all,
> > 
> > I'm not experiencing this problem, my friend is. He's simply too pissed off
> > to write here and I'm afraid he's going to set his office on fire if he
> > doesn't solve the problem soon, so without further ado, here's the problem:
> > 
> > He has two fbsd boxes, main server running 6.1 and dns server running 4.3.
> > He has 4 public IPs which he can use and the main server is running on
> > x.x.x.122. He's main box is NOT acting as a gateway/NAT box in the office.
> > Today he noticed that net is getting awfully slow. Sometimes there would be
> > 50% pl when pinging, sometimes pinging would be all OK, but SSH is dead-slow
> > and the webpages running on the main server are not displaying. E-mails are
> > not going through. He calls the ISP, who say that his network is showing
> > major uploading activity. He switches off networking services one by one in
> > the main box but situation does not improve. He disconnects the main server
> > and puts a windows xp box instead, which seems to run fine. He puts back the
> > freebsd box, disables all networking services again except for SSH and
> > connects the network: instant 100% networking slow-down. He tried to change
> > the switch, thinking it's faulty. He disconnect every other computer in the
> > office from the network: nothing. He put the public IP address on the
> > second, internal network NIC: same thing. Now it gets really mysterious: he
> > puts the old dns server with the x.x.x.122 IP and instantly it becomes slow
> > as death. The logical conclusion would be that someone is flooding that IP?
> > Only the windows xp box seemed to work fine and the ISP guy said it was
> > upload bandwidth that was excessive...
> > 
> > Netstat -a doesn't show anything interesting, arp -a doesn't show any
> > incomplete addresses He tried to build and install a new fresh kernel.
> > Nothing. This is the most creepy networking problem I've heard of. Can YOU
> > help? Any ideas where to start looking?
> +1 on the tcpdump work.  Once you have the packet capture, something like
> Wireshark will give you a pretty view of the packets.  However, posting
> the text output of tcpdump will allow the crew on this mailing list to
> give you specific advice (once you've done what Julian suggests, you
> can get text output by doing tcpdump -r capture.out)
> Overall, based on your vague symptoms, I'd guess you got cracked and
> someone's running a spambot or other bot on that box.  They may even
> have it rooted.
You may find that out putting bridging (man bridge and sysctl) box
inbetween the internet connection and your box and dump there. I would
use for temp my laptop with an extra usb_ethernet device. 

A mirrorport on a switch + sflow / netflow could show traffic in ntop to
get more insight on your traffic.   

more tools:
md5sum (too late for tripwire) if you have your bins somewhere else on


Want to link to this message? Use this URL: <>