Network Interface 'overload' in 4.11

Danial Thom danial_thom at yahoo.com
Mon Aug 22 13:39:08 GMT 2005



--- Jim Durham <durham at jcdurham.com> wrote:

> On Sunday 21 August 2005 05:05 pm, Danial Thom wrote:
> > --- Martin Hepworth <maxsec at gmail.com> wrote:
> > > There are things you can do with reasonable low end managed
> > > switches for bandwidth throttling etc. BTW I find Symantec 'not
> > > the best' and prefer Sophos (there's a nice free trial version
> > > you can download). I'd also run some of the anti-spyware programs
> > > on the boxes (you'll need to run more than one) and sometimes the
> > > AV software can be particular about what's viral and what's
> > > spyware..
> > >
> > > --
> > > Martin
> > >
> > > On 8/18/05, Jim Durham <durham at jcdurham.com> wrote:
> > > > On Thursday 18 August 2005 02:31 pm, you wrote:
> > > > > Sounds like viral activity to me. I had this at work recently
> > > > > where 2 mtob infected machines were able to bring the entire
> > > > > 100mbs switched network to its knees. If you run ethereal you
> > > > > may find the network is being flooded by arp lookups from the
> > > > > Windows machine in question.....
> > > >
> > > > Yes. I agree. Although we've run Symantec on the silly box and
> > > > nothing is there with the latest identity files. In fact, now
> > > > you can hook it back up to the net and all is fine. Maybe it got
> > > > fixed by one of the 'anti-worm worms' ? 8-)
> > > >
> > > > What I was really wondering is if there is some way of preventing
> > > > one silly Windows box from taking the FreeBSD server into a
> > > > state where it is pretty much useless network-wise.
> > > >
> > > > Setting throttling is one thing that was suggested, but as I
> > > > recall, when I tried that, it actually made no difference
> > > > because it throttled the interface and it was useless anyway.
> > > >
> > > > Doesn't ethereal really just run tcpdump? Tcpdump showed very
> > > > little. I guess because it was running on the same machine and
> > > > the machine wasn't delivering packets to the internal
> > > > networking..or it was infernally slow and it didn't get much to
> > > > show.
> > > >
> > > > Probably if I had a 2nd FreeBSD box monitoring the network on a
> > > > hub instead of a switch, that would work, but this is an "outer
> > > > office" with no on-site IT staff and that is sort of hard to
> > > > accomplish.
> > > >
> > > > Thanks!
> > > >
> > > > -Jim
> >
> > The obvious thing to do is don't connect everyone to the gig
> > backbone at a gigabit. It doesn't sound like the 4.11 box was the
> > problem; it sounds like there was no bandwidth for any other
> > traffic on the wire because the haywire box was filling it with
> > garbage.
>
> Wrong wire. I couldn't log in on the other interface either. It
> does not touch the switches and local LAN stuff. It goes to an
> outside T1. The 4.11 box was so busy it couldn't handle a login
> from the T1 and I couldn't get anywhere. If I could have gotten
> in, I would have shut down the inside interface and got the web,
> etc back up, but I couldn't log in.
>
> > So it needs to be fixed at the source.
>
> That is being done, but, like above, it would be nice if it
> didn't completely shut down the BSD server, at least the
> networking part.
>
> Anyhow, no easy fix I guess...

The problem is distinguishing between good and bad data. If you
filter when you get to a certain limit, then you have to
indiscriminately drop packets, some of which may be your telnet or
ssh packets. So you have a problem no matter what you do.

We use commercial bandwidth management, so I'm not familiar with the
freebsd internal stuff. But we have policies for our admin IPs that
are always allowed, and packets/second rules for "unknown" traffic
that would handle such things. Of course if the packets are coming
in so fast that you're overrunning the receiver rings then handling
it internally isn't going to work.

Danial
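Added example (not from this thread, and not code from FreeBSD or any
bandwidth-management product): a small Python model of the two approaches
contrasted in the reply above. The first is an interface-wide cap that
drops indiscriminately once its limit is reached, so the admin's ssh
packets go with everything else. The second is the policy described,
where administrative addresses are always admitted and every "unknown"
source gets its own packets/second budget, so a single haywire host can
only exhaust its own allowance. The addresses 192.0.2.10 and 198.51.100.7,
the port numbers and the traffic mix are constructed for the demonstration.

```python
"""Per-source rate policy with an always-allowed admin list (added example).

Traffic, addresses and ports below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Packet:
    t: float    # arrival time in seconds
    src: str    # source IPv4 address
    dport: int  # destination TCP port


class TokenBucket:
    """`rate` tokens per second, at most `burst` stored; one token per packet."""

    def __init__(self, rate: float, burst: float) -> None:
        self.rate, self.burst = rate, burst
        self.tokens = burst
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # Refill for the time elapsed since the last packet, then spend one token.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def interface_cap(packets: Iterable[Packet], cap_pps: int) -> List[Packet]:
    """(a) One counter for the whole interface: once `cap_pps` packets have
    arrived in the current one-second window, everything else is dropped,
    the admin's ssh session included."""
    delivered: List[Packet] = []
    window, seen = 0, 0
    for p in sorted(packets, key=lambda pk: pk.t):
        if int(p.t) != window:
            window, seen = int(p.t), 0
        if seen < cap_pps:
            delivered.append(p)
            seen += 1
    return delivered


def policy_filter(packets: Iterable[Packet], admin_ips: Set[str],
                  unknown_pps: float, unknown_burst: float) -> List[Packet]:
    """(b) Admin sources are always allowed; every other source gets its own
    token bucket, so one flooding host only exhausts its own budget."""
    buckets: Dict[str, TokenBucket] = defaultdict(
        lambda: TokenBucket(unknown_pps, unknown_burst))
    delivered: List[Packet] = []
    for p in sorted(packets, key=lambda pk: pk.t):
        if p.src in admin_ips or buckets[p.src].allow(p.t):
            delivered.append(p)
    return delivered


# Constructed traffic: one infected host spraying 1000 pps for a second,
# plus ten ssh packets from the admin workstation in the middle of it.
FLOODER, ADMIN = "198.51.100.7", "192.0.2.10"   # assumed documentation addresses


def sample_stream() -> List[Packet]:
    flood = [Packet(i / 1000.0, FLOODER, 445) for i in range(1000)]
    ssh = [Packet(0.5 + i / 100.0, ADMIN, 22) for i in range(10)]
    return flood + ssh


def count_by_src(packets: Iterable[Packet]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for p in packets:
        counts[p.src] += 1
    return dict(counts)


def compare(cap_pps: int = 100) -> Dict[str, Dict[str, int]]:
    """Run the same stream through both filters; returns delivered packets per source."""
    stream = sample_stream()
    return {
        "interface_cap": count_by_src(interface_cap(stream, cap_pps)),
        "policy": count_by_src(policy_filter(stream, {ADMIN}, cap_pps, cap_pps)),
    }


if __name__ == "__main__":
    for name, counts in compare().items():
        print(f"{name:14s} {counts}")
```

With a 100 pps limit the interface-wide cap delivers the flooder's first
100 packets and none of the admin's ten, while the per-source policy
delivers all ten admin packets and roughly 200 of the flooder's 1000. The
model runs after packets have already been pulled off the wire, which is
exactly the caveat raised above: if the receive rings are being overrun,
nothing done at this layer helps, and the limit has to be applied upstream
or at the source.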


		


More information about the freebsd-questions mailing list