ARP issue post DDoS
Mike M
mail at miketm.com
Sun Feb 20 03:25:04 UTC 2011
Hi,
After receiving a DDoS recently (likely SYN related on ports with
legitimate services), I was unable to contact my primary interface
gateway (immediate switch it's connected to).
When I looked at the ARP table I saw an 'incomplete' entry for this
gateway. I deleted it manually then watched the ARP traffic on the
interface and saw the who-has requests, but saw no replies.
NOC suggested that something looked messed up in the TCP/IP stack of the
OS and suggested I reboot the machine.
When I rebooted, everything came right again.
Any ideas what caused this, or more so how to prevent it from happening
in the future? I'm concerned it will happen again and obviously don't
want to have to keep rebooting the machine.
The box is running FreeBSD 8.1-RELEASE-p2
Intel Xeon 2.4GHz w/4GB RAM
2 x NetXtreme Gigabit Ethernet PCI Express (BCM5721)
No idea if the below helps or not. Note the netstat statistics were not
captured at the time this happened, I just grabbed them now.
# pfctl -s memory
states hard limit 10000000
src-nodes hard limit 10000
frags hard limit 5000
tables hard limit 1000
table-entries hard limit 100000
# netstat -m
1027/11393/12420 mbufs in use (current/cache/total)
1025/4215/5240/65000 mbuf clusters in use (current/cache/total/max)
1024/3456 mbuf+clusters out of packet secondary zone in use (current/cache)
0/199/199/12800 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/6400 9k jumbo clusters in use (current/cache/total/max)
0/0/0/3200 16k jumbo clusters in use (current/cache/total/max)
2306K/12074K/14381K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0/0/0 sfbufs in use (current/peak/max)
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
0 calls to protocol drain routines
Any help would be much appreciated.
Regards,
- Mike