filling up UDP socket buffers like mad

Luiz Eduardo Guida Valmont legvalmont at gmail.com
Mon Mar 27 15:52:20 UTC 2006 

Could it be that you're under a DOS attack even though you're "behind
three layers of firewall"? =/ Try configuring a firewall to block
every UDP packet for every port except those needed by the services
you run.

On 3/27/06, Michael W. Lucas <mwlucas at blackhelicopters.org> wrote:
> On Fri, Mar 24, 2006 at 06:03:47PM -0500, Charles Swiger wrote:
> > On Mar 24, 2006, at 4:17 PM, Michael W. Lucas wrote:
> > >Running FreeBSD 6.1-PRERELEASE as a DNS, dhcp, and syslog server.
> > >
> > >I'm having trouble with DNS, DHCP, and syslogd locking up, and I think
> > >I've found what they all share in common.
> > >
> > >During the lockups, the box starts dropping UDP due to full socket
> > >buffers.  I have a dumb little script to capture the rate of drops
> > >over 5 seconds, and it's about 45 a second.
> > >
> > >168725 dropped due to full socket buffers
> > >168958 dropped due to full socket buffers
> >
> > There is generally a cause behind the socket buffers filling up,
> > whether that is some form of livelock due to an OS problem or a
> > misconfiguration with a firewall/dummynet setup.  You could look at
> > the output of "netstat -a(n)" for insight as to where the packets are
> > being queued up, but "netstat -s" would be useful to show to us as well.
>
> Thanks.  I think you've shown me how to find the problem:
>
> # netstat -na
> ...
> udp4       0      0  127.0.0.1.57058        127.0.0.1.53
> udp4       0      0  127.0.0.1.61259        127.0.0.1.53
> udp4       0      0  127.0.0.1.54240        127.0.0.1.53
> udp4       0      0  127.0.0.1.52997        127.0.0.1.53
> udp4       0      0  *.67                   *.*
> udp4   43414      0  *.514                  *.*
> udp4       0      0  *.49661                *.*
> ...
>
> We have no firewall on this machine; it's buried behind three layers
> of firewall.
>
> I've tried running syslogd in debug mode, but not found anything
> particularly useful yet.  Syslogd is now set to restart every 15
> minutes, and run in debug mode, so hopefully the next time this
> happens I'll have the debugging output.  The problem happens even
> within fifteen minutes, but because of my timeouts nobody notices.
>
> I'm attaching the output of netstat -na and netstat -s for general
> informative purposes; if anyone has any further suggestions, I'm all
> ears.
>
> Thanks,
> ==ml
>
> --
> Michael W. Lucas	mwlucas at FreeBSD.org, mwlucas at BlackHelicopters.org
> 		http://www.BlackHelicopters.org/~mwlucas/
>
> "The cloak of anonymity protects me from the nuisance of caring." -Non
> Sequitur
>
>
>
>
>
>


--
[]'s,
Luiz Eduardo

More information about the freebsd-questions mailing list