Problems with IPFW causing failed DNS and FTP sessions
Michael Powell
nightrecon at hotmail.com
Mon Apr 1 04:39:47 UTC 2013
Don O'Neil wrote:
> Hi everyone. Recently my server started having issues with DNS and FTP
> sessions either not resolving or timing out. I've tracked the issue down
> to IPFW. If I issue a 'sysctl net.inet.ip.fw.enable=0' then my issues go
> away.
>
[snip]
I'm probably not smart enough to be able to help directly with your problem,
but I'd like to add that there is a snowballing DNS amplification DDoS
attack against SpamHaus going on which is spilling over. I was looking at
some weird stuff my Suricata was reporting today when I noticed a large
majority of it was coming from CloudFlare CDN. They use anycast packet
traffic to deflect and diffuse such attacks for their customers.
I'm wondering if your box has just been sitting there doing its thing and
you've made zero changes to it so it is essentially 'steady state' and this
problem just sort of came up seemingly out of nowhere. Consider a
possibility that the cause may be external and what you're seeing is just
IPFW's reaction to it.
A friend of mine is on a nearby Verizon subnet and he uses their DNS
servers. He noticed minimal hiccup while I have my DNS pointed at OpenDNS
and it took them almost a day to get their situation under control. Once
they did, traffic seemed to return to normal, then I noticed Suricata alerting
on return traffic in my pf DNS firewall rule. All the traffic Suricata was
complaining about was coming from the CloudFlare CDN. I've never seen this
before, so I'm not completely certain what to make of it. My hypothesis is
OpenDNS subscribed to CloudFlare's "protection", and since it is legit
return traffic from my DNS server's lookups the firewall never touched it. I
would never have noticed if it wasn't for Suricata.
I just don't know enough about it all, just that I was having some flaky DNS
stalling and hanging and when it seemed like it returned to normal I began
to see this weird stuff from CloudFlare CDN on my DNS traffic. Just would like
to point out it may be possible your problem is somehow just a reflection of
some noise going on outside your box. As for exactly what you might do about
it, that is for smarter people than me.
-Mike
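Mike's observation was that most of the Suricata alerts on his DNS traffic came from one CDN's address space. The following is an added example, not code from this thread or from Suricata, showing how to check that kind of claim from a fast.log: it parses alert lines, keeps only UDP alerts with source port 53 (DNS replies), buckets them by named CIDR and reports whether a single block accounts for the majority. The log lines, sids, and network blocks are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in Suricata fast.log format (not from the thread);
# source ranges are RFC 5737 documentation addresses standing in for a CDN block.
SAMPLE_FAST_LOG = """\
03/31/2013-22:15:01.123456  [**] [1:2001000:1] CONSTRUCTED DNS oversized reply [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 198.51.100.10:53 -> 192.0.2.5:40001
03/31/2013-22:15:02.223456  [**] [1:2001000:1] CONSTRUCTED DNS oversized reply [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 198.51.100.11:53 -> 192.0.2.5:40002
03/31/2013-22:15:03.323456  [**] [1:2001000:1] CONSTRUCTED DNS oversized reply [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 198.51.100.12:53 -> 192.0.2.5:40003
03/31/2013-22:15:04.423456  [**] [1:2001001:1] CONSTRUCTED DNS TXT reply [**] [Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.7:53 -> 192.0.2.5:40004
03/31/2013-22:15:05.523456  [**] [1:2001002:1] CONSTRUCTED FTP login attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.9:21 -> 192.0.2.5:50001
"""

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[^\]]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_fast_log(text):
    """Yield one dict per parseable fast.log alert line."""
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if m:
            yield m.groupdict()

def dns_reply_sources_by_block(text, blocks):
    """Count DNS-reply alerts (UDP from port 53) per named CIDR in `blocks`;
    sources matching none of them are counted as 'other'."""
    nets = {label: ip_network(cidr) for label, cidr in blocks.items()}
    counts, total = Counter(), 0
    for alert in parse_fast_log(text):
        if alert["proto"] != "UDP" or alert["sport"] != "53":
            continue  # not a DNS reply; FTP and other alerts are skipped
        total += 1
        src = ip_address(alert["src"])
        label = next((name for name, net in nets.items() if src in net), "other")
        counts[label] += 1
    return counts, total

def dominant_block(counts, total, threshold=0.5):
    """Label of the block that produced more than `threshold` of the
    DNS-reply alerts, or None if no single block dominates."""
    if total == 0:
        return None
    label, n = counts.most_common(1)[0]
    return label if n / total > threshold else None
```

Running it against a real fast.log with your own resolver's and the CDN's published ranges as `blocks` tells you whether the alerts are concentrated the way Mike described, before you start changing firewall rules.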