lots of sockets in TIME_WAIT

Saulius Menkevičius razzmatazz at mail.lt
Tue May 20 14:04:45 PDT 2003


Once Doug White wrote:
>On Tue, 20 May 2003, Saulius Menkevičius wrote:
>
>>I have some DDOS(?) attack on my router going where my apache HTTP
>>server is flooded with short-timed connections from some host. This
>>results in LOTS of sockets in TIME_WAIT/LAST_ACK/CLOSING states and
>>eventually I'm out of mbufs, which, consequently means I can't even
>>connect to the router from LAN. The kern.ipc.nmbclusters is 2560,
>>(I guess high enough for router with DSL connection).
>
>TIME_WAIT is normal for a server.  LAST_ACK/CLOSING looks like packet
>loss.  Is your outbound link overloaded normally, or from the DoS?
>
>Can you block the host? :)
>
>>    After some time all mbufs are depleted (system says "All mbuf
>>cluster exhausted"). However, unexpectedly the system panics
>>shortly in about 10 minutes (+/-) with:
>
>Then increase the mbufs & clusters. Did you read the tuning man page?

Ahem, I did increase mbufs, according to man page. But I wonder why
it panics. It shouldn't panic when there are no mbufs free, or should
it?

-- 
Saulius Menkevičius, razzmatazz at mail.lt on 05.21.2003



