lots of sockets in TIME_WAIT
Saulius Menkevičius
razzmatazz at mail.lt
Tue May 20 14:04:45 PDT 2003
Once Doug White wrote:
>On Tue, 20 May 2003, Saulius Menkevičius wrote:
>
>>I have some DDOS(?) attack on my router going where my apache HTTP
>>server is flooded with short-timed connections from some host. This
>>results in LOTS of sockets in TIME_WAIT/LAST_ACK/CLOSING states and
>>eventually I'm out of mbufs, which, consequently means I can't even
>>connect to the router from LAN. The kern.ipc.nmbclusters is 2560, (I
>>guess high enough for router with DSL connection).
>
>TIME_WAIT is normal for a server. LAST_ACK/CLOSING looks like packet
>loss. Is your outbound link overloaded normally, or from the DoS?
>
>Can you block the host? :)
>
>> After some time all mbufs are depleted (system says "All mbuf
>>cluster exhausted"). However, unexpectedly the system panics shortly
>>in about 10 minutes (+/-) with:
>
>Then increase the mbufs & clusters. Did you read the tuning man page?
Ahem, I did increase mbufs, according to man page. But I wonder why
it panics. It shouldn't panic when there are no mbufs free, or should
it?
--
Saulius Menkevičius, razzmatazz at mail.lt on 05.21.2003
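
An added example, not part of the original thread: a triage script that tallies TCP states per remote host for one local port, to find which host is behind the TIME_WAIT/LAST_ACK/CLOSING pile-up before deciding what to block. The input is a constructed sample in FreeBSD `netstat -an -p tcp` layout; the addresses, the function names and the threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample in FreeBSD `netstat -an -p tcp` layout (addresses are
# documentation ranges, not taken from the thread).
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.1.80           198.51.100.7.40112     TIME_WAIT
tcp4       0      0  192.0.2.1.80           198.51.100.7.40113     TIME_WAIT
tcp4       0      0  192.0.2.1.80           198.51.100.7.40114     LAST_ACK
tcp4       0      0  192.0.2.1.80           198.51.100.7.40115     CLOSING
tcp4       0      0  192.0.2.1.80           203.0.113.9.51000      ESTABLISHED
tcp4       0      0  192.0.2.1.22           192.0.2.50.60022       ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN
"""

# The states named in the thread as accumulating during the flood.
CLOSING_STATES = {"TIME_WAIT", "LAST_ACK", "CLOSING"}


def tally(netstat_text, local_port="80"):
    """Return {foreign_host: Counter(state -> count)} for one local port."""
    hosts = defaultdict(Counter)
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP connection rows have exactly six columns; headers and UDP do not.
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        # FreeBSD prints address.port, so the port follows the last dot.
        _, _, lport = local.rpartition(".")
        fhost, _, _ = foreign.rpartition(".")
        if lport != local_port or fhost == "*":
            continue  # other service, or a listening socket
        hosts[fhost][state] += 1
    return hosts


def suspects(hosts, threshold):
    """Hosts with at least `threshold` sockets in closing states, worst first."""
    scored = {h: sum(n for s, n in c.items() if s in CLOSING_STATES)
              for h, c in hosts.items()}
    return sorted(((h, n) for h, n in scored.items() if n >= threshold),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    for host, count in suspects(tally(SAMPLE), threshold=3):
        print(host, count)
```

On a live router, pass the output of `netstat -an -p tcp` to `tally()` in place of `SAMPLE`.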