Subject: Re: Interesting discovery.
To: Herb Peyerl <>
From: Harry Waddell <>
List: current-users
Date: 08/23/2004 13:42:12
On Mon, 23 Aug 2004 14:23:56 -0600
Herb Peyerl <> wrote:

> I just had a really bad morning/day trying to figure out why a 
> firewall/router which had been up for 8+ months had suddenly decided to 
> be unreliable.  After having remote hands swap hardware and so forth, 
> it was isolated to the OS which was 1.6.1... As soon as the thing hit 
> multi-user, it would hang within a minute. nothing on the console 
> except some 'tlp' underruns...
> Eventually I managed to get a 2.0 beta kernel onto it and then it would 
> actually stay up... Strangely, this only started happening last night; 
> with months of being a perfectly happy little computer.
> Shortly after the 2.0 kernel went on, and I untarred the rest of 
> userland, is when I discovered the problem.  Quite a number of hosts on 
> the network were fishing through the address space on port 445 looking 
> for, presumably, windows fileservers.  Clearly a virus of some sort.  
> After ipf'ing those hosts out of the way, everything is calm again.  We 
> were hitting some 30,000 ipnat MAPs and 2.0 was perfectly content to 
> deal with them whereas 1.6.1 was decidedly less happy with the 
> prospect.

I ran into similar problems in the past. I replaced an old Intel
firewall/router, because it was seemingly unreliable, with a PC running NetBSD
1.6.1. After a while, things started slowing down, at which point I found that
a virus was causing local machines to add about 200 NAT associations/sec.
FWIW, 1.6.1 handles these sorts of problems with a lot more grace than a cheap
HW box. It's good to know that 2.0 is even better.

FYI, I have a cron entry on that router that counts the MAP entries and pages
me if the number is too high, since this is an indicator of virus activity.

Harry Waddell
Caravan Electronic Publishing
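An added example of the kind of cron-driven check Harry describes above (counting ipnat MAP entries and alerting when the number is too high). This is not Harry's script and not part of the original thread; the `ipnat -l` session output is a constructed sample whose format is approximated from memory, and the threshold, interface and hosts are placeholders. On a real router the sample would be replaced by `$(ipnat -l)` (which needs root) and the report piped to mail(1) or a pager gateway.

```shell
#!/bin/sh
# natwatch.sh: count active ipnat MAP sessions, alert when they exceed a threshold.
# Added example, not from the mailing list. Example cron line (assumed path):
#   */5 * * * * /usr/local/sbin/natwatch.sh | mail -s "NAT load" pager@example.org

# Constructed sample of `ipnat -l` output (format approximated, not captured
# from a real router). In production: SAMPLE="$(ipnat -l)".
SAMPLE='List of active MAP/Redirect filters:
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000

List of active sessions:
MAP 192.168.1.7   1025 <- -> 203.0.113.9   10001 [198.51.100.3 445]
MAP 192.168.1.7   1026 <- -> 203.0.113.9   10002 [198.51.100.4 445]
MAP 192.168.1.7   1027 <- -> 203.0.113.9   10003 [198.51.100.5 445]
MAP 192.168.1.20  4432 <- -> 203.0.113.9   10004 [192.0.2.8 80]
RDR 203.0.113.9   25   <- -> 192.168.1.2   25 [192.0.2.44 3311]'

# Placeholder threshold; tune to the normal session count of your network.
THRESHOLD=3

# count_map_entries INPUT: number of active MAP sessions (RDR and the
# lowercase "map" rule lines are deliberately excluded).
count_map_entries() {
    printf '%s\n' "$1" | awk '$1 == "MAP" { n++ } END { print n+0 }'
}

# map_sources INPUT: "count inner-host" per internal source, busiest first.
# A single host owning most of the sessions is the usual signature of an
# infected machine scanning the outside world (e.g. port 445 sweeps).
map_sources() {
    printf '%s\n' "$1" | awk '$1 == "MAP" { c[$2]++ } END { for (h in c) print c[h], h }' | sort -rn
}

# nat_check INPUT THRESHOLD: print a short report; return 1 when the session
# count is at or above THRESHOLD (so cron/mail wrappers can act on the status).
nat_check() {
    nc_input=$1
    nc_threshold=$2
    nc_count=$(count_map_entries "$nc_input")
    echo "active MAP sessions: $nc_count (threshold $nc_threshold)"
    if [ "$nc_count" -ge "$nc_threshold" ]; then
        echo "top internal sources:"
        map_sources "$nc_input" | head -n 5
        return 1
    fi
    return 0
}

# Stand-alone demo over the constructed sample.
if nat_check "$SAMPLE" "$THRESHOLD"; then
    echo "NAT load normal"
else
    echo "ALERT: page the operator here (pipe the report above to mail(1))"
fi
```

The per-source breakdown is the part worth keeping: a raw session count tells you something is wrong, but the busiest inner address is the host you will want to ipf out of the way.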