Subject: SYN floods and ICMP oddness
To: None <tech-net@netbsd.org>
From: Michael Graff <explorer@flame.org>
List: tech-net
Date: 03/03/2003 19:32:37
I think there is a rather severe bug in the TCP stack, which may or
may not be SMP related. I don't think it is, since I see close to the
same behavior on a non-SMP box.

What happens is this:

A SYN flood runs the non-SMP box out of mbufs, which crashes the box.

A SYN flood confuses the SMP box (it's a dual Athlon with much, much
more memory) so badly that TCP connections really get hosed, and even
non-network things start acting up ("sync" takes 15 seconds,
"netstat -inbw 1" doesn't print more than the first line of text, http
is screwed, UDP seems to have issues talking off-machine, etc.)

Also, on either box, I cannot get a kernel dump. The SMP box says
"dumping" and then sits there. The other grew more memory than swap
space so it fails to dump.

Here's a snippet of all the TCP connections I see. Most of the
TIME_WAIT were there for more than 30 minutes. This snapshot was made
AFTER I blocked the SYN flood at the router (just blocked access to
the flooded port.)

Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 816 xxx.xxx.xxx.xx.9000 yy.183.90.60.64783 FIN_WAIT_1
tcp 0 831 xxx.xxx.xxx.xx.9000 yy.165.132.141.4865 LAST_ACK
tcp 0 830 xxx.xxx.xxx.xx.9000 yy.58.47.32.1304 FIN_WAIT_1
tcp 0 837 xxx.xxx.xxx.xx.9000 yy.86.83.52.1263 FIN_WAIT_1
tcp 0 835 xxx.xxx.xxx.xx.9000 yy.187.236.55.1597 FIN_WAIT_1
tcp 0 836 xxx.xxx.xxx.xx.9000 yy.227.201.106.2857 FIN_WAIT_1
tcp 0 0 xxx.xxx.xxx.xx.9000 yy.209.195.67.1316 TIME_WAIT
tcp 0 814 xxx.xxx.xxx.xx.9000 yy.88.79.247.4294 FIN_WAIT_1
tcp 0 0 xxx.xxx.xxx.xx.9000 yy.229.129.240.1149 TIME_WAIT
tcp 0 820 xxx.xxx.xxx.xx.9000 yy.154.100.89.4109 FIN_WAIT_1
tcp 0 0 xxx.xxx.xxx.xx.9000 yy.169.40.174.4103 TIME_WAIT
tcp 0 835 xxx.xxx.xxx.xx.9000 yy.102.116.79.3116 FIN_WAIT_1
tcp 0 0 xxx.xxx.xxx.xx.9000 yy.176.64.99.2180 TIME_WAIT
tcp 0 812 xxx.xxx.xxx.xx.9000 yy.227.240.78.64835 FIN_WAIT_1
tcp 0 830 xxx.xxx.xxx.xx.9000 yy.175.132.177.65360 FIN_WAIT_1
tcp 0 819 xxx.xxx.xxx.xx.9000 yy.161.5.96.3716 LAST_ACK
tcp 0 831 xxx.xxx.xxx.xx.9000 yy.61.199.33.3990 FIN_WAIT_1
tcp 0 839 xxx.xxx.xxx.xx.9000 yy.201.195.123.2868 FIN_WAIT_1
tcp 0 829 xxx.xxx.xxx.xx.9000 yy.2.153.6.38331 FIN_WAIT_1
tcp 0 817 xxx.xxx.xxx.xx.9000 yy.155.198.65.4132 FIN_WAIT_1
tcp 0 821 xxx.xxx.xxx.xx.9000 yy.78.0.106.4769 FIN_WAIT_1
tcp 0 812 xxx.xxx.xxx.xx.9000 yy.10.45.65.3980 FIN_WAIT_1
tcp 0 0 xxx.xxx.xxx.xx.9000 yy.85.65.125.1954 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xx.9000 yy.52.8.184.4327 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xx.9000 yy.125.193.107.3216 TIME_WAIT
tcp 0 835 xxx.xxx.xxx.xx.9000 yy.98.75.171.1242 FIN_WAIT_1
tcp 0 0 xxx.xxx.xxx.xx.9000 yy.253.32.166.1511 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xx.9000 yy.77.27.120.65092 TIME_WAIT
tcp 0 818 xxx.xxx.xxx.xx.9000 yy.229.180.117.3899 FIN_WAIT_1
tcp 0 0 xxx.xxx.xxx.xx.9000 yy.193.240.121.1641 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xx.9000 yy.44.251.44.1966 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xx.9000 yy.86.85.97.1875 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xx.9000 yy.245.135.74.3405 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xx.9000 yy.8.49.50.1155 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xx.9000 yy.51.19.52.1986 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xx.9000 yy.146.25.42.1117 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xx.9000 yy.63.129.69.1798 TIME_WAIT
< over 9800 more lines omitted >
--Michael
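
Added example, not part of the original message and not NetBSD code: a Python triage helper that tallies a BSD-format netstat snapshot like the one above by local port and TCP state, and counts closing-state sockets that still hold data in Send-Q. The sample lines, the documentation addresses and the `min_stuck` threshold are constructed assumptions.

```python
"""Summarise TCP states per local port from BSD-style `netstat -n` output."""
from collections import Counter, defaultdict

# States in which the local side is still waiting on the peer during close;
# a non-zero Send-Q here means data is queued that the peer has not ACKed.
CLOSING = {"FIN_WAIT_1", "FIN_WAIT_2", "CLOSING", "LAST_ACK"}

# Constructed sample (documentation addresses), same column layout as the post.
SAMPLE = """\
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 816 192.0.2.10.9000 198.51.100.60.64783 FIN_WAIT_1
tcp 0 831 192.0.2.10.9000 198.51.100.141.4865 LAST_ACK
tcp 0 0 192.0.2.10.9000 198.51.100.67.1316 TIME_WAIT
tcp 0 0 192.0.2.10.9000 198.51.100.240.1149 TIME_WAIT
tcp 0 830 192.0.2.10.9000 198.51.100.32.1304 FIN_WAIT_1
tcp 0 0 192.0.2.10.22 198.51.100.5.50122 ESTABLISHED
tcp 0 0 *.9000 *.* LISTEN
"""

def summarise(text):
    """Return {local_port: {"states": Counter, "stuck": n, "queued": bytes}}."""
    ports = defaultdict(lambda: {"states": Counter(), "stuck": 0, "queued": 0})
    for line in text.splitlines():
        f = line.split()
        # Data rows have six fields: proto recv-q send-q local foreign state.
        # The banner and column-header lines split differently and are skipped.
        if len(f) != 6 or not f[0].startswith("tcp") or not f[2].isdigit():
            continue
        # BSD netstat joins address and port with '.', so split on the last one.
        port = f[3].rsplit(".", 1)[-1]
        entry = ports[port]
        entry["states"][f[5]] += 1
        if f[5] in CLOSING and int(f[2]) > 0:
            entry["stuck"] += 1
            entry["queued"] += int(f[2])
    return dict(ports)

def suspicious(summary, min_stuck=3):
    """Ports with at least min_stuck closing sockets that still hold queued data."""
    return sorted(p for p, e in summary.items() if e["stuck"] >= min_stuck)

if __name__ == "__main__":
    for port, e in sorted(summarise(SAMPLE).items()):
        print(port, dict(e["states"]), "stuck:", e["stuck"], "queued:", e["queued"])
```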