Do you, by any chance, have a Microsoft IIS server running?
Barry Irwin wrote:
> Hi All
>
> Just wondering if anyone else has experienced the following problem:
>
> I have a number of networks running with FreeBSD firewalls providing a
> nat service to a number of hosts behind the wall itself. Both outgoing nat
> and port_redirection are provided. This has been running stably for over a
> year. However, in the last 10 days I have had a number of these natd
> processes suddenly bloat (looking at 48Megs upwards when they normally sit
> at around 700K-1Meg). Ping times to the firewalls (in fact any packets
> passing through the natd process) are delayed; it seems to suffer a type of
> exponential decay, with the highest delay I have recorded being in the order
> of 240 seconds!
>
> At this kind of latency, network connectivity is nonexistent. One of the
> first signs of an impending slowdown is that DNS starts timing out. The
> firewalls are running pretty standard martian filters (see
> Draft-manning-dusa03.txt) to filter out the majority of the cruft floating
> around.
>
> This has so far impacted 4.0-Release, 4.1-RELEASE as well as 4.3-STABLE.
> Reviews of tcpdumps collected once slowdown has been noticed do not show any
> signs of strange activity. What I am wondering is, is there some new
> scanning/DoS tool which is causing natd to get its data structures in a
> knot, and thereby grow massively, in addition to the slowdown?
>
> Without having looked at the data structures in detail, it appears as though
> there is a long linked list that is getting exponentially grown, and
> thereby accounting for the increase in memory usage, as well as the massively
> increased latency caused by performing lookups in the data structure chain.
>
> So back to the question, has anyone else heard/experienced/seen this?
>
> Barry
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-net" in the body of the message
>
--
Daniel C. Sobral (8-DCS)
[EMAIL PROTECTED]
An exotic young lady named Suki
Once danced in a troupe of kabuki
When asked for a fuck
She said, "Solly, no luck--
See here: looky looky, no nuki"