
pf sending an ACK storm?!



  Hello.
  
  I noticed something strange with pf, 100% reproducible on OpenBSD 3.2 and
today's -current.
  brutus is an OpenBSD-current NAT gateway.
  synchron is a Linux workstation whose gateway is brutus.
  
  If I ssh from synchron to brutus and disable the firewall:
  
synchron> ssh brutus
brutus> sudo pfctl -d
  synchron gets flooded by brutus, the 100Mb link gets immediately saturated
and the only way to calm the storm is to change the IP address of synchron.
  tcpdump on synchron when the storm starts:
18:58:42.801305 synchron.stdc.org.41291 > brutus.stdc.org.ssh: P 1193829569:1193829617(48) ack 560299668 win 22512 <nop,nop,timestamp 3437295 1686345910> (DF) [tos 0x10] 
18:58:42.815417 brutus.stdc.org.ssh > synchron.stdc.org.41291: P 1:49(48) ack 48 win 17376 <nop,nop,timestamp 1686345941 3437295> [tos 0x10] 
18:58:42.815438 synchron.stdc.org.41291 > brutus.stdc.org.ssh: . ack 49 win 22512 <nop,nop,timestamp 3437297 1686345941> (DF) [tos 0x10] 
18:58:42.826503 brutus.stdc.org.ssh > synchron.stdc.org.41291: P 2440842849:2440842897(48) ack 3926423246 win 17376 <nop,nop,timestamp 1686345941 3437297> (DF) [tos 0x10] 
18:58:42.826525 synchron.stdc.org.41291 > brutus.stdc.org.ssh: . ack 49 win 22512 <nop,nop,timestamp 3437298 1686345941,nop,nop,sack sack 1 {2440842849:2440842897} > (DF) [tos 0x10] 
18:58:42.826676 brutus.stdc.org.ssh > synchron.stdc.org.41291: . ack 3926423246 win 17376 <nop,nop,timestamp 1686345941 3437297> (DF) [tos 0x10] 
18:58:42.826680 synchron.stdc.org.41291 > brutus.stdc.org.ssh: . ack 49 win 22512 <nop,nop,timestamp 3437298 1686345941> (DF) [tos 0x10] 
18:58:42.826779 brutus.stdc.org.ssh > synchron.stdc.org.41291: . ack 3926423246 win 17376 <nop,nop,timestamp 1686345941 3437297> (DF) [tos 0x10] 
18:58:42.826782 synchron.stdc.org.41291 > brutus.stdc.org.ssh: . ack 49 win 22512 <nop,nop,timestamp 3437298 1686345941> (DF) [tos 0x10] 
18:58:42.826871 brutus.stdc.org.ssh > synchron.stdc.org.41291: . ack 3926423246 win 17376 <nop,nop,timestamp 1686345941 3437297> (DF) [tos 0x10] 
18:58:42.826873 synchron.stdc.org.41291 > brutus.stdc.org.ssh: . ack 49 win 22512 <nop,nop,timestamp 3437298 1686345941> (DF) [tos 0x10] 
  tons of similar packets are following.
    
-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <[email protected]>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/";> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/";> Misc. free software </a>  \/
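
Added example, not part of the original message: a small Python check over tcpdump text in the format shown above that flags the pattern visible in the capture, where both hosts keep sending data-less ACKs with an unchanged ack number. The function names and the threshold of 3 are assumptions; the sample lines are abridged from the capture in the post (TCP options dropped).

```python
import re
from collections import defaultdict

# Old-style tcpdump text: "time src > dst: flags [seq:seq(len)] ack N win W ..."
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+) "
    r"(?:(?P<seq>\d+):\d+\((?P<len>\d+)\) )?ack (?P<ack>\d+) win \d+"
)

def find_ack_storms(lines, threshold=3):
    """Return {(src, dst, ack): count} for pure ACKs seen >= threshold times."""
    repeats = defaultdict(int)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a TCP line in the expected format
        # A pure ACK has flags "." and no seq:seq(len) payload range.
        if m["flags"] == "." and m["seq"] is None:
            repeats[(m["src"], m["dst"], int(m["ack"]))] += 1
    return {k: n for k, n in repeats.items() if n >= threshold}

def is_bidirectional_storm(storms):
    """True when both directions of one host pair show repeated pure ACKs."""
    pairs = {(s, d) for s, d, _ in storms}
    return any((d, s) in pairs for s, d in pairs)

S, B = "synchron.stdc.org.41291", "brutus.stdc.org.ssh"
# Sample input abridged from the capture in the post (options removed).
SAMPLE = [
    f"18:58:42.801305 {S} > {B}: P 1193829569:1193829617(48) ack 560299668 win 22512",
    f"18:58:42.815417 {B} > {S}: P 1:49(48) ack 48 win 17376",
    f"18:58:42.815438 {S} > {B}: . ack 49 win 22512",
    f"18:58:42.826503 {B} > {S}: P 2440842849:2440842897(48) ack 3926423246 win 17376",
    f"18:58:42.826525 {S} > {B}: . ack 49 win 22512",
    f"18:58:42.826676 {B} > {S}: . ack 3926423246 win 17376",
    f"18:58:42.826680 {S} > {B}: . ack 49 win 22512",
    f"18:58:42.826779 {B} > {S}: . ack 3926423246 win 17376",
    f"18:58:42.826782 {S} > {B}: . ack 49 win 22512",
    f"18:58:42.826871 {B} > {S}: . ack 3926423246 win 17376",
    f"18:58:42.826873 {S} > {B}: . ack 49 win 22512",
]

if __name__ == "__main__":
    storms = find_ack_storms(SAMPLE)
    for (src, dst, ack), n in storms.items():
        print(f"{src} -> {dst}: pure ACK {ack} repeated {n} times")
    print("bidirectional storm:", is_bidirectional_storm(storms))
```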