
Re: pf sending an ACK storm?!



On Thu, Nov 28, 2002 at 07:13:28PM +0100, Jedi/Sector One wrote:
> brutus> sudo pfctl -d
> 
>   synchron gets flooded by brutus, the 100Mb link gets immediately saturated
> and the only way to calm the storm is to change the IP address of synchron.

The ssh connection to synchron<->brutus isn't by any chance filtered
statefully, using modulate state? :)

Deactivating pf will immediately break all ongoing modulated connections
(obviously), though I've never seen that cause a flood. Usually one of
the peers issues an RST when it sees the first unmodulated packet.
Even if the unmodulated packets don't cause an immediate RST, both peers'
retransmissions shouldn't flood the network, very weird.

Can you confirm whether it's modulate related? I'll think about an
explanation in the meantime :)

Daniel