Hello,
The problem occurred again. The kernel has over 3,000 connections in
TIME_WAIT state. The compounds are after an hour wait not disappeared.
There are more and more connections in the TIME_WAIT state. My settings
are:
net.inet.tcp.mslt.enable = 1
net.inet.tcp.mslt.loopback = 2
net.inet.tcp.mslt.local = 10
net.inet.tcp.mslt.remote = 60
net.inet.tcp.mslt.remote_threshold = 6
The last few times I have restarted the server in order to solve the
problem. Frequent reboots but very inconvenient for a server.
Does anyone have instructions what information I can still gather to post
a bug report? The statement "connections in the TIME_WAIT status are not
degraded" are probably not sufficient to find the problem.
Thank you for your efforts
Regards
Uwe
On Mon, 19 Jan 2015, Michael van Elst wrote:
Date: Mon, 19 Jan 2015 19:51:31 +0000 (UTC)
From: Michael van Elst <[email protected]>
To: [email protected]
Newsgroups: lists.netbsd.current-users
Subject: Re: DoS attack against TCP services
[email protected] (Johnny Billquist) writes:
Timeout should not depend on distance, and should actually be (at least)
2*MSS, which would be something in the several minutes range.
It's 2*msl but msl can be a bit variable
net.inet.tcp.mslt.enable = 1
net.inet.tcp.mslt.loopback = 2
net.inet.tcp.mslt.local = 10
net.inet.tcp.mslt.remote = 60
If I understand this correctly, these msl values are in units of 500ms,
so 2*msl is the same value in seconds.
What is considered a local connection is a bit of magic and if you set
net.inet.tcp.mslt.enable=0 then everything is treated as a remote
connection.
--
--
Michael van Elst
Internet: [email protected]
"A potential Snark may lurk in every tree."
