Re: Possible DoS in mpd 5.6 pppoe server
On 05/05/13 04:21, Eugene Grosbein wrote:
> On 05.05.2013 07:51, Marcelo Gondim wrote:
>
>> I changed hardware for motherboard Supermicro X9SCM-F and Xeon processor
>> 3.2Ghz E31230 with 8Gb ram ECC. The problem stopped and the server was
>> very stable.
>> The problem could be with the Intel motherboard S5500BC? Because this
>> was installed with 2 Xeon processors and two memory banks 4Gb.
>> Could be FreeBSD incompatibility with the hardware or faulty hardware?
>>
>> Thanks and best regards,
>
> I don't think so. The race problem is known. It has software nature
> and crash probability depends on many reasons. The change of hardware
> changes some aspects, indeed :-) In your case it somehow made
> the server more stable but that's not any kind of hardware incompatibility.

Is any developer seeing this problem? Because I saw the PR that has been
going on since 2011.

http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/162558

I'm trying to replace several Mikrotik RouterOS (PPPoE server) for FreeBSD
with mpd + freeradius + mysql. All my servers are FreeBSD except PPPoE
Server. :(

Best regards,

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: Possible DoS in mpd 5.6 pppoe server
On 05.05.2013 07:51, Marcelo Gondim wrote:

> I changed hardware for motherboard Supermicro X9SCM-F and Xeon processor
> 3.2Ghz E31230 with 8Gb ram ECC. The problem stopped and the server was
> very stable.
> The problem could be with the Intel motherboard S5500BC? Because this
> was installed with 2 Xeon processors and two memory banks 4Gb.
> Could be FreeBSD incompatibility with the hardware or faulty hardware?
>
> Thanks and best regards,

I don't think so. The race problem is known. It has software nature
and crash probability depends on many reasons. The change of hardware
changes some aspects, indeed :-) In your case it somehow made
the server more stable but that's not any kind of hardware incompatibility.
Re: Possible DoS in mpd 5.6 pppoe server
On 21/04/13 10:59, Eugene Grosbein wrote:
> On 21.04.2013 06:08, Marcelo Gondim wrote:
>> On 20/04/13 14:33, Eugene Grosbein wrote:
>>> On 21.04.2013 00:26, Marcelo Gondim wrote:
>>>>> You seem to use dummynet and the problem is not in mpd/pppoe code,
>>>>> it's in the dummynet code. Look at
>>>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/162558
>>>>> for workarounds.
>>>> Ok :) I will try this:
>>>>
>>>> - net.isr.bindthreads=1 in /boot/loader.conf;
>>>> - net.isr.direct=1 and net.isr.direct_force=1 in /etc/sysctl.conf
>>> For 9.x and newer, net.isr.XXX knob names have changed but defaults are
>>> fine - if you have not messed with them, you should be OK.
>>
>> Eugene,
>>
>> Is FreeBSD 8.3-STABLE best for this use or does this problem also occur
>> in 8.x?
>
> I have not tried anything newer than 8.x for this task yet.
> With noted tuning, this problem within dummynet occurs very seldom for me.
> I had about two or three panics for many months. Another one described here:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/171711
>
> Perhaps, using ng_car would be even more stable, I have not tried it.
>
> Eugene Grosbein

Hi all,

I changed hardware for motherboard Supermicro X9SCM-F and Xeon processor
3.2Ghz E31230 with 8Gb ram ECC. The problem stopped and the server was
very stable.
The problem could be with the Intel motherboard S5500BC? Because this
was installed with 2 Xeon processors and two memory banks 4Gb.
Could be FreeBSD incompatibility with the hardware or faulty hardware?

Thanks and best regards,

Gondim
Re: Possible DoS in mpd 5.6 pppoe server
Marcelo,

On Sat, Apr 20, 2013 at 02:26:10PM -0300, Marcelo Gondim wrote:
M> >> I'm doing tests with mpd as pppoe server. Tried to simulate an attack of
M> >> 1000 connections using an incorrect login and after a certain time can
M> >> cause a kernel panic in the system. Below the panic generated:
M> >>
M> >> http://pastebin.com/nUXGVR3y
M> > You seem to use dummynet and the problem is not in mpd/pppoe code,
M> > it's in the dummynet code. Look at http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/162558
M> > for workarounds.
M> Ok :) I will try this:
M>
M> - net.isr.bindthreads=1 in /boot/loader.conf;
M> - net.isr.direct=1 and net.isr.direct_force=1 in /etc/sysctl.conf

Be advised, that these settings do not fix the problem with dummynet, they
just make the race less probable to happen.

-- 
Totus tuus, Glebius.
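The workaround discussed in this thread, as an added example that is not part of any message: a POSIX sh audit that checks whether the three net.isr settings are present for an 8.x host and skips the check for 9.x and newer. The function names and the file arguments are assumptions of this sketch, and the tuning it checks only makes the dummynet race less likely.

```sh
#!/bin/sh
# Added example (not from the thread): audit the 8.x net.isr workaround.
# Function names and the file-path arguments are assumptions of this sketch.

# get_knob FILE NAME: print the last value assigned to NAME in FILE.
get_knob() {
    [ -r "$1" ] || return 0
    awk -v want="$2" '
        { sub(/#.*/, "") }                      # strip comments
        {
            eq = index($0, "="); if (eq == 0) next
            name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", name); gsub(/[ \t"]/, "", val)
            if (name == want) last = val        # later lines override earlier
        }
        END { if (last != "") print last }' "$1"
}

# need_one FILE NAME: succeed only if NAME is set to 1 in FILE.
need_one() {
    val=$(get_knob "$1" "$2")
    if [ "$val" = "1" ]; then echo "ok       $2=1"; return 0; fi
    echo "MISSING  $2=1 in $1 (found: ${val:-unset})"
    return 1
}

# check_isr_workaround MAJOR LOADER_CONF SYSCTL_CONF
# Returns 0 if the tuning is in place or not applicable, 1 if a knob is missing.
check_isr_workaround() {
    rc=0
    if [ "$1" -ge 9 ]; then
        echo "FreeBSD $1.x: knob names changed; the thread says defaults are fine"
        return 0
    fi
    need_one "$2" net.isr.bindthreads  || rc=1
    need_one "$3" net.isr.direct       || rc=1
    need_one "$3" net.isr.direct_force || rc=1
    [ "$rc" -eq 0 ] && echo "note: lowers the odds of the dummynet race, does not fix it"
    return "$rc"
}

# Constructed sample files: direct_force is deliberately left out.
tmp=$(mktemp -d)
printf 'net.isr.bindthreads="1"\n' > "$tmp/loader.conf"
printf '# tuning\nnet.isr.direct=1\n' > "$tmp/sysctl.conf"
check_isr_workaround 8 "$tmp/loader.conf" "$tmp/sysctl.conf" || echo "=> incomplete"
rm -rf "$tmp"
```

On a live 8.x system the arguments would be `/boot/loader.conf` and `/etc/sysctl.conf`.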
Re: Possible DoS in mpd 5.6 pppoe server
On 21.04.2013 06:08, Marcelo Gondim wrote:
> On 20/04/13 14:33, Eugene Grosbein wrote:
>> On 21.04.2013 00:26, Marcelo Gondim wrote:
>>>> You seem to use dummynet and the problem is not in mpd/pppoe code,
>>>> it's in the dummynet code. Look at
>>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/162558
>>>> for workarounds.
>>> Ok :) I will try this:
>>>
>>> - net.isr.bindthreads=1 in /boot/loader.conf;
>>> - net.isr.direct=1 and net.isr.direct_force=1 in /etc/sysctl.conf
>> For 9.x and newer, net.isr.XXX knob names have changed but defaults are
>> fine - if you have not messed with them, you should be OK.
>
> Eugene,
>
> Is FreeBSD 8.3-STABLE best for this use or does this problem also occur
> in 8.x?

I have not tried anything newer than 8.x for this task yet.
With noted tuning, this problem within dummynet occurs very seldom for me.
I had about two or three panics for many months. Another one described here:
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/171711

Perhaps, using ng_car would be even more stable, I have not tried it.

Eugene Grosbein
Re: Possible DoS in mpd 5.6 pppoe server
On 20/04/13 14:33, Eugene Grosbein wrote:
> On 21.04.2013 00:26, Marcelo Gondim wrote:
>>> You seem to use dummynet and the problem is not in mpd/pppoe code,
>>> it's in the dummynet code. Look at
>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/162558
>>> for workarounds.
>> Ok :) I will try this:
>>
>> - net.isr.bindthreads=1 in /boot/loader.conf;
>> - net.isr.direct=1 and net.isr.direct_force=1 in /etc/sysctl.conf
> For 9.x and newer, net.isr.XXX knob names have changed but defaults are
> fine - if you have not messed with them, you should be OK.

Eugene,

Is FreeBSD 8.3-STABLE best for this use or does this problem also occur
in 8.x?

Best regards,

Gondim
Re: Possible DoS in mpd 5.6 pppoe server
Hi,

My ipfw rules, pf rules and dummynet:

fw="/sbin/ipfw"
ext_if="igb0"

$fw disable one_pass
$fw -f flush
$fw zero
$fw table all flush
$fw -f pipe flush

ssh_port="4321"

$fw add allow all from any to any via lo0
$fw add deny all from 127.0.0.0/8 to any
$fw add deny all from any to 127.0.0.0/8

$fw add check-state

# speed: 1024kbps
$fw add pipe 1 ip from "table(10)" to any in via ng*
$fw add pipe 2 ip from any to "table(10)" out via ng*
$fw pipe 1 config bw 1024Kbit/s queue 128 mask src-ip 255.255.255.255
$fw pipe 2 config bw 1024Kbit/s queue 128 mask dst-ip 255.255.255.255

# speed: 2048kbps
$fw add pipe 3 ip from "table(11)" to any in via ng*
$fw add pipe 4 ip from any to "table(11)" out via ng*
$fw pipe 3 config bw 2048Kbit/s queue 256 mask src-ip 255.255.255.255
$fw pipe 4 config bw 2048Kbit/s queue 256 mask dst-ip 255.255.255.255

# speed: 10240kbps
$fw add pipe 5 ip from "table(12)" to any in via ng*
$fw add pipe 6 ip from any to "table(12)" out via ng*
$fw pipe 5 config bw 10240Kbit/s queue 1280 mask src-ip 255.255.255.255
$fw pipe 6 config bw 10240Kbit/s queue 1280 mask dst-ip 255.255.255.255

# speed: 64kbps
$fw add pipe 7 ip from "table(13)" to any in via ng*
$fw add pipe 8 ip from any to "table(13)" out via ng*
$fw pipe 7 config bw 64Kbit/s queue 8 mask src-ip 255.255.255.255
$fw pipe 8 config bw 64Kbit/s queue 8 mask dst-ip 255.255.255.255

$fw add allow icmp from any to any icmptypes 0,3,8,11,12
$fw add deny icmp from any to any

PF Rules:
===

ext_if = "igb0"
table persist { 10.0.0.0/8 }
set skip on lo0
set limit states 4
nat on $ext_if from to any -> 192.168.8.34

On 20/04/13 11:48, Adrian Chadd wrote:
> Can you provide more information about the configuration of mpd and ppp?
> the panic is in the dummynet code; can you provide information about
> your ipfw/dummynet setup?
>
> Thanks,
>
> adrian
>
> On 20 April 2013 06:21, Marcelo Gondim wrote:
>> Hi all,
>>
>> I'm doing tests with mpd as pppoe server. Tried to simulate an attack of 1000
>> connections using an incorrect login and after a certain time can cause a
>> kernel panic in the system. Below the panic generated:
>>
>> http://pastebin.com/nUXGVR3y
>>
>> Other equipment I do:
>>
>> # for (( i=0; i < 1000; i++ )); do ppp -ddial intnet ; done
>>
>> My System:
>>
>> Intel Motherboard Server S5500BC with Dual Processor Xeon(R) CPU E5606 @
>> 2.13GHz
>> 8Gb ram
>>
>> I do not understand programming in C or Assembly. But could someone tell me
>> if what happened was a system problem or hardware?
>>
>> Best regards,
>>
>> Gondim
Re: Possible DoS in mpd 5.6 pppoe server
On 21.04.2013 00:26, Marcelo Gondim wrote:

>> You seem to use dummynet and the problem is not in mpd/pppoe code,
>> it's in the dummynet code. Look at
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/162558
>> for workarounds.
> Ok :) I will try this:
>
> - net.isr.bindthreads=1 in /boot/loader.conf;
> - net.isr.direct=1 and net.isr.direct_force=1 in /etc/sysctl.conf

For 9.x and newer, net.isr.XXX knob names have changed but defaults are
fine - if you have not messed with them, you should be OK.
Re: Possible DoS in mpd 5.6 pppoe server
On 20/04/13 13:10, Eugene Grosbein wrote:
> On 20.04.2013 20:21, Marcelo Gondim wrote:
>> Hi all,
>>
>> I'm doing tests with mpd as pppoe server. Tried to simulate an attack of
>> 1000 connections using an incorrect login and after a certain time can
>> cause a kernel panic in the system. Below the panic generated:
>>
>> http://pastebin.com/nUXGVR3y
> You seem to use dummynet and the problem is not in mpd/pppoe code,
> it's in the dummynet code. Look at
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/162558
> for workarounds.

Ok :) I will try this:

- net.isr.bindthreads=1 in /boot/loader.conf;
- net.isr.direct=1 and net.isr.direct_force=1 in /etc/sysctl.conf
Re: Possible DoS in mpd 5.6 pppoe server
Hi Adrian,

Thanks for your help. :)

My mpd.conf:

startup:
    # configure mpd users
    #set user foo bar admin
    set user suporte papatango
    set user admin tutumineiro admin
    # configure the console
    set console self 192.168.8.34 5005
    set console open
    # configure the web server
    set web self 0.0.0.0 5006
    set web open

default:
    load pppoe_server

pppoe_server:
    create bundle template B
    set iface disable proxy-arp
    set iface enable tcpmssfix
    set ipcp dns 8.8.8.8 8.8.4.4
    #set ipcp enable vjcomp
    set iface up-script /usr/local/etc/mpd5/addclient.sh
    set iface down-script /usr/local/etc/mpd5/removeclient.sh
    set ippool add pool1 10.10.0.1 10.10.255.254
    set ipcp ranges 10.51.0.1/32 ippool pool1

    create link template common pppoe
    #set link enable multilink
    set link action bundle B
    set link disable chap pap eap
    set link mtu 1492
    set link mru 1492
    set link enable pap
    load radius

    create link template igb1 common
    set pppoe iface igb1
    set pppoe acname "IntBSD1"
    set pppoe service "*"
    set link enable incoming
    set auth max-logins 1
    set link max-children 5000

    create link template igb2 common
    set pppoe iface igb2
    set pppoe acname "IntBSD2"
    set pppoe service "*"
    set link enable incoming
    set auth max-logins 1
    set link max-children 5000

    create link template igb3 common
    set pppoe iface igb3
    set pppoe acname "IntBSD3"
    set pppoe service "*"
    set link enable incoming
    set auth max-logins 1
    set link max-children 5000

radius:
    set radius server localhost xuxupedra 1812 1813
    set radius retries 3
    set radius timeout 3
    # send the given IP in the RAD_NAS_IP_ADDRESS attribute to the server.
    set radius me 127.0.0.1
    # send accounting updates every 5 minutes
    set auth acct-update 300
    # enable RADIUS, and fallback to mpd.secret, if RADIUS auth failed
    set auth enable radius-auth
    # enable RADIUS accounting
    set auth enable radius-acct
    # protect our requests with the message-authenticator
    set radius enable message-authentic

My ppp.conf:

intnet:
 set device PPPoE:re0
 set mru 1492
 set mtu 1492
 set authname hercilia201254
 set authkey 12345
 set login
 set dial
 enable dns
 add default HISADDR
 set timeout 0
 open

The test server is off now, but I'll get ipfw and dummynet settings in
the company and post it here.

On 20/04/13 11:48, Adrian Chadd wrote:
> Can you provide more information about the configuration of mpd and ppp?
> the panic is in the dummynet code; can you provide information about
> your ipfw/dummynet setup?
>
> Thanks,
>
> adrian
>
> On 20 April 2013 06:21, Marcelo Gondim wrote:
>> Hi all,
>>
>> I'm doing tests with mpd as pppoe server. Tried to simulate an attack of 1000
>> connections using an incorrect login and after a certain time can cause a
>> kernel panic in the system. Below the panic generated:
>>
>> http://pastebin.com/nUXGVR3y
>>
>> Other equipment I do:
>>
>> # for (( i=0; i < 1000; i++ )); do ppp -ddial intnet ; done
>>
>> My System:
>>
>> Intel Motherboard Server S5500BC with Dual Processor Xeon(R) CPU E5606 @
>> 2.13GHz
>> 8Gb ram
>>
>> I do not understand programming in C or Assembly. But could someone tell me
>> if what happened was a system problem or hardware?
>>
>> Best regards,
>>
>> Gondim
Re: Possible DoS in mpd 5.6 pppoe server
On 20.04.2013 20:21, Marcelo Gondim wrote:
> Hi all,
>
> I'm doing tests with mpd as pppoe server. Tried to simulate an attack of
> 1000 connections using an incorrect login and after a certain time can
> cause a kernel panic in the system. Below the panic generated:
>
> http://pastebin.com/nUXGVR3y

You seem to use dummynet and the problem is not in mpd/pppoe code,
it's in the dummynet code. Look at
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/162558
for workarounds.
Re: Possible DoS in mpd 5.6 pppoe server
Can you provide more information about the configuration of mpd and ppp?
the panic is in the dummynet code; can you provide information about
your ipfw/dummynet setup?

Thanks,

adrian

On 20 April 2013 06:21, Marcelo Gondim wrote:
> Hi all,
>
> I'm doing tests with mpd as pppoe server. Tried to simulate an attack of 1000
> connections using an incorrect login and after a certain time can cause a
> kernel panic in the system. Below the panic generated:
>
> http://pastebin.com/nUXGVR3y
>
> Other equipment I do:
>
> # for (( i=0; i < 1000; i++ )); do ppp -ddial intnet ; done
>
> My System:
>
> Intel Motherboard Server S5500BC with Dual Processor Xeon(R) CPU E5606 @
> 2.13GHz
> 8Gb ram
>
> I do not understand programming in C or Assembly. But could someone tell me
> if what happened was a system problem or hardware?
>
> Best regards,
>
> Gondim
Possible DoS in mpd 5.6 pppoe server
Hi all,

I'm doing tests with mpd as pppoe server. Tried to simulate an attack of
1000 connections using an incorrect login and after a certain time can
cause a kernel panic in the system. Below the panic generated:

http://pastebin.com/nUXGVR3y

Other equipment I do:

# for (( i=0; i < 1000; i++ )); do ppp -ddial intnet ; done

My System:

Intel Motherboard Server S5500BC with Dual Processor Xeon(R) CPU E5606 @
2.13GHz
8Gb ram

I do not understand programming in C or Assembly. But could someone tell
me if what happened was a system problem or hardware?

Best regards,

Gondim