On Mon, May 23, 2011 at 9:59 AM, Chris Wopat <m...@falz.net> wrote:
> Had a strange issue overnight. In short I had two OpenBSD boxes acting
> as routers denial of service my network with OSPFv3 multicast packets.

This happened again today. This time it was on a third OpenBSD box.
The last time it happened it was happening what appeared to be
simultaneously from two freshly installed 4.9 AMD64 boxes. This box is
the same install and similar configuration as before.

This time we were able to capture a sniff as well as a ktrace.

    http://falz.net/static/openbsd/ktrace-openbsd-49-2011-05-24.out (~170mb)
    http://falz.net/static/openbsd/sniff-openbsd-49-2011-05-24.pcap (~50mb)

The pcap file above shows 604941 packets in a period of 9.4
seconds (!). All of the packets are:

66.170.7.139 > 224.0.0.5: OSPFv2-ls_upd 28: rtrid 66.170.0.14 backbone
[tos 0xc0] [ttl 1]

66.170.7.139 is one of two IPs on the problematic OpenBSD box. 0.14 is
the loopback (lo1) on that box. If you want to see a screen cap of the
interesting parts of the packets here's a screenshot from wireshark:

    http://falz.net/static/openbsd/wireshark-packet-screenshot.png

These are the first two packets. They're all OSPF type 4 Link State
updates. During a part of the time period where we had the issue we
thought it may have been some sort of spanning tree issue since it
jumped back and forth between the two VLANs that this server is
attached to. You can see in the dump that the OSPF Auth Crypto
Sequence Number increments and the Auth data changes in each packet so
they definitely appear to be unique packets. Here are packet counts from
the switch it uplinks to. Blue is out, so originating from the device:

    http://falz.net/static/openbsd/openbsd-em0-pps-graph.png
    http://falz.net/static/openbsd/openbsd-em1-pps-graph.png

This shows what we saw: it originated on em0 and moved to em1. I'd
love to hear from Claudio/Esben or any OpenOSPFD users, especially
those running 4.9 since it appears that there were several ospfd
updates in 4.9. While things are stable at the moment I'm going to
potentially disable ospfd tonight and switch BGP to a less redundant
manner. If I can confirm there's something wrong in 4.9 I'll just go
to 4.8 instead.

--Chris
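The capture described in the post (hundreds of thousands of OSPFv2 LS updates from one router in under ten seconds) is the kind of event a simple rate check over tcpdump output can flag long before a router's neighbours notice. The following is an added example, not code from the thread or from OpenOSPFD: it parses tcpdump one-line summaries in the format quoted above (with a leading timestamp, which the quoted line omits), counts LS updates per source router per one-second bucket, and reports any source whose peak rate exceeds a threshold. The sample capture lines, the second router 66.170.7.140 / 66.170.0.15, the timestamps and the 500 pps threshold are all constructed for the example.

```python
import re
from collections import Counter

# tcpdump one-line summary of an OSPFv2 packet, e.g.
#   10:01:01.000400 IP 66.170.7.139 > 224.0.0.5: OSPFv2-ls_upd 28: rtrid 66.170.0.14 backbone [tos 0xc0] [ttl 1]
# The timestamp prefix is assumed; the rest mirrors the line quoted in the post.
OSPF_LINE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<us>\d{6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"OSPFv2-(?P<ptype>\w+) \d+: rtrid (?P<rtrid>\d+\.\d+\.\d+\.\d+)"
)


def parse_ospf_line(line):
    """Return a dict for one tcpdump OSPFv2 summary line, or None if it does not match."""
    m = OSPF_LINE.match(line)
    if m is None:
        return None
    t = (int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
         + int(m["us"]) / 1_000_000)
    return {"t": t, "src": m["src"], "dst": m["dst"],
            "ptype": m["ptype"], "rtrid": m["rtrid"]}


def ospf_rate_report(lines, threshold_pps=500):
    """Count LS update packets per (source IP, router ID) in one-second buckets.

    Returns (peak, flagged): peak maps (src, rtrid) -> highest packets seen in
    any single second; flagged is the subset of peak above threshold_pps.
    The 500 pps default is an assumption; a healthy router sends LS updates
    at a tiny fraction of that rate.
    """
    buckets = Counter()
    for line in lines:
        rec = parse_ospf_line(line)
        if rec is None or rec["ptype"] != "ls_upd":
            continue  # hellos, DB descriptions, LS requests/acks are not counted
        buckets[(rec["src"], rec["rtrid"], int(rec["t"]))] += 1
    peak = {}
    for (src, rtrid, _sec), n in buckets.items():
        key = (src, rtrid)
        peak[key] = max(peak.get(key, 0), n)
    flagged = {k: v for k, v in peak.items() if v > threshold_pps}
    return peak, flagged


def make_sample_capture(flood_count=2000):
    """Constructed tcpdump-style lines: a healthy router sending one hello per
    second, plus a burst of LS updates from the source seen in the post's capture."""
    lines = []
    for sec in range(3):
        lines.append(f"10:01:{sec:02d}.000000 IP 66.170.7.140 > 224.0.0.5: "
                     f"OSPFv2-hello 44: rtrid 66.170.0.15 backbone [tos 0xc0] [ttl 1]")
    for i in range(flood_count):
        us = (i * 400) % 1_000_000  # spread the burst across one second
        lines.append(f"10:01:01.{us:06d} IP 66.170.7.139 > 224.0.0.5: "
                     f"OSPFv2-ls_upd 28: rtrid 66.170.0.14 backbone [tos 0xc0] [ttl 1]")
    return lines


if __name__ == "__main__":
    peak, flagged = ospf_rate_report(make_sample_capture())
    for (src, rtrid), pps in sorted(peak.items()):
        mark = "FLOOD" if (src, rtrid) in flagged else "ok"
        print(f"{src} (rtrid {rtrid}): peak {pps} LS updates/s [{mark}]")
```

To run it against a real capture, feed `ospf_rate_report` the lines of `tcpdump -tt -n -r sniff.pcap 'ip proto 89'` (the `-tt` timestamp is epoch seconds rather than wall-clock, so the regex's timestamp group would need adjusting for that form). At the rate in the post, roughly 64,000 packets per second, the flagged source would stand out by four orders of magnitude against any other router on the segment.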
