On Mon, May 23, 2011 at 9:59 AM, Chris Wopat <m...@falz.net> wrote:
> Had a strange issue overnight. In short I had two OpenBSD boxes acting
> as routers denial of service my network with OSPFv3 multicast packets.

This happened again today. This time it was on a third OpenBSD box. The last time it happened it was happening what appeared to be simultaneously from two freshly installed 4.9 AMD64 boxes. This box is the same install and similar configuration as before.

This time we were able to capture a sniff as well as a ktrace.

http://falz.net/static/openbsd/ktrace-openbsd-49-2011-05-24.out (~170mb)
http://falz.net/static/openbsd/sniff-openbsd-49-2011-05-24.pcap (~50mb)

The pcap file above shows 604941 packets in a period of 9.4 seconds(!). All of the packets are:

66.170.7.139 > 224.0.0.5: OSPFv2-ls_upd 28: rtrid 66.170.0.14 backbone [tos 0xc0] [ttl 1]

66.170.7.139 is one of two IPs on the problematic OpenBSD box. 0.14 is the loopback (lo1) on that box.

If you want to see a screen cap of the interesting parts of the packets, here's a screenshot from Wireshark:

http://falz.net/static/openbsd/wireshark-packet-screenshot.png

These are the first two packets. They're all OSPF type 4 Link State updates. During a part of the time period where we had the issue we thought it may have been some sort of spanning tree issue since it jumped back and forth between the two VLANs that this server is attached to.

You can see in the dump that the OSPF Auth Crypto Sequence Number increments and the Auth data changes in each packet, so they definitely appear to be unique packets.

Here are packet counts from the switch it uplinks to. Blue is out, so originating from the device:

http://falz.net/static/openbsd/openbsd-em0-pps-graph.png
http://falz.net/static/openbsd/openbsd-em1-pps-graph.png

This shows what we saw: it originates on em0 and moved to em1.

I'd love to hear from Claudio/Esben or any OpenOSPFD users, especially those running 4.9, since it appears that there were several ospfd updates in 4.9.

While things are stable at the moment, I'm going to potentially disable ospfd tonight and switch BGP to a less redundant manner. If I can confirm there's something wrong in 4.9 I'll just go to 4.8 instead.

--Chris
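
An added example, not part of the original post: a small Python check that reads tcpdump text lines in the form quoted above and reports any sender whose OSPF LS Update rate exceeds a threshold. The leading timestamp, the 100 pps threshold, the function names, and the 192.0.2.x neighbour in the sample are assumptions made for illustration.

```python
import re
from collections import Counter

# Line format as quoted in the post, plus a leading HH:MM:SS.usec timestamp
# (assumed; the post quotes the line without one).
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.\d+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"OSPFv2-ls_upd \d+: rtrid (?P<rtrid>\d+\.\d+\.\d+\.\d+)"
)

def ls_upd_rates(lines):
    """Count LS Update packets per (source IP, router ID, second of day)."""
    buckets = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # hellos, non-OSPF traffic, malformed lines
        sec = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        buckets[(m["src"], m["rtrid"], sec)] += 1
    return buckets

def find_floods(lines, max_pps=100):
    """Return {(src, rtrid): peak packets/second} for senders above max_pps.

    max_pps=100 is an assumed threshold, not a value from the post.
    """
    peaks = {}
    for (src, rtrid, _sec), count in ls_upd_rates(lines).items():
        if count > max_pps:
            key = (src, rtrid)
            peaks[key] = max(peaks.get(key, 0), count)
    return peaks

def build_sample():
    """Constructed sample input: one flooding sender, one quiet neighbour."""
    tail = "backbone [tos 0xc0] [ttl 1]"
    lines = [
        f"03:14:07.{i * 2000:06d} 66.170.7.139 > 224.0.0.5: "
        f"OSPFv2-ls_upd 28: rtrid 66.170.0.14 {tail}"
        for i in range(500)
    ]
    # Hypothetical quiet neighbour: one LS Update per second for 3 seconds.
    lines += [
        f"03:14:{7 + s:02d}.500000 192.0.2.1 > 224.0.0.5: "
        f"OSPFv2-ls_upd 28: rtrid 192.0.2.254 {tail}"
        for s in range(3)
    ]
    # A hello from the same neighbour must not be counted as an LS Update.
    lines.append("03:14:08.000001 192.0.2.1 > 224.0.0.5: "
                 f"OSPFv2-hello 44: rtrid 192.0.2.254 {tail}")
    return lines

if __name__ == "__main__":
    for (src, rtrid), pps in find_floods(build_sample()).items():
        print(f"LS Update flood: src={src} rtrid={rtrid} peak={pps} pps")
```

The same functions accept the text output of `tcpdump -n -r` on a capture file, passed in as an iterable of lines.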