Re: missing SYN_RECV in netstat

2019-08-22 Thread Theo de Raadt
Peter J. Philipp  wrote:

> Hi,
> 
> On the NANOG list there is a thread about something synflooding:
> https://mailman.nanog.org/pipermail/nanog/2019-August/102713.html
> 
> Most of my hosts are synflooded, and I was wondering why my OpenBSD
> hosts don't show any SYN_RECV states in a netstat -nafinet.  I had to tcpdump
> to see a synflood happening on port 53 on one of my hosts, have to 
> still check the other one.   Could there be a bad pf rule I'm 
> using?  I suspect this is a worm of sorts or something.  

But that's the way you avoid the resource congestion: You don't create
expensive global state which requires a whole bunch of resource
allocation, data structure shuffling, and locking.



Re: missing SYN_RECV in netstat

2019-08-20 Thread Claudio Jeker
On Tue, Aug 20, 2019 at 07:36:11PM +0200, Peter J. Philipp wrote:
> Hi,
> 
> On the NANOG list there is a thread about something synflooding:
> https://mailman.nanog.org/pipermail/nanog/2019-August/102713.html
> 
> Most of my hosts are synflooded, and I was wondering why my OpenBSD
> hosts don't show any SYN_RECV states in a netstat -nafinet.  I had to tcpdump
> to see a synflood happening on port 53 on one of my hosts, have to 
> still check the other one.   Could there be a bad pf rule I'm 
> using?  I suspect this is a worm of sorts or something.  
> 
> While not an emergency, it is inconvenient to pick out the synflooders
> with tcpdump.  Are there any better tools?

netstat does not show SYN_RECV states because those are held in the
syncache and need to finish the 3-way handshake before showing up in
netstat. I normally use tcpdump to identify synfloods, but pfctl -ss will
probably show them as well (up to the moment where pf decides to switch to
syncookies).

-- 
:wq Claudio
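An added example, not from the thread, of picking the synflooders out of pfctl -ss output the way Claudio suggests: it counts half-open inbound TCP states per remote address. The input is a constructed sample, and it assumes IPv4 addresses and pf's "proto dst <- src  STATE:STATE" line layout for inbound states.

```shell
#!/bin/sh
# Constructed sample of pfctl -ss output (not a real capture). Inbound
# states print as "dst <- src" followed by initiator:responder state.
SAMPLE='all tcp 192.0.2.10:53 <- 198.51.100.7:41234       SYN_SENT:CLOSED
all tcp 192.0.2.10:53 <- 198.51.100.7:41235       SYN_SENT:CLOSED
all tcp 192.0.2.10:53 <- 198.51.100.7:41236       SYN_SENT:CLOSED
all tcp 192.0.2.10:22 <- 203.0.113.5:50001       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:53 <- 203.0.113.9:3456       SYN_SENT:CLOSED
all udp 192.0.2.10:53 <- 203.0.113.9:3457       MULTIPLE:SINGLE'

# count_halfopen: read pfctl -ss lines on stdin and print "count source-ip"
# for every remote address holding half-open inbound TCP states (initiator
# in SYN_SENT, responder still CLOSED), busiest source first.
# Assumes IPv4 "addr:port" fields; pf prints IPv6 ports differently.
count_halfopen() {
    awk '$2 == "tcp" && $4 == "<-" && $6 == "SYN_SENT:CLOSED" {
            ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }' |
    sort -rn
}

# top_halfopen_source: the single address with the most half-open states,
# or nothing when there are none.
top_halfopen_source() {
    count_halfopen | head -n 1 | awk '{ print $2 }'
}

# Live use would be:  pfctl -ss | count_halfopen   (needs root, as noted).
printf '%s\n' "$SAMPLE" | count_halfopen
```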



Re: missing SYN_RECV in netstat

2019-08-20 Thread Peter J. Philipp
Never mind, I exited airhead mode.  pfctl -ss does what I need. However
I approached things from a non-root perspective and pfctl requires root
privs.  Sometimes I surprise myself that I have root.


Cheers,

-peter

On 8/20/19 7:36 PM, Peter J. Philipp wrote:

Hi,

On the NANOG list there is a thread about something synflooding:
https://mailman.nanog.org/pipermail/nanog/2019-August/102713.html

Most of my hosts are synflooded, and I was wondering why my OpenBSD
hosts don't show any SYN_RECV states in a netstat -nafinet.  I had to tcpdump
to see a synflood happening on port 53 on one of my hosts, have to
still check the other one.   Could there be a bad pf rule I'm
using?  I suspect this is a worm of sorts or something.

While not an emergency, it is inconvenient to pick out the synflooders
with tcpdump.  Are there any better tools?

-peter




missing SYN_RECV in netstat

2019-08-20 Thread Peter J. Philipp
Hi,

On the NANOG list there is a thread about something synflooding:
https://mailman.nanog.org/pipermail/nanog/2019-August/102713.html

Most of my hosts are synflooded, and I was wondering why my OpenBSD
hosts don't show any SYN_RECV states in a netstat -nafinet.  I had to tcpdump
to see a synflood happening on port 53 on one of my hosts, have to 
still check the other one.   Could there be a bad pf rule I'm 
using?  I suspect this is a worm of sorts or something.  

While not an emergency, it is inconvenient to pick out the synflooders
with tcpdump.  Are there any better tools?

-peter