Massive 1 ip address NAT, high CPU usage



  • Hi All,

    Please excuse me if this is not the right place to post the question:

    I have a problem with high CPU usage on pfSense 2.0.1. After doing some investigation we found something interesting:

    [2.0.1-RELEASE]#netstat -tna
    tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4969    CLOSE_WAIT
    tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4970    CLOSE_WAIT
    tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4956    CLOSE_WAIT
    tcp4      0      0 67.228.228.213-s.http  10.10.223.153.4942    CLOSE_WAIT
    tcp4      6      0 67.228.228.213-s.http  10.10.223.153.4941    CLOSE_WAIT
    tcp4      6      0 67.228.228.213-s.http  10.10.223.153.4938    CLOSE_WAIT
    tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4928    CLOSE_WAIT
    tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4903    CLOSE_WAIT
    tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4899    CLOSE_WAIT
    tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4888    CLOSE_WAIT
    tcp4      0      0 67.228.228.213-s.http  10.10.223.153.4876    CLOSE_WAIT
    tcp4      0      0 67.228.228.213-s.http  10.10.223.153.4870    CLOSE_WAIT
    tcp4      6      0 67.228.228.213-s.http  10.10.223.153.4869    CLOSE_WAIT
    tcp4      0      0 58.221.43.221.hosts2-n 10.10.223.153.4863    CLOSE_WAIT
    tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4858    CLOSE_WAIT
    tcp4      0      0 58.221.43.221.hosts2-n 10.10.223.153.4841    CLOSE_WAIT
    tcp4      6      0 67.228.228.213-s.http  10.10.223.153.4836    CLOSE_WAIT
    tcp4      6      0 67.228.228.213-s.http  10.10.223.153.4835    CLOSE_WAIT
    tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4833    CLOSE_WAIT
    tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4825    CLOSE_WAIT
    tcp4      0      0 67.228.228.213-s.http  10.10.223.153.4811    CLOSE_WAIT
    tcp4      6      0 67.228.228.213-s.http  10.10.223.153.4809    CLOSE_WAIT
    tcp4      0      0 67.228.228.213-s.http  10.10.223.153.4808    CLOSE_WAIT
    tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4803    CLOSE_WAIT
    tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4802    CLOSE_WAIT
    tcp4      0      0 199.2.137.238.8088    10.10.223.153.4792    ESTABLISHED
    tcp4      6      0 67.228.228.213-s.http  10.10.223.153.4785    CLOSE_WAIT
    tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4783    CLOSE_WAIT
    tcp4      6      0 67.228.228.213-s.http  10.10.223.153.4777    CLOSE_WAIT
    tcp4      0      0 58.221.43.221.hosts2-n 10.10.223.153.4774    CLOSE_WAIT

    So we cut off network access for the PC with this IP address (10.10.223.153), because we don't know how we can block them in pfSense. After that everything worked fine as normal, so we think that's a massive NAT problem with our pfSense.

    Please kindly advise how to prevent or solve this problem?

    Thx
    Makara



  • That looks like a virus or trojan's work. Or worse, a bot. I would check that PC to see what it has running (while being unplugged from the network).



  • Check Diagnostics>States for a better picture (or pfctl -ss). That's almost certainly a host infected with some kind of DDoS bot. Anything you allow to open massive numbers of new connections is going to have an impact on your firewall regardless of what it is. Limiting states per host, and egress filtering that is as tight as possible, help keep such things in check when they happen.
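As an added example (not code from either poster), here is a small Python parser that turns a netstat listing in the column layout shown in the first post into per-host state counts, the kind of per-host view the reply suggests getting from Diagnostics>States, and flags a host holding many CLOSE_WAIT sockets toward a few targets. The sample lines, the second internal host 10.10.223.20 and the thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the column layout of the thread's `netstat -tna` listing
# (proto, recv-q, send-q, remote.port, local.port, state); not a real capture.
SAMPLE_NETSTAT = """\
tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4969    CLOSE_WAIT
tcp4      0      0 67.228.228.213-s.http  10.10.223.153.4942    CLOSE_WAIT
tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4928    CLOSE_WAIT
tcp4      0      0 199.2.137.238.8088     10.10.223.153.4792    ESTABLISHED
tcp4      0      0 93.184.216.34.https    10.10.223.20.51001    ESTABLISHED
tcp4      0      0 93.184.216.34.https    10.10.223.20.51002    TIME_WAIT
"""
LINE_RE = re.compile(r"^tcp[46]?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+([A-Z_]+)$")

def split_endpoint(endpoint):
    """BSD netstat joins address and port/service with a dot: split on the last one."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_netstat(text):
    """Return (local_host, remote_host, remote_port, state) for each TCP socket line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # headers, UDP sockets, blank lines
            continue
        remote, local, state = m.groups()
        rhost, rport = split_endpoint(remote)
        rows.append((split_endpoint(local)[0], rhost, rport, state))
    return rows

def states_per_host(rows):
    """{internal host: Counter(state -> n)}, the per-host view Diagnostics>States gives."""
    per_host = defaultdict(Counter)
    for lhost, _, _, state in rows:
        per_host[lhost][state] += 1
    return per_host

def flag_hosts(rows, max_states=3, min_close_wait=0.5):
    """Flag hosts with more than max_states sockets of which at least min_close_wait
    sit in CLOSE_WAIT (peer closed, local side never did). Thresholds are illustrative."""
    flagged = {}
    for host, counts in states_per_host(rows).items():
        total = sum(counts.values())
        if total > max_states and counts["CLOSE_WAIT"] / total >= min_close_wait:
            targets = Counter(r for l, r, _, _ in rows if l == host)
            flagged[host] = {"states": total, "close_wait": counts["CLOSE_WAIT"],
                             "top_target": targets.most_common(1)[0][0]}
    return flagged
```

The per-host limit itself is not something this script applies; it is set on the pass rule (pf's `max-src-states` option, exposed under the rule's advanced options in pfSense), which is what the reply means by limiting states per host.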

