Massive 1 ip address NAT, high CPU usage
-
Hi All,
Please excuse me if this is not the right place to post the question:
I have a problem with high CPU usage on pfSense 2.0.1. After doing some investigation we found something interesting:
[2.0.1-RELEASE]#netstat -tna
tcp4 6 0 58.221.43.221.hosts2-n 10.10.223.153.4969 CLOSE_WAIT
tcp4 6 0 58.221.43.221.hosts2-n 10.10.223.153.4970 CLOSE_WAIT
tcp4 6 0 58.221.43.221.hosts2-n 10.10.223.153.4956 CLOSE_WAIT
tcp4 0 0 67.228.228.213-s.http 10.10.223.153.4942 CLOSE_WAIT
tcp4 6 0 67.228.228.213-s.http 10.10.223.153.4941 CLOSE_WAIT
tcp4 6 0 67.228.228.213-s.http 10.10.223.153.4938 CLOSE_WAIT
tcp4 6 0 58.221.43.221.hosts2-n 10.10.223.153.4928 CLOSE_WAIT
tcp4 6 0 58.221.43.221.hosts2-n 10.10.223.153.4903 CLOSE_WAIT
tcp4 6 0 58.221.43.221.hosts2-n 10.10.223.153.4899 CLOSE_WAIT
tcp4 6 0 58.221.43.221.hosts2-n 10.10.223.153.4888 CLOSE_WAIT
tcp4 0 0 67.228.228.213-s.http 10.10.223.153.4876 CLOSE_WAIT
tcp4 0 0 67.228.228.213-s.http 10.10.223.153.4870 CLOSE_WAIT
tcp4 6 0 67.228.228.213-s.http 10.10.223.153.4869 CLOSE_WAIT
tcp4 0 0 58.221.43.221.hosts2-n 10.10.223.153.4863 CLOSE_WAIT
tcp4 6 0 58.221.43.221.hosts2-n 10.10.223.153.4858 CLOSE_WAIT
tcp4 0 0 58.221.43.221.hosts2-n 10.10.223.153.4841 CLOSE_WAIT
tcp4 6 0 67.228.228.213-s.http 10.10.223.153.4836 CLOSE_WAIT
tcp4 6 0 67.228.228.213-s.http 10.10.223.153.4835 CLOSE_WAIT
tcp4 6 0 58.221.43.221.hosts2-n 10.10.223.153.4833 CLOSE_WAIT
tcp4 6 0 58.221.43.221.hosts2-n 10.10.223.153.4825 CLOSE_WAIT
tcp4 0 0 67.228.228.213-s.http 10.10.223.153.4811 CLOSE_WAIT
tcp4 6 0 67.228.228.213-s.http 10.10.223.153.4809 CLOSE_WAIT
tcp4 0 0 67.228.228.213-s.http 10.10.223.153.4808 CLOSE_WAIT
tcp4 6 0 58.221.43.221.hosts2-n 10.10.223.153.4803 CLOSE_WAIT
tcp4 6 0 58.221.43.221.hosts2-n 10.10.223.153.4802 CLOSE_WAIT
tcp4 0 0 199.2.137.238.8088 10.10.223.153.4792 ESTABLISHED
tcp4 6 0 67.228.228.213-s.http 10.10.223.153.4785 CLOSE_WAIT
tcp4 6 0 58.221.43.221.hosts2-n 10.10.223.153.4783 CLOSE_WAIT
tcp4 6 0 67.228.228.213-s.http 10.10.223.153.4777 CLOSE_WAIT
tcp4 0 0 58.221.43.221.hosts2-n 10.10.223.153.4774 CLOSE_WAIT
So we cut off the PC with this IP address (10.10.223.153) from the network, because we don't know what we can block in pfSense. After that everything worked fine as normal, so we think that's a massive NAT problem on our pfSense.
Please kindly advise how to prevent or solve this problem?
Thanks,
Makara
-
That looks like a virus or trojan's work, or worse, a bot. I would check that PC to see what it has running (while it is unplugged from the network).
-
Check Diagnostics > States for a better picture (or pfctl -ss). That's almost certainly a host infected with some kind of DDoS bot. Anything you allow to open massive numbers of new connections is going to have an impact on your firewall, regardless of what it is. Limiting states per host, and egress filtering that is as tight as possible, help keep such things in check when they happen.
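As an added example (not posted by anyone in this thread and not pfSense's own code), the following shell script shows the two things the last reply recommends: counting pf state-table entries per original (pre-NAT) LAN source so the offending host stands out, and a pf rule in pf.conf syntax that caps states and new-connection rate per source host and drops repeat offenders into a table. The state lines in SAMPLE_STATES are constructed to approximate the layout of `pfctl -ss` and are not a real capture; the interface name em1, the thresholds and the table name are assumptions. On the firewall you would pipe real output in with `pfctl -ss | top_state_sources`.

```shell
#!/bin/sh
# Added example: find the LAN host holding the most pf states and print a
# per-source-host state-limit rule. Not from the original thread.

# Constructed sample in the approximate "pfctl -ss" layout (not real data).
# For translated states pf shows "wan_addr:port (orig_addr:port) -> dst:port";
# for untranslated states it shows "src:port -> dst:port".
SAMPLE_STATES='all tcp 203.0.113.5:50001 (10.10.223.153:4969) -> 58.221.43.221:80       CLOSE_WAIT:FIN_WAIT_2
all tcp 203.0.113.5:50002 (10.10.223.153:4970) -> 58.221.43.221:80       CLOSE_WAIT:FIN_WAIT_2
all tcp 203.0.113.5:50003 (10.10.223.153:4956) -> 58.221.43.221:80       CLOSE_WAIT:FIN_WAIT_2
all tcp 203.0.113.5:50004 (10.10.223.153:4942) -> 67.228.228.213:80       CLOSE_WAIT:FIN_WAIT_2
all tcp 203.0.113.5:50005 (10.10.223.153:4941) -> 67.228.228.213:80       CLOSE_WAIT:FIN_WAIT_2
all tcp 203.0.113.5:50006 (10.10.223.153:4792) -> 199.2.137.238:8088       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:50007 (10.10.223.20:51000) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
all udp 10.10.223.20:53000 -> 10.10.223.1:53       MULTIPLE:SINGLE'

# Read pfctl -ss lines on stdin, print "count host" with the busiest host first.
# The pre-NAT source is the parenthesised address when present, otherwise the
# address just before "->". The source port is stripped before counting.
top_state_sources() {
    awk '
    /->/ {
        src = $3
        if ($4 ~ /^\(/) { src = $4; gsub(/[()]/, "", src) }
        sub(/:[0-9]+$/, "", src)
        count[src]++
    }
    END { for (h in count) printf "%d %s\n", count[h], h }
    ' | sort -rn
}

# Print only hosts holding at least THRESHOLD states (default 200); this is the
# list you would feed into an alias or table behind a block rule.
hosts_over_threshold() {
    threshold=${1:-200}
    top_state_sources | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Emit pf.conf rule text that limits states per source host on the LAN
# interface and overloads persistent offenders into a table that is blocked.
# Arguments: interface (assumed em1), max states per source, rate "conns/secs".
state_limit_rule() {
    ifname=${1:-em1}; max_states=${2:-200}; rate=${3:-15/5}
    cat <<EOF
table <abusers> persist
block in quick on $ifname from <abusers> to any
pass in quick on $ifname proto tcp from $ifname:network to any flags S/SA keep state (max-src-states $max_states, max-src-conn-rate $rate, overload <abusers> flush global)
EOF
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_STATES" | top_state_sources
printf '%s\n' "$SAMPLE_STATES" | hosts_over_threshold 5
state_limit_rule em1 200 15/5
```

With the sample above the first output line is `6 10.10.223.153`, which is the host to pull off the network and inspect. The `overload <abusers> flush global` clause means a host that exceeds the connection rate is added to the table and all of its existing states are killed, so the firewall stops carrying the load instead of waiting for thousands of CLOSE_WAIT entries to time out; the same limits are exposed in the pfSense rule editor's advanced options, but the raw pf syntax is shown here because that is what the firewall actually loads.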