Netgate Discussion Forum
    Massive 1 ip address NAT, high CPU usage

    3 Posts 3 Posters 2.1k Views
      makara
      last edited by

      Hi All,

      Please excuse me if this is not the right place to post the question:

      I have a problem with high CPU usage on pfSense 2.0.1. After doing some investigation we found something interesting:

      [2.0.1-RELEASE]#netstat -tna
      tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4969    CLOSE_WAIT
      tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4970    CLOSE_WAIT
      tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4956    CLOSE_WAIT
      tcp4      0      0 67.228.228.213-s.http  10.10.223.153.4942    CLOSE_WAIT
      tcp4      6      0 67.228.228.213-s.http  10.10.223.153.4941    CLOSE_WAIT
      tcp4      6      0 67.228.228.213-s.http  10.10.223.153.4938    CLOSE_WAIT
      tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4928    CLOSE_WAIT
      tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4903    CLOSE_WAIT
      tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4899    CLOSE_WAIT
      tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4888    CLOSE_WAIT
      tcp4      0      0 67.228.228.213-s.http  10.10.223.153.4876    CLOSE_WAIT
      tcp4      0      0 67.228.228.213-s.http  10.10.223.153.4870    CLOSE_WAIT
      tcp4      6      0 67.228.228.213-s.http  10.10.223.153.4869    CLOSE_WAIT
      tcp4      0      0 58.221.43.221.hosts2-n 10.10.223.153.4863    CLOSE_WAIT
      tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4858    CLOSE_WAIT
      tcp4      0      0 58.221.43.221.hosts2-n 10.10.223.153.4841    CLOSE_WAIT
      tcp4      6      0 67.228.228.213-s.http  10.10.223.153.4836    CLOSE_WAIT
      tcp4      6      0 67.228.228.213-s.http  10.10.223.153.4835    CLOSE_WAIT
      tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4833    CLOSE_WAIT
      tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4825    CLOSE_WAIT
      tcp4      0      0 67.228.228.213-s.http  10.10.223.153.4811    CLOSE_WAIT
      tcp4      6      0 67.228.228.213-s.http  10.10.223.153.4809    CLOSE_WAIT
      tcp4      0      0 67.228.228.213-s.http  10.10.223.153.4808    CLOSE_WAIT
      tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4803    CLOSE_WAIT
      tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4802    CLOSE_WAIT
      tcp4      0      0 199.2.137.238.8088    10.10.223.153.4792    ESTABLISHED
      tcp4      6      0 67.228.228.213-s.http  10.10.223.153.4785    CLOSE_WAIT
      tcp4      6      0 58.221.43.221.hosts2-n 10.10.223.153.4783    CLOSE_WAIT
      tcp4      6      0 67.228.228.213-s.http  10.10.223.153.4777    CLOSE_WAIT
      tcp4      0      0 58.221.43.221.hosts2-n 10.10.223.153.4774    CLOSE_WAIT

      So we cut off the PC with this IP address (10.10.223.153) from the network, because we don't know what we can block in pfSense. After that everything worked fine as normal, so we think that's a massive NAT problem on our pfSense.

      Please kindly advise how to prevent or solve this problem?

      Thx
      Makara

        podilarius
        last edited by

        That looks like a virus or trojan's work. Or worse, a bot. I would check that PC to see what it has running (while it is unplugged from the network).

          cmb
          last edited by

          Check Diagnostics > States for a better picture (or pfctl -ss). That's almost certainly a host infected with some kind of DDoS bot. Anything you allow to open massive numbers of new connections is going to have an impact on your firewall regardless of what it is. Limiting states per host, and egress filtering that is as tight as possible, helps keep such things in check when they happen.

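          As an added example (not code from the thread or from pfSense), the script below turns the kind of netstat -tna listing posted above into a per-host connection count, which is the "better picture" cmb describes: it strips the port from the foreign address column, counts total and CLOSE_WAIT connections per LAN host, and flags any host above a threshold. The sample lines are constructed to match the thread's layout; the threshold value is an assumption to tune for your network.

```shell
#!/bin/sh
# Count connections per LAN host in `netstat -tna` output and flag hosts that
# exceed a threshold. Column layout: proto recv-q send-q local foreign state.

# Constructed sample in the same layout as the thread's netstat output.
SAMPLE='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       6      0 58.221.43.221.hosts2-n 10.10.223.153.4969    CLOSE_WAIT
tcp4       6      0 67.228.228.213-s.http  10.10.223.153.4941    CLOSE_WAIT
tcp4       0      0 199.2.137.238.8088    10.10.223.153.4792    ESTABLISHED
tcp4       0      0 10.10.223.1.443       10.10.223.20.51234    ESTABLISHED'

# count_per_host: read netstat lines on stdin, print "host total close_wait"
# for each foreign host, busiest host first. The port (last dotted field,
# e.g. ".4969") is stripped so all connections of one host are grouped.
count_per_host() {
    awk '$1 ~ /^tcp/ {
            host = $5; sub(/\.[^.]*$/, "", host);   # drop port / service name
            total[host]++;
            if ($6 == "CLOSE_WAIT") cw[host]++;
        }
        END {
            for (h in total) printf "%s %d %d\n", h, total[h], cw[h] + 0;
        }' | sort -k2,2nr
}

# flag_hosts THRESHOLD: print only hosts whose total exceeds THRESHOLD.
# A threshold of a few hundred is a reasonable starting point for a LAN
# client (assumption; adjust to what is normal on your network).
flag_hosts() {
    count_per_host | awk -v t="$1" '$2 > t { print $1 }'
}

# Demo on the constructed sample; on a live box feed it `netstat -tna` instead.
printf '%s\n' "$SAMPLE" | count_per_host
printf '%s\n' "$SAMPLE" | flag_hosts 2
```

Hosts this flags are the ones to investigate and, per cmb's advice, the reason to set a per-host state limit in the firewall rule so one infected client cannot exhaust the state table.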
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.