[OmniOS-discuss] OmniOS DOS'd my entire network

Schweiss, Chip chip at innovates.com
Tue May 9 20:40:35 UTC 2017 

Here's the screen shot:

Given the rarity of this, I wouldn't be surprised it never happens again to
me.   The major difficulty was locating the offending system.   All we were
finding was very poor TCP connections everywhere on or network.  Even VLANs
that were not active on the server, but trunked on its switch ports.

That mac address corresponds to another OmniOS server, that is not part of
the same HA cluster as this one.   It has not been shut down since the
incident.

-Chip





On Tue, May 9, 2017 at 3:22 PM, Dan McDonald <danmcd at omniti.com> wrote:

>
> > On May 9, 2017, at 3:32 PM, Schweiss, Chip <chip at innovates.com> wrote:
> >
> > This was a first for me and extremely painful to locate.
> >
> > In the middle of the night between last Friday and Saturday, I started
> getting down alerts from most of my network.   It took 4 engineers
> including myself 9 hours to pinpoint the source of the problem.
> >
> > The problem turned out to be one of my OmniOS boxes sending out pure
> garbage constantly on layer 2 out the 10G network ports.   This disrupted
> ARP caches on every machine on every VLAN that was trunked on these ports,
> not just the VLANs that were configured on the server.   The switches
> reported every port healthy and without error.   The traffic on the bad
> port was not high either, just severely disruptive.
>
> Whoa!  On L2 (like non-TCP/IP ethernet frames)?
>
> > The affected OmniOS box appear to be healthy, as it was still serving
> the VM data stores for over 350 virtual machines.   However, it like every
> other service on the network appeared to be up and down repeatedly, but NFS
> kept on recovering gracefully.
> >
> > The only thing that finally identified this server was when one of us
> plug a monitor to the console and saw "WARNING: proxy ARP problem?"
> happening so fast that it took taking a cellphone picture of it a high
> frame rate to read it.   Powering off this server, cleared the problem for
> the entire network, and its pools were taken over by its HA sister.
>
> If it's easy to do so, unplug or "ifconfig down" the interface next time
> this happens.
>
> > Googling for that warning brings up nothing useful.
> >
> > Has anyone ever seen a problem like this?   How did you locate it?
>
> Should search src.illumos.org, you'll find this:
>
>         http://src.illumos.org/source/xref/illumos-gate/usr/src/uts/
> common/inet/ip/ip_arp.c#1449
>
> We appear to be freaking out over another node having our IP.  The only
> caller with AR_CN_BOGON is after ip_nce_resolve_all() returns AR_BOGON.
>
> I wonder if some other entity had the same IP, and they
> fed-back-upon-each-other negatively?
>
> The message you cite should show an IP address with it:
>
>         "proxy ARP problem?  Node '%s' is using %s on %s",
>
> where the %s-es are MAC-address, IP-address, and interface-name
> respectively.  You didn't get examples with your digital camera, did you?
>
> Dan
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://omniosce.org/ml-archive/attachments/20170509/e7164d8c/attachment.html>

More information about the OmniOS-discuss mailing list