Re: Limiting icmp unreach response from 231 to 200 packets per second

From: Tillman (tillman@seekingfire.com)
Date: 01/21/03


Date: Tue, 21 Jan 2003 10:13:57 -0600
From: Tillman <tillman@seekingfire.com>
To: freebsd-security@FreeBSD.ORG

On Tue, Jan 21, 2003 at 10:00:08AM -0600, Martin McCormick wrote:
> On rare occasions, a FreeBSD system in our network has
> been known to print the example shown in the subject at a furious
> rate for a short time and then things get back to normal.
>
> Is that what the effects of a ping flood look like?

``Limiting icmp unreach response from 231 to 200 packets per second''

What you're seeing is the kernel limiting ICMP responses to 200/second.
If there are more than 200 ICMP requests per second, and you have
net.inet.icmp.icmplim set to 200 via sysctl (the default value), this
occurs.

This could be an ICMP flood attack. It could also be legitimate traffic.
For your network, what would you consider to be a normal number of ICMP
requests per second?

231 packets/second is actually pretty slow if you're on a high speed
local network, so in that situation it's unlikely to be a deliberate
ping flood. I've had network monitoring tools that were badly configured
do something that looked much like this.

- Tillman

-- 
Page 41: Two of the most important Unix traditions are to share and to
help people.
	- Harley Hahn, _The Unix Companion_
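
Added example, not part of the original message or of FreeBSD: one way to turn the rate-limit messages discussed above into per-burst figures (duration, peak rate, replies over the limit) so a short burst can be told apart from sustained traffic. The syslog prefix, host name, timestamps, the year default and the 5-second grouping gap are assumptions; only the "Limiting ... response from N to M packets per second" text comes from the post.

```python
import re
from datetime import datetime, timedelta

# Message text as quoted in the post; the syslog prefix layout is an assumption.
LIMIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+ "
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) to (?P<limit>\d+) "
    r"packets per second"
)

# Constructed sample log lines (host name and timestamps are made up).
SAMPLE_LOG = """\
Jan 21 09:58:01 gw /kernel: Limiting icmp unreach response from 231 to 200 packets per second
Jan 21 09:58:02 gw /kernel: Limiting icmp unreach response from 412 to 200 packets per second
Jan 21 09:58:03 gw /kernel: Limiting icmp unreach response from 260 to 200 packets per second
Jan 21 09:58:04 gw sshd[311]: Accepted publickey for admin
Jan 21 14:30:10 gw /kernel: Limiting icmp unreach response from 205 to 200 packets per second
"""

def parse_line(line, year=2003):
    """Return (timestamp, kind, observed, limit) or None for unrelated lines."""
    m = LIMIT_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so one is supplied (assumed).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["kind"], int(m["seen"]), int(m["limit"])

def bursts(lines, max_gap=timedelta(seconds=5)):
    """Group messages of the same kind that arrive within max_gap of each other."""
    out = []
    for ts, kind, seen, limit in filter(None, map(parse_line, lines)):
        last = out[-1] if out else None
        if last and last["kind"] == kind and ts - last["end"] <= max_gap:
            last["end"] = ts
            last["messages"] += 1
            last["peak"] = max(last["peak"], seen)
            last["over_limit"] += seen - limit  # sum of (observed - limit)
        else:
            out.append({"kind": kind, "start": ts, "end": ts, "messages": 1,
                        "peak": seen, "limit": limit, "over_limit": seen - limit})
    return out

if __name__ == "__main__":
    for b in bursts(SAMPLE_LOG.splitlines()):
        secs = int((b["end"] - b["start"]).total_seconds()) + 1
        print(f'{b["start"]} {b["kind"]}: {secs}s, peak {b["peak"]}/s '
              f'(limit {b["limit"]}), {b["over_limit"]} over the limit')
```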