Re: Limiting icmp unreach response from 231 to 200 packets per second

From: Tillman (tillman@seekingfire.com)
Date: 01/21/03 

Date: Tue, 21 Jan 2003 10:32:18 -0600
From: Tillman <tillman@seekingfire.com>
To: freebsd-security@FreeBSD.ORG

On Wed, Jan 22, 2003 at 02:27:15AM +1000, Andy Farkas wrote:
>
> > > > On rare occasions, a FreeBSD system in our network has
> > > > been known to print the example shown in the subject at a furious
> > > > rate for a short time and then things get back to normal.
> > > >
> > > > Is that what the effects of a ping flood look like?
> > >
>
> Yes, that's exactly what happens when ping-flooded.
>
> Note that only root can ping-flood.
>
> > It could be a ping flood, but if its happening after named dies, its more
> > likely your kernel sending back messages to all the hosts asking for DNS
> > requests. i.e. since named is dead, you had 231 DNS requests coming in per
> > second. The kernel, limits its response to the first 200 hosts, sending
> > back a message saying there is nothing listening on that port.
>
> He is talking about icmp packets - nothing to do with named.

Yes, it is. TCP issues a tcp reset packet when the prot is unavailable -
UDP can't do that, so it issues an ICMP port unreachable (which is what
he was limiting). It wasn't an ICMP echo response, which would be the
typical response to a ping flood.

-T 

-- 
"Our opinions become fixed at the point where we stopped thinking."
	- Renan
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message