Date:      Fri, 22 Dec 2000 19:20:13 -0800 (PST)
From:      dima@unixfreak.org
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   docs/23787: [PATCH] New FAQ entry about icmp-response bandwidth limit
Message-ID:  <200012230320.eBN3KDN14505@spike.unixfreak.org>
Resent-Message-ID: <200012230330.eBN3U1l95656@freefall.freebsd.org>


>Number:         23787
>Category:       docs
>Synopsis:       [PATCH] New FAQ entry about icmp-response bandwidth limit
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 22 19:30:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     
>Release:        FreeBSD 5.0-20001219-CURRENT i386
>Organization:
Private
>Environment:
System: FreeBSD spike.unixfreak.org 5.0-20001219-CURRENT FreeBSD 5.0-20001219-CURRENT #0: Tue Dec 19 20:42:22 PST 2000 dima@spike.unixfreak.org:/usr/home/dima/w/f/src/sys/compile/SPIKE i386

>Description:

The kernel limits ICMP and TCP RST responses to lessen the effect of
denial of service attacks and other malicious practices.  The message
emitted when the limit takes effect is something like "icmp-response
bandwidth limit 300/200 pps".  For some reason, the "response" part
escapes people when they read it, causing them to think their bandwidth
is limited, and complain on freebsd-questions.
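
Since the message is easy to misread, here is an added example (not part of the PR or of FreeBSD) that parses syslog lines carrying it and reports what the two numbers actually mean: the first is how many responses the kernel wanted to send, the second is the cap, and their difference is the number of responses that were dropped. The log lines, hostname and timestamps are constructed for the example.

```python
import re
from dataclasses import dataclass

# The kernel message quoted in the PR; the syslog prefix (timestamp, host,
# "/kernel:") is whatever the local logger puts in front of it.
_MSG = re.compile(r"icmp-response bandwidth limit (\d+)/(\d+) pps")


@dataclass
class LimitEvent:
    attempted: int  # responses the kernel would have sent that second
    limit: int      # the cap in force (net.inet.icmp.icmplim)

    @property
    def suppressed(self) -> int:
        # Responses that were dropped; no bandwidth was taken away.
        return max(self.attempted - self.limit, 0)


def parse_limit_events(lines):
    """Extract one LimitEvent per matching log line, ignoring the rest."""
    events = []
    for line in lines:
        m = _MSG.search(line)
        if m:
            events.append(LimitEvent(int(m.group(1)), int(m.group(2))))
    return events


def summarize(events):
    """Roll a batch of events up into what an operator wants to know."""
    if not events:
        return {"events": 0, "peak_attempted": 0, "suppressed": 0}
    return {
        "events": len(events),
        "peak_attempted": max(e.attempted for e in events),
        "suppressed": sum(e.suppressed for e in events),
    }


# Constructed sample log lines (host, times and the unrelated arp line are made up).
SAMPLE_LOG = [
    "Dec 22 19:01:07 host /kernel: icmp-response bandwidth limit 300/200 pps",
    "Dec 22 19:01:08 host /kernel: icmp-response bandwidth limit 450/200 pps",
    "Dec 22 19:01:09 host /kernel: arp: 10.0.0.5 moved from 00:00:00:00:00:01 to 00:00:00:00:00:02 on fxp0",
    "Dec 22 19:01:10 host /kernel: icmp-response bandwidth limit 210/200 pps",
]

if __name__ == "__main__":
    print(summarize(parse_limit_events(SAMPLE_LOG)))
```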

>How-To-Repeat:

Read freebsd-questions for a while.

>Fix:

Apply the following patch to doc/en_US.ISO_8859-1/books/faq/book.sgml.

Index: book.sgml
===================================================================
RCS file: /st/src/FreeBSD/doc/en_US.ISO_8859-1/books/faq/book.sgml,v
retrieving revision 1.129
diff -u -r1.129 book.sgml
--- book.sgml	2000/12/05 13:18:16	1.129
+++ book.sgml	2000/12/23 00:28:10
@@ -8023,6 +8023,63 @@
 
         </answer>
       </qandaentry>
+
+      <qandaentry>
+        <question id="icmp-response-bw-limit">
+          <para>What are these messages about <quote>icmp-response
+            bandwidth limit 300/200 pps</quote> in my log
+            files?</para>
+        </question>
+
+        <answer>
+          <para>This is the kernel telling you that some activity is
+            provoking it to send more ICMP or TCP reset (RST)
+            responses than it thinks it should.  ICMP responses are
+            often generated as a result of attempted connections to
+            unused UDP ports.  TCP resets are generated as a result of
+            attempted connections to unopened TCP ports.  Among
+            others, these are the kinds of activities which may cause
+            these messages:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>Brute-force denial of service (DoS) attacks (as
+              opposed to single-packet attacks which exploit a
+              specific vulnerability).</para>
+            </listitem>
+
+            <listitem>
+              <para>Port scans which attempt to connect to every port
+                possible (as opposed to only trying some well-known
+                ports).</para>
+            </listitem>
+          </itemizedlist>
+
+          <para>The first number in the message tells you how many
+            packets the kernel would've sent if the limit wasn't in
+            place, and the second number tells you the limit.  You can
+            control the limit using the
+            <varname>net.inet.icmp.icmplim</varname> sysctl variable
+            like this, where <literal>300</literal> is the limit in
+            packets per second:</para>
+
+          <screen>&prompt.root; <userinput>sysctl -w net.inet.icmp.icmplim=300</userinput></screen>
+
+          <para>If you don't want to see messages about this in your
+            log files, but you still want the kernel to do response
+            limiting, you can use the
+            <varname>net.inet.icmp.icmplim_output</varname> sysctl
+            variable to disable the output like this:</para>
+
+          <screen>&prompt.root; <userinput>sysctl -w net.inet.icmp.icmplim_output=0</userinput></screen>
+
+          <para>Finally, if you want to disable response limiting, you
+            can set the <varname>net.inet.icmp.icmplim</varname>
+            sysctl variable (see above for an example) to
+            <literal>0</literal>.  Disabling response limiting is
+            discouraged for the reasons listed above.</para>
+        </answer>
+      </qandaentry>
     </qandaset>
   </chapter>
 
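Review bot: the two `sysctl -w` `<screen>` examples (for `net.inet.icmp.icmplim` and `net.inet.icmp.icmplim_output`) only change the running kernel, and the entry does not say so; add a sentence that the value is lost at reboot and that a line such as `net.inet.icmp.icmplim=300` in /etc/sysctl.conf makes it persistent, otherwise a reader who tunes the limit once will see the messages come back after the next reboot. Style point in the `<itemizedlist>`: the continuation lines of the first `<listitem>` ("opposed to single-packet attacks ...") are indented two spaces less than those of the second, so the two items should be aligned the same way.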

>Release-Note:
>Audit-Trail:
>Unformatted:

