From: Matthew Seaman
To: Olga Zenkova
Cc: freebsd-questions@freebsd.org
Date: Tue, 13 May 2003 14:49:11 +0100
Subject: Re: icmp-response bandwidth limit
Message-ID: <20030513134911.GA55215@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20030513133202.78310.qmail@web9605.mail.yahoo.com>

On Tue, May 13, 2003 at 06:32:02AM -0700, Olga Zenkova wrote:
> Hi all!
> Please help. Get a lot of messages: "/kernel:
> icmp-response bandwidth limit nnn", where nnn is some
> different from time to time number. Have much traffic.
> Please help. What's happening?

Someone is flooding you with packets a lot of which are for ports
where there is no program listening, and your kernel is trying to
respond by sending out ICMP 'port unreachable' packets, but it refuses
to fill up too much outgoing bandwidth by doing that.

You should run tcpdump to capture some of the traffic and examine it
for clues as to what's going on. This can be someone port-scanning
you or a deliberate attempt to DoS you or it may be the result of some
machine being infected by a Worm program or it can be the result of a
simple mistake or hardware failure somewhere in your site or a nearby
network.

In the short term you can suppress the ICMP response by:

    # sysctl net.inet.tcp.blackhole=2
    # sysctl net.inet.udp.blackhole=1

(See blackhole(4), sysctl(8) and sysctl.conf(5)), but for general use,
ipfw(8) or ipf(8) are your friends.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
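
Added example (not part of the message above): one way to examine the tcpdump capture the reply recommends, by counting packets per source address and destination port so the hosts behind the flood stand out. The capture lines are constructed, the `tcpdump -n` text layout shown is an assumption about your tcpdump version, and `em0` is a placeholder interface name.

```shell
#!/bin/sh
# Triage helper for the "icmp-response bandwidth limit" situation.
# Capture step, run as root (em0 is a placeholder interface name):
#   tcpdump -n -i em0 -c 2000 > /tmp/flood.txt
#   summarise < /tmp/flood.txt

# Constructed sample of `tcpdump -n` output (documentation addresses).
sample_capture() {
    cat <<'EOF'
14:49:01.000001 IP 192.0.2.10.4321 > 198.51.100.5.135: UDP, length 32
14:49:01.000002 IP 192.0.2.10.4322 > 198.51.100.5.135: UDP, length 32
14:49:01.000003 IP 192.0.2.10.4323 > 198.51.100.5.137: UDP, length 50
14:49:01.000004 IP 203.0.113.7.1025 > 198.51.100.5.135: UDP, length 32
14:49:01.000005 IP 198.51.100.5 > 192.0.2.10: ICMP 198.51.100.5 udp port 135 unreachable, length 68
14:49:01.000006 IP 192.0.2.10.4324 > 198.51.100.5.135: UDP, length 32
EOF
}

# Read tcpdump lines on stdin and print
# "count source-address destination-port", busiest pair first.
summarise() {
    awk '
    {
        # Locate the ">" between source and destination; this works
        # with or without the leading "IP" token.
        for (i = 2; i < NF; i++) if ($i == ">") break
        if (i >= NF) next
        src = $(i - 1); dst = $(i + 1)
        sub(/:$/, "", dst)                 # drop the trailing colon
        # Keep only IPv4 address.port pairs (five dotted components);
        # this skips the ICMP replies, which carry no port.
        if (split(src, s, ".") != 5 || split(dst, d, ".") != 5) next
        n[s[1] "." s[2] "." s[3] "." s[4] " " d[5]]++
    }
    END { for (k in n) print n[k], k }' |
        LC_ALL=C sort -k1,1nr -k2,2 -k3,3n
}

sample_capture | summarise
```

A few sources hitting many different closed ports points to a port scan, while many packets at one port suggests a worm or a misdirected service.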