From: Dragos Ruiu
Organization: kyx.net
To: Alfred Perlstein, "Col.Panic"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: your mail (fwd)
Date: Mon, 28 Aug 2000 13:54:41 -0700
Message-Id: <0008281356040S.20616@smp.kyx.net>
In-Reply-To: <20000828111254.S1209@fw.wintelcom.net>

I get this message regularly whenever I use an application that generates
a lot of ICMP from a FreeBSD machine, like when I UDP nmap a FreeBSD target
for instance.

--dr

On Mon, 28 Aug 2000, Alfred Perlstein wrote:
>
> > > Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps
> > > Sep 19 00:17:57 shell /kernel: icmp-response bandwidth limit 3503/200 pps
> > > Sep 19 00:17:58 shell /kernel: icmp-response bandwidth limit 3505/200 pps
> > > Sep 19 00:17:59 shell /kernel: icmp-response bandwidth limit 3502/200 pps
>
> * Col.Panic [000828 11:09] wrote:
> > I have an interesting appendage to add to this answer.  I have ICMP shut
> > down at the router, and I get the same messages from my new 4.1-STABLE
> > system.  I can understand if somebody is spoofing ICMP packets, but if
> > they are, how are the replies getting to my machine?
> >
> > I've looked into it, and there isn't anybody logged into the machine for
> > when this occurs.  I'm at a loss.
>
> It's an icmp _response_ limit, meaning it limits the amount of icmp
> error messages your machine will generate in response to bogus
> connections or listen queue overflows.
>
> most likely an ACK/SYN attack of some sort or a server unable to
> handle its listen queue (incoming connections)
>
> -Alfred
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc
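
The kernel lines quoted in this thread can be triaged mechanically. The following is an added example, not part of the original messages, that parses them and groups them into bursts so a sustained event stands out from an isolated one. The `year` default, the 5-second grouping gap, the extra sample lines, and reading `N/M pps` as attempted/allowed responses per second are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the four lines quoted in the thread, one unrelated
# line, and one later isolated event (the last two are made up for the demo).
SAMPLE_LOG = """\
Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps
Sep 19 00:17:57 shell /kernel: icmp-response bandwidth limit 3503/200 pps
Sep 19 00:17:58 shell /kernel: icmp-response bandwidth limit 3505/200 pps
Sep 19 00:17:59 shell /kernel: icmp-response bandwidth limit 3502/200 pps
Sep 19 00:18:00 shell sshd[411]: unrelated line that must be ignored
Sep 19 00:25:10 shell /kernel: icmp-response bandwidth limit 240/200 pps
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S*kernel: "
    r"icmp-response bandwidth limit (?P<want>\d+)/(?P<limit>\d+) pps$"
)

def parse_events(text, year=2000):
    """Yield (timestamp, host, attempted_pps, limit_pps) per rate-limit line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Syslog timestamps carry no year; the default here is an assumption.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], int(m["want"]), int(m["limit"])

def group_bursts(events, max_gap=timedelta(seconds=5)):
    """Merge a host's events that are at most max_gap apart into one burst."""
    bursts, open_by_host = [], {}
    for ts, host, want, limit in sorted(events):
        b = open_by_host.get(host)
        if b and ts - b["end"] <= max_gap:
            b["end"] = ts
            b["lines"] += 1
            b["peak_pps"] = max(b["peak_pps"], want)
            b["suppressed"] += want - limit  # estimate: responses not sent
        else:
            b = {"host": host, "start": ts, "end": ts, "lines": 1,
                 "peak_pps": want, "limit": limit, "suppressed": want - limit}
            bursts.append(b)
            open_by_host[host] = b
    return bursts

if __name__ == "__main__":
    for b in group_bursts(parse_events(SAMPLE_LOG)):
        print(f"{b['host']} {b['start']:%b %d %H:%M:%S} lines={b['lines']} "
              f"peak={b['peak_pps']}/{b['limit']} suppressed~{b['suppressed']}")
```

A burst lasting several seconds with a peak far above the limit, as in the quoted lines, matches the scan or flood cases described in the thread; a single line barely over the limit is more likely transient.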