From owner-freebsd-security Mon Aug 28 16:41:31 2000 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [207.154.226.10]) by hub.freebsd.org (Postfix) with ESMTP id B05FE37B43C for ; Mon, 28 Aug 2000 16:41:27 -0700 (PDT) Received: by elvis.mu.org (Postfix, from userid 1088) id 632C02B259; Mon, 28 Aug 2000 18:41:22 -0500 (CDT) Date: Mon, 28 Aug 2000 18:41:22 -0500 From: Dave McKay To: Dragos Ruiu Cc: Alfred Perlstein , "Col.Panic" , freebsd-security@FreeBSD.ORG Subject: Re: your mail (fwd) Message-ID: <20000828184122.A83217@elvis.mu.org> References: <20000828111254.S1209@fw.wintelcom.net> <0008281356040S.20616@smp.kyx.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <0008281356040S.20616@smp.kyx.net>; from dr@kyx.net on Mon, Aug 28, 2000 at 01:54:41PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org An nmap scan doesn't generate 3500 icmp's per second, or 3500 of any packet per second. Dragos Ruiu (dr@kyx.net) wrote: > I get this message regularly whenever I use an application that generates > a lot of ICMP from a FreeBSD machine, like when I UDP nmap a FreeBSD > target for instance. --dr > > On Mon, 28 Aug 2000, Alfred Perlstein wrote: > > > > Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps > > > > Sep 19 00:17:57 shell /kernel: icmp-response bandwidth limit 3503/200 pps > > > > Sep 19 00:17:58 shell /kernel: icmp-response bandwidth limit 3505/200 pps > > > > Sep 19 00:17:59 shell /kernel: icmp-response bandwidth limit 3502/200 pps > > > > * Col.Panic [000828 11:09] wrote: > > > I have an interesting appendage to add to this answer. I have ICMP shut > > > down at the router, and I get the same messages from my new 4.1-STABLE > > > system. I can understand if somebody is spoofing ICMP packets, but if > > > they are, how are the replies getting to my machine? > > > > > > I've looked into it, and there isn't anybody logged into the machine for > > > when this occurs. I'm at a loss. > > > > It's an icmp _response_ limit, meaning it limits the amount of icmp > > error messages your machine will generate in repsonse to bogus > > connections or listen queue overflows. > > > > most likely an ACK/SYN attack of some sort or a server unable to > > handle its listen queue (incomiming connections) > > > > -Alfred > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > -- > dursec.com ltd. / kyx.net - we're from the future > pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D > pgp key: http://www.dursec.com/drkey.asc > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Dave McKay Network Engineer - Google Inc. dave@mu.org - dave@google.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message