Message-ID: <42B8D72C.1080609@digitek-solutions.com>
Date: Tue, 21 Jun 2005 22:12:44 -0500
From: "Troy G."
To: freebsd-questions@freebsd.org
Subject: Possible Attack?

Hi all,

I was going through a few servers tonight and came across this in /var/log/messages. This particular server functions mainly as our primary webserver. It's running FreeBSD 4.8-RELEASE.

I decided to take a closer look to see what was generating these entries by loading up trafshow. I noticed quite a bit of ICMP requests coming in. I created an access-list on the Cisco and filtered ICMP to this host and the messages kept logging. It's obvious I didn't see any ICMP anymore on the server, but is this system under a heavy load? I don't see the load being that high according to top. Any suggestions?

Jun 21 21:50:55 mx1 /kernel: Limiting closed port RST response from 230 to 200 packets per second
Jun 21 21:51:23 mx1 /kernel: Limiting closed port RST response from 222 to 200 packets per second
Jun 21 21:53:02 mx1 /kernel: Limiting closed port RST response from 230 to 200 packets per second

TIA,
Troy
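
An added example, not part of the original message: a small Python parser for the kernel rate-limit lines quoted above. It groups them by response type and labels the protocol, since a "closed port RST" response is a TCP reset rather than ICMP. The function names and the embedded sample log are constructed for illustration.

```python
import re

# Constructed sample input: the three kernel lines quoted in the message above.
SAMPLE_LOG = """\
Jun 21 21:50:55 mx1 /kernel: Limiting closed port RST response from 230 to 200 packets per second
Jun 21 21:51:23 mx1 /kernel: Limiting closed port RST response from 222 to 200 packets per second
Jun 21 21:53:02 mx1 /kernel: Limiting closed port RST response from 230 to 200 packets per second
"""

# Generic over the response type, so other messages of the same shape are caught too.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+\S*kernel:\s+"
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) to (?P<limit>\d+) "
    r"packets per second\s*$"
)

def protocol_of(kind):
    """RST responses are TCP; 'icmp ...' responses are ICMP; anything else is unknown."""
    if "RST" in kind:
        return "tcp"
    return "icmp" if kind.lower().startswith("icmp") else "unknown"

def parse_events(text):
    """Return one dict per rate-limit line; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["seen"], ev["limit"] = int(ev["seen"]), int(ev["limit"])
            ev["proto"] = protocol_of(ev["kind"])
            events.append(ev)
    return events

def summarize(events):
    """Group by response type: event count, peak attempted rate, first and last timestamp."""
    out = {}
    for ev in events:
        s = out.setdefault(ev["kind"], {"proto": ev["proto"], "count": 0, "peak": 0,
                                        "limit": ev["limit"], "first": ev["ts"]})
        s["count"] += 1
        s["peak"] = max(s["peak"], ev["seen"])
        s["last"] = ev["ts"]
    return out

if __name__ == "__main__":
    for kind, s in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"{kind} ({s['proto']}): {s['count']} events, peak {s['peak']} pps, "
              f"limit {s['limit']}, {s['first']} .. {s['last']}")
```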