Date: Thu, 4 Nov 2004 12:18:08 -0600
From: Nathan Kinkade <nkinkade@ub.edu.bz>
To: freebsd-questions@freebsd.org
Subject: kernel: Limiting open port RST
Message-ID: <20041104181808.GR13601@gentoo-npk.bmp.ub>

I am getting a tremendous amount of messages on a particular server saying something close to:

    kernel: Limiting open port RST response from 302 to 200 packets/sec

I understand the reasons for the message, but I'm having a hard time tracking down a possible point source. Neither ethereal nor tcpdump seems to be picking up any packets with the TCP RST bit set. I have tried this, for example:

    # tcpdump 'tcp[tcpflags] & tcp-rst = 1'

... but get nothing. I have also tried adding a logging rule to ipfw, such as:

    # ipfw add allow log tcp from me to any tcpflags rst

However, the logged results don't appear to be correct. Log messages do show up in /var/log/security, but at the rate of about 1 message every 4 or 5 seconds, which doesn't seem consistent with a rate limit of 200 packets/sec being implemented.

Basically, I'm wanting to find out if the machine(s) causing this are coming from the internal network, or outside. And if coming from inside, which machine is flooding the server with bogus SYN requests to non-listening ports. TCP and UDP blackhole sysctls are also already set up, and it appears that the RST packets are being sent out to internet hosts with a dstport of 80. The machine being affected is running squid.

Does anyone have advice on this?

Thanks,
Nathan

-- 
PGP Public Key: pgp.mit.edu:11371/pks/lookup?op=get&search=0xD8527E49
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041104181808.GR13601>
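
Added example, not part of the original message: in pcap filter syntax `tcp-rst` names the bit value 0x04, so a flags byte masked with it is either 0 or 4 and never 1. The script below counts how many flag bytes each comparison matches, then ranks source/destination pairs from `tcpdump -nn` text. The function names, sample lines and addresses are constructed for illustration, and the line layout assumed is the one current tcpdump releases print.

```shell
#!/bin/sh
# Added example; sample lines are constructed, addresses are documentation ranges.

TCP_RST=4   # pcap's tcp-rst names bit 0x04 of the TCP flags byte

# The comparison used in the message: (flags & tcp-rst) = 1
masked_equals_one() { [ $(( $1 & TCP_RST )) -eq 1 ]; }
# The form the tcpdump manual uses for flag tests: (flags & tcp-rst) != 0
masked_nonzero() { [ $(( $1 & TCP_RST )) -ne 0 ]; }

# count_matches TEST: how many of the 256 possible flag bytes satisfy TEST
count_matches() {
    n=0; f=0
    while [ "$f" -le 255 ]; do
        if "$1" "$f"; then n=$((n + 1)); fi
        f=$((f + 1))
    done
    echo "$n"
}

# rst_by_peer: read `tcpdump -nn` text (IPv4) on stdin and print
# "count src > dst" for segments with R in the flags, busiest pair first.
rst_by_peer() {
    awk '$2 == "IP" && $6 == "Flags" && $7 ~ /R/ {
        src = $3; sub(/\.[0-9]+$/, "", src)     # drop source port
        dst = $5; sub(/\.[0-9]+:$/, "", dst)    # drop destination port and colon
        pairs[src " > " dst]++
    }
    END { for (p in pairs) print pairs[p], p }' | sort -k1,1nr -k2
}

# Constructed capture text in the layout current tcpdump prints with -nn.
sample_capture() {
    cat <<'EOF'
12:18:08.100001 IP 192.0.2.10.3128 > 203.0.113.7.80: Flags [R], seq 1001, win 0, length 0
12:18:08.100412 IP 192.0.2.10.3129 > 203.0.113.7.80: Flags [R], seq 2001, win 0, length 0
12:18:08.101090 IP 198.51.100.4.51544 > 192.0.2.10.3128: Flags [S], seq 77, win 65535, length 0
12:18:08.101377 IP 192.0.2.10.3130 > 198.51.100.9.80: Flags [R.], seq 0, ack 3002, win 0, length 0
12:18:08.102250 IP 192.0.2.10.3131 > 203.0.113.7.80: Flags [R], seq 4001, win 0, length 0
EOF
}

echo "flag bytes matched by '& tcp-rst = 1':  $(count_matches masked_equals_one)"
echo "flag bytes matched by '& tcp-rst != 0': $(count_matches masked_nonzero)"
sample_capture | rst_by_peer
```

On a live host the same ranking comes from piping `tcpdump -nn -l 'tcp[tcpflags] & tcp-rst != 0'` into `rst_by_peer`.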