Date: Sat, 29 Apr 2000 21:20:11 -0500 (CDT) From: Mike Silbersack <silby@silby.com> To: net@freebsd.org Subject: Additional rate limiting for icmp Message-ID: <Pine.BSF.4.21.0004292052400.753-200000@achilles.silby.com>
[-- Attachment #1 --]
I've thrown together a patch that extends icmp_bandlim to limit the rate
of icmp echo and tstamp responses. I've tested it on my 3.4 box, though
the patch appears to apply to 4 and current equally well; there haven't
been any significant changes to the codepath. I haven't tested its
operation on a 4 or current box yet.
At the same time, I've enhanced the logging so that you can see which type
of response it is rate limiting (icmp unreach / rst / echo / tstamp).
Note that since each type of response is limited by a separate bucket,
this patch won't affect the operation of the existing icmp unreach / rst
rate limiting at all. An echo flood won't cause rst to be suppressed.
While the patch doesn't totally negate the effect of being flooded with
icmp echo or tstamp requests, it does ensure that you don't waste your
outgoing bandwidth responding to a bogus flood, and should help boxes
handle such floods better.
I'd appreciate it if someone could review this patch and see if it's ready
to be committed to current/4/3.
Thanks,
Mike "Silby" Silbersack
[-- Attachment #2 --]
*** ip_icmp.c.3.4 Fri Apr 28 16:20:55 2000
--- ip_icmp.c.3.4.silby Sat Apr 29 20:58:28 2000
***************
*** 410,415 ****
--- 410,419 ----
icmpstat.icps_bmcastecho++;
break;
}
+ #ifdef ICMP_BANDLIM
+ if (badport_bandlim(2) < 0)
+ break;
+ #endif
icp->icmp_type = ICMP_ECHOREPLY;
goto reflect;
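Review bot: `badport_bandlim(2)` passes a bare bucket index whose meaning exists only as a comment in a later hunk, so a caller is one typo away from silently sharing the RST bucket; define named constants (e.g. `BANDLIM_ICMP_ECHO`) next to the function and use them here and in the tstamp hunk. Consider also bumping an `icmpstat` counter before the `break` so dropped echo replies are visible in the ICMP statistics and not only in the once-a-second printf.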
***************
*** 423,428 ****
--- 427,436 ----
icmpstat.icps_badlen++;
break;
}
+ #ifdef ICMP_BANDLIM
+ if (badport_bandlim(3) < 0)
+ break;
+ #endif
icp->icmp_type = ICMP_TSTAMPREPLY;
icp->icmp_rtime = iptime();
icp->icmp_ttime = icp->icmp_rtime; /* bogus, do later! */
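Review bot: same hard-coded index as the echo hunk; `badport_bandlim(3)` should use the same named-constant scheme. Since each type gets its own bucket, as the cover note says, simultaneous echo and tstamp floods can draw up to twice `icmplim` replies per second; that is acceptable, but the documentation of `icmplim` should state that the limit is per response type rather than a total.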
***************
*** 767,772 ****
--- 775,782 ----
* For now we separate the TCP and UDP subsystems w/ different 'which'
* values. We may eventually remove this separation (and simplify the
* code further).
+ *
+ * 0 == UDP, 1 == TCP, 2 == ICMP_ECHO, 3 == ICMP_TSTAMP
*
* Note that the printing of the error message is delayed so we can
* properly print the icmp error rate that the system was trying to do
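Review bot: the new mapping line contradicts the sentence just above it, which still says `which` only separates the TCP and UDP subsystems; update that text, since echo and tstamp are not port-unreachable responses at all (the function name `badport_bandlim` now misleads for the same reason). A comment is also a weak place to keep the index meaning; an enum or `#define`s shared with the callers in ip_icmp.c would let the compiler catch a wrong index.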
***************
*** 775,793 ****
* delay with more complex code.
*/
int
badport_bandlim(int which)
{
! static int lticks[2];
! static int lpackets[2];
int dticks;
/*
* Return ok status if feature disabled or argument out of
* ranage.
*/
! if (icmplim <= 0 || which >= 2 || which < 0)
return(0);
dticks = ticks - lticks[which];
--- 785,806 ----
* delay with more complex code.
*/
+ #define numpackettypes 4
+
int
badport_bandlim(int which)
{
! static int lticks[numpackettypes];
! static int lpackets[numpackettypes];
int dticks;
+ const char *packettype[] = {"icmp port unreachable","RST","icmp echo","icmp tstamp"};
/*
* Return ok status if feature disabled or argument out of
* ranage.
*/
! if (icmplim <= 0 || which >= numpackettypes || which < 0)
return(0);
dticks = ticks - lticks[which];
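Review bot: `packettype` is a non-static local array of four pointers that is rebuilt on every call, and this function runs once per candidate response during a flood; make it `static const char *const packettype[]` (or move it to file scope) so it is initialised once. `#define numpackettypes 4` should be upper case per kernel style and is better derived from the array's size so the two cannot drift apart; the initializer line is also well past 80 columns. While editing this block, fix the pre-existing `ranage` typo in the comment.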
***************
*** 797,803 ****
if ((unsigned int)dticks > hz) {
if (lpackets[which] > icmplim) {
! printf("icmp-response bandwidth limit %d/%d pps\n",
lpackets[which],
icmplim
);
--- 810,817 ----
if ((unsigned int)dticks > hz) {
if (lpackets[which] > icmplim) {
! printf("%s-response bandwidth limit %d/%d pps\n",
! packettype[which],
lpackets[which],
icmplim
);
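Review bot: the `%s-response` concatenation yields messages such as `icmp port unreachable-response bandwidth limit 250/200 pps`, which reads oddly; put the type in its own clause, e.g. `Limiting %s response from %d to %d packets/sec`. Note also that the old fixed text `icmp-response bandwidth limit` is what administrators and log-watching scripts currently match on, so the change should be called out in the commit message so alerting rules can be updated.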
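The per-type bucket behaviour the cover note describes (an echo flood exhausts only the echo bucket and leaves RSTs untouched) can be checked in user space. The following is an added example, not the patch or FreeBSD's code: it re-implements the limiter with named bucket indices, stands in for the kernel's `ticks`, `hz` and `icmplim` globals with constructed values, and assumes that the tail of `badport_bandlim` not shown in the hunks resets the bucket after one second and rejects once `++lpackets[which]` exceeds `icmplim`.

```c
#include <stdio.h>

/* Constructed stand-ins for the kernel globals the limiter reads. */
#define HZ 100
static int ticks = 0;     /* simulated kernel tick counter */
static int icmplim = 200; /* max responses per second, per type */

/* Named bucket indices in place of the patch's bare 0..3. */
enum { BL_UNREACH, BL_RST, BL_ICMP_ECHO, BL_ICMP_TSTAMP, BL_NTYPES };
static const char *const bl_name[BL_NTYPES] = {
    "icmp port unreachable", "RST", "icmp echo", "icmp tstamp" };

/* Per-type bucket: returns 0 if the response may go out, -1 to drop it.
 * The reset-and-count tail is an assumption about the unshown kernel code. */
int bandlim(int which)
{
    static int lticks[BL_NTYPES], lpackets[BL_NTYPES];
    int dticks;

    if (icmplim <= 0 || which < 0 || which >= BL_NTYPES)
        return 0;                    /* disabled or unknown type: allow */
    dticks = ticks - lticks[which];
    if ((unsigned int)dticks > HZ) { /* one second elapsed: report, reset */
        if (lpackets[which] > icmplim)
            printf("Limiting %s responses from %d to %d pps\n",
                   bl_name[which], lpackets[which], icmplim);
        lticks[which] = ticks;
        lpackets[which] = 0;
    }
    return (++lpackets[which] > icmplim) ? -1 : 0;
}

/* Offer n responses of one type at the current tick; return how many pass. */
int offer(int which, int n)
{
    int sent = 0, i;
    for (i = 0; i < n; i++)
        if (bandlim(which) == 0)
            sent++;
    return sent;
}

void advance_clock(int t) { ticks += t; }

int main(void)
{
    printf("echo flood: %d of 1000 sent\n", offer(BL_ICMP_ECHO, 1000));
    printf("rst during flood: %d of 50 sent\n", offer(BL_RST, 50));
    advance_clock(HZ + 1);
    printf("echo next second: %d of 10 sent\n", offer(BL_ICMP_ECHO, 10));
    return 0;
}
```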