From owner-freebsd-net@FreeBSD.ORG  Thu Jan 22 10:28:50 2004
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 584B616A4CE
	for <freebsd-net@freebsd.org>; Thu, 22 Jan 2004 10:28:50 -0800 (PST)
Received: from mailtoaster1.pipeline.ch (mailtoaster1.pipeline.ch
	[62.48.0.70])	by mx1.FreeBSD.org (Postfix) with ESMTP id 305AB43D39
	for <freebsd-net@freebsd.org>; Thu, 22 Jan 2004 10:28:48 -0800 (PST)
	(envelope-from andre@freebsd.org)
Received: (qmail 62698 invoked from network); 22 Jan 2004 18:28:47 -0000
Received: from unknown (HELO freebsd.org) ([62.48.0.47])
          (envelope-sender <andre@freebsd.org>)
          by mailtoaster1.pipeline.ch (qmail-ldap-1.03) with SMTP
          for <freebsd-net@freebsd.org>; 22 Jan 2004 18:28:47 -0000
Message-ID: <4010165F.2080507@freebsd.org>
Date: Thu, 22 Jan 2004 19:28:47 +0100
From: Andre Oppermann <andre@freebsd.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
	rv:1.6) Gecko/20040113
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-net@freebsd.org
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Rate limiting icmp host unreachable replies?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jan 2004 18:28:50 -0000

I'm having a FreeBSD router here that has many networks connected to it which
are only sparsely populated.  These days I get network scans (deliberate and
worms scanning for new targets) every second or so going through every IP in
my netblocks.  The router is faithfully generating ICMP host unreachable replies
to all these scans for each and every unreachable destination IP.

I wonder whether it is justifyable to rate limit the icmp host unreachable replies
just like the other icmp stuff to 200 (default) per second?  Should help alot if
the next SQL slammer is coming around and you get thousands of packets per second
for unreachable destinations.

Comments and opinions welcome!

PS: I've already coded it and it works nicely.

-- 
Andre