From owner-freebsd-security Mon Apr 15 12:28:27 2002
Date: Mon, 15 Apr 2002 20:27:53 -0500 (CDT)
From: Mike Silbersack
To: Andrew Johns
Cc: Sheldon Hearn, Christoph Kukulies
Subject: Re: Limiting closed port RST response from 381 to 200 p
In-Reply-To: <3CBAE191.9010200@kpi.com.au>
Message-ID: <20020415201908.O5071-100000@patrocles.silby.com>

On Tue, 16 Apr 2002, Andrew Johns wrote:

> Actually Sheldon I think that's a great idea - helps with
> syslog DoS somewhat as well. Anybody else care to contemplate
> making it either a default or sysctl (ICMP_BANDLIMIT_DOSLIMIT?)
>
> AJ

As the messages are limited to once per second, it's not really a syslog DoS. Just an annoyance, as Sheldon mentions.

I think that seeing the rate is useful, although having a sysctl which allows one to switch over to the format Sheldon uses could be useful. I have considered MFCing the sysctl which disables the display of these messages and making off the default, given that many people seem to panic when seeing "limiting blah".

As the rate of incoming packets seems pretty steady, I'd wager that Christoph is being scanned by nmap or some similar tool. A true DoS would probably involve a much higher packet rate.

Mike "Silby" Silbersack
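An added example, not part of the original message or of FreeBSD: a small log summarizer that pulls the pre-limit packet rate out of the once-per-second "Limiting ... response" kernel messages and reports how steady it is, the property the reply above reasons from. The full message wording ("packets per second"), the sample lines, the host name `gw` and the 10% steadiness threshold are assumptions made for illustration.

```python
import re
import statistics

# Assumed full wording of the kernel message whose start appears in the subject line.
LIMIT_RE = re.compile(
    r"Limiting (?P<kind>.+?) from (?P<seen>\d+) to (?P<cap>\d+) packets per second"
)

# Constructed sample lines (not from the thread), one message per second.
SAMPLE_LOG = """\
Apr 15 12:00:01 gw /kernel: Limiting closed port RST response from 381 to 200 packets per second
Apr 15 12:00:02 gw /kernel: Limiting closed port RST response from 377 to 200 packets per second
Apr 15 12:00:03 gw /kernel: Limiting closed port RST response from 384 to 200 packets per second
Apr 15 12:00:04 gw /kernel: Limiting closed port RST response from 379 to 200 packets per second
Apr 15 12:00:05 gw sshd[411]: unrelated line
"""

STEADY_CV = 0.10  # assumption: spread below 10% of the mean counts as "steady"


def parse(log_text):
    """Return {message kind: [pre-limit rate, ...]} for each rate-limit line."""
    rates = {}
    for line in log_text.splitlines():
        m = LIMIT_RE.search(line)
        if m:
            rates.setdefault(m["kind"], []).append(int(m["seen"]))
    return rates


def summarize(log_text):
    """Per message kind: message count, min/max/mean rate, and a steadiness flag."""
    out = {}
    for kind, seen in parse(log_text).items():
        mean = statistics.fmean(seen)
        # Coefficient of variation: population std deviation relative to the mean.
        cv = statistics.pstdev(seen) / mean if mean else 0.0
        out[kind] = {
            "messages": len(seen),
            "min": min(seen),
            "max": max(seen),
            "mean": round(mean, 1),
            "steady": len(seen) > 1 and cv < STEADY_CV,
        }
    return out


if __name__ == "__main__":
    for kind, stats in summarize(SAMPLE_LOG).items():
        print(kind, stats)
```

A steady flag only describes the shape of the traffic; what rate counts as "much higher" for a given host is a local judgment the script does not make.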