From owner-freebsd-questions Wed Feb 9 11:20: 3 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by builder.freebsd.org (Postfix) with ESMTP id BF14741B7 for ; Wed, 9 Feb 2000 11:19:57 -0800 (PST)
Received: (from bright@localhost) by fw.wintelcom.net (8.9.3/8.9.3) id LAA07673; Wed, 9 Feb 2000 11:45:59 -0800 (PST)
Date: Wed, 9 Feb 2000 11:45:58 -0800
From: Alfred Perlstein
To: John
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ICMP_BANDLIM
Message-ID: <20000209114558.B17536@fw.wintelcom.net>
References: <4.1.20000209133845.0094c1c0@mail.udel.edu> <4.1.20000209133845.0094c1c0@mail.udel.edu> <20000209112923.Y17536@fw.wintelcom.net> <4.1.20000209140745.009d5810@mail.udel.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <4.1.20000209140745.009d5810@mail.udel.edu>; from papalia@udel.edu on Wed, Feb 09, 2000 at 02:10:55PM -0500
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

* John [000209 11:40] wrote:
> >> Hey all...
> >>
> >> With all the attacks going on on yahoo, ebay, etrade, etc, it reminded me of a
> >> question I had a while back but forgot to ask...
> >>
> >> What exactly does the "ICMP_BANDLIM" kernel option do to provide
> >> 'protection'? Not much in the LINT file on it, and I can't search, so I
> >> thought I'd ask :)
> >
> >It restricts the amount of responses you will send in response to bad
> >packets.
> >
> >If someone is sending you 100mbit of garbage down your pipe, you don't
> >want to overload the system and connection by forcing it to respond
> >to each and every packet.
>
> So, in other words, it's pretty much a choke you put on your response (ex:
> answer only 1 in every 1,000 ping requests you get from a particular IP ?).

more like X per second, you'll only respond to the first 100/200/whatever
packets you get in a second, see:

~ % sysctl -a | grep icmp
net.inet.icmp.maskrepl: 0
net.inet.icmp.icmplim: 200   <------ here
net.inet.icmp.drop_redirect: 0
net.inet.icmp.log_redirect: 0
net.inet.icmp.bmcastecho: 0

> If so, are there dynamic settings to it? Or is just a single kernel option
> with no settings? And I'm also assuming that ICMP_BANDLIM is also a
> stopper for ALL network traffic (overload), not just particular items?

You can use sysctl to twiddle the limit.

You can also try a patch I have for 3.x which is Warner's work backported
from 4.0, I'd like to know if this 'helps' at all:

http://www.freebsd.org/~alfred/releng3_tcp_fix.diff

-Alfred

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
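The per-second counter Alfred describes ("you'll only respond to the first 100/200/whatever packets you get in a second"), as an added example written for this page. It is not FreeBSD's ip_icmp.c and not the patch linked in the message; the function and type names (bandlim_should_drop, bandlim_burst, the BANDLIM_* classes) and the separate counter per response class are assumptions made for the illustration. The 200-per-second default mirrors the net.inet.icmp.icmplim value shown in the sysctl output, and the flood fed to it in main() is constructed input.

```c
/*
 * Added example (not FreeBSD's ip_icmp.c and not the releng3_tcp_fix.diff
 * patch): a per-second response limiter in the spirit of ICMP_BANDLIM and
 * the net.inet.icmp.icmplim sysctl.  All names here (bandlim_*, the class
 * enum) are assumptions made for this illustration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One counter per response class, so a flood that exhausts one class
 * (e.g. port unreachables from a UDP scan) does not also silence another. */
enum bandlim_type {
    BANDLIM_UNREACH_PORT = 0,  /* ICMP port unreachable               */
    BANDLIM_RST_CLOSED,        /* TCP RST sent for a closed port      */
    BANDLIM_ECHO,              /* ICMP echo reply                     */
    BANDLIM_MAX
};

struct bandlim_state {
    uint32_t window;   /* the 1-second window (in seconds) being counted */
    uint32_t sent;     /* responses allowed so far in this window        */
    uint32_t dropped;  /* responses suppressed so far in this window     */
};

/* Stand-in for net.inet.icmp.icmplim: max responses per second, 0 = off. */
static uint32_t icmplim = 200;
static struct bandlim_state bandlim_st[BANDLIM_MAX];

void bandlim_set_limit(uint32_t limit) { icmplim = limit; }
void bandlim_reset(void) { memset(bandlim_st, 0, sizeof(bandlim_st)); }
uint32_t bandlim_dropped(enum bandlim_type type) { return bandlim_st[type].dropped; }

/*
 * Decide whether one response of class 'type' at time 'now' (whole seconds,
 * e.g. from time(NULL) or a tick counter) must be suppressed; returns true
 * to drop.  This is not a token bucket: the counter simply restarts at each
 * new second, so the first 'icmplim' responses in any second go out and the
 * remainder are dropped.
 */
bool bandlim_should_drop(enum bandlim_type type, uint32_t now)
{
    struct bandlim_state *st = &bandlim_st[type];

    if (icmplim == 0)          /* limiting disabled */
        return false;

    if (now != st->window) {
        /* New second: report what the previous window suppressed, then reset. */
        if (st->dropped > 0)
            printf("Limiting response class %d from %u to %u packets per second\n",
                   (int)type, (unsigned)(st->sent + st->dropped), (unsigned)icmplim);
        st->window = now;
        st->sent = 0;
        st->dropped = 0;
    }

    if (st->sent >= icmplim) {
        st->dropped++;
        return true;
    }
    st->sent++;
    return false;
}

/* Feed 'n' back-to-back responses of one class at time 'now' and return how
 * many were dropped; models a burst of triggers arriving within one second. */
uint32_t bandlim_burst(enum bandlim_type type, uint32_t now, uint32_t n)
{
    uint32_t dropped = 0;
    for (uint32_t i = 0; i < n; i++)
        if (bandlim_should_drop(type, now))
            dropped++;
    return dropped;
}

int main(void)
{
    bandlim_reset();
    bandlim_set_limit(200);
    /* Constructed flood: 1000 port-unreachable triggers inside second 1. */
    printf("second 1: dropped %u of 1000 port unreachables\n",
           (unsigned)bandlim_burst(BANDLIM_UNREACH_PORT, 1, 1000));
    /* Echo replies use their own counter and are not starved by the flood. */
    printf("second 1: dropped %u of 50 echo replies\n",
           (unsigned)bandlim_burst(BANDLIM_ECHO, 1, 50));
    /* Second 2: the counter starts over, so a modest rate passes untouched. */
    printf("second 2: dropped %u of 150 port unreachables\n",
           (unsigned)bandlim_burst(BANDLIM_UNREACH_PORT, 2, 150));
    return 0;
}
```

Two points the example makes that the thread only implies: the limit is on what the host sends back, not on what it accepts, so inbound garbage still costs the NIC and the input path; and because the counter is per class rather than per source address, a single attacker who exhausts the budget also suppresses the legitimate responses everyone else would have received in that second. That is the trade-off behind answering John's "1 in every 1,000 from a particular IP" guess with "more like X per second".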