Date: Mon, 5 Nov 2001 19:07:28 -0600 (CST)
From: Mike Silbersack <silby@silby.com>
To: <cjclark@alum.mit.edu>
Cc: Luigi Rizzo <rizzo@aciri.org>, <freebsd-net@FreeBSD.ORG>
Subject: Re: limiting outgoing ICMP's
Message-ID: <20011105190408.F31486-100000@achilles.silby.com>
In-Reply-To: <20011105165448.D745@blossom.cjclark.org>
On Mon, 5 Nov 2001, Crist J. Clark wrote:

> On Mon, Nov 05, 2001 at 09:07:35AM -0800, Luigi Rizzo wrote:
> > There seems to be no knob to limit outgoing icmp's (redirects, no
> > route, and the like). Wouldn't it be the case to add a sysctl
> > variable to rate-limit or disable such messages ? I do not think
> > it makes a lot of sense to let our routers become reflectors for
> > certain types of DoS attacks.
>
> A quick look at ip_icmp.c seems to indicate ICMP_BANDLIM only
> watches echo replies, unreachables, and timestamp responses (and TCP
> RSTs (?!), which aren't actually ICMP). I guess it would be
> straightforward to cover all ICMP error messages,
>
> Redirect
> Source Quench
> Time Exceeded
> Parameter Problem
>
> As well as query responses for,
>
> Information
> Address Mask
>
> To cover everything. I don't think each type needs its own rate
> limiting knob.
>
> I am not sure of how much use being able to turn off individual types
> might be. You can always run a firewall on the host to block 'em.
> --
> Crist J. Clark | cjclark@alum.mit.edu

I (or whoever's interested) could add rate limiting for those types in
about 5 minutes. The only issue is testing; I didn't have a setup to
test those types, and was unaware that they could be easily abused,
hence I did not add them last time I was in there.

True, RSTs aren't icmp, but it didn't seem worth it to rename the
function. :)

Mike "Silby" Silbersack
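The per-class rate limiting discussed in this thread, written out as an added example that is neither code from the thread nor FreeBSD's own ip_icmp.c: a user-space model in which one knob (named after FreeBSD's net.inet.icmp.icmplim sysctl, but with simplified fixed one-second-window semantics) caps each class of outgoing ICMP message, including the error and query-response types proposed above. The class names, the window, and the icmp_burst_dropped helper are assumptions made for illustration.

```c
/* Added example (not FreeBSD code): a user-space model of ICMP_BANDLIM-style
 * rate limiting extended to the message types proposed in the thread. */
#include <stdbool.h>
#include <stdint.h>

/* Type numbers from RFC 792 / RFC 950. */
enum { ICMP_ECHOREPLY = 0, ICMP_UNREACH = 3, ICMP_SOURCEQUENCH = 4, ICMP_REDIRECT = 5,
       ICMP_TIMXCEED = 11, ICMP_PARAMPROB = 12, ICMP_TSTAMPREPLY = 14,
       ICMP_IREQREPLY = 16, ICMP_MASKREPLY = 18 };

/* One counter per class (names assumed): the two ICMP_BANDLIM already covers, plus
 * the error messages and query responses proposed above, all under one knob. */
enum icmp_class { CLASS_NONE = -1, CLASS_REPLY, CLASS_UNREACH, CLASS_ERROR,
                  CLASS_QUERYRESP, CLASS_COUNT };

enum icmp_class icmp_classify(int type)
{
    switch (type) {
    case ICMP_ECHOREPLY: case ICMP_TSTAMPREPLY:                    return CLASS_REPLY;
    case ICMP_UNREACH:                                             return CLASS_UNREACH;
    case ICMP_SOURCEQUENCH: case ICMP_REDIRECT:
    case ICMP_TIMXCEED: case ICMP_PARAMPROB:                       return CLASS_ERROR;
    case ICMP_IREQREPLY: case ICMP_MASKREPLY:                      return CLASS_QUERYRESP;
    default:                                                       return CLASS_NONE; /* never limited */
    }
}

/* Assumed single sysctl-like knob: messages per class per one-second window; 0 disables. */
int icmplim = 200;

struct icmp_limiter { uint32_t window_start[CLASS_COUNT]; int count[CLASS_COUNT]; };

/* Returns true if an outgoing ICMP message of this type should be dropped. */
bool icmp_ratelimit(struct icmp_limiter *l, int type, uint32_t now_sec)
{
    enum icmp_class c = icmp_classify(type);
    if (c == CLASS_NONE || icmplim <= 0)
        return false;
    if (l->window_start[c] != now_sec) {          /* first message of a new window */
        l->window_start[c] = now_sec;
        l->count[c] = 0;
    }
    return ++l->count[c] > icmplim;
}

/* Send n messages of one type inside a single window; returns how many are dropped. */
int icmp_burst_dropped(int type, int n)
{
    struct icmp_limiter l = {{0}, {0}};
    int dropped = 0;
    for (int i = 0; i < n; i++)
        dropped += icmp_ratelimit(&l, type, 1) ? 1 : 0;
    return dropped;
}
```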