Date: Mon, 5 Nov 2001 19:07:28 -0600 (CST)
From: Mike Silbersack
Cc: Luigi Rizzo
Subject: Re: limiting outgoing ICMP's
In-Reply-To: <20011105165448.D745@blossom.cjclark.org>
Message-ID: <20011105190408.F31486-100000@achilles.silby.com>

On Mon, 5 Nov 2001, Crist J. Clark wrote:

> On Mon, Nov 05, 2001 at 09:07:35AM -0800, Luigi Rizzo wrote:
> > There seems to be no knob to limit outgoing icmp's (redirects, no
> > route, and the like). Wouldn't it be the case to add a sysctl
> > variable to rate-limit or disable such messages ? I do not think
> > it makes a lot of sense to let our routers become reflectors for
> > certain types of DoS attacks.
>
> A quick look at ip_icmp.c seems to indicate ICMP_BANDLIM only
> watches echo replies, unreachables, and timestamp responses (and TCP
> RSTs (?!), which aren't actually ICMP). I guess it would be
> straightforward to cover all ICMP error messages,
>
> Redirect
> Source Quench
> Time Exceeded
> Parameter Problem
>
> As well as query responses for,
>
> Information
> Address Mask
>
> To cover everything. I don't think each type needs its own rate
> limiting knob.
>
> I am not sure of how much use being able to turn off individual types
> might be. You can always run a firewall on the host to block 'em.
> --
> Crist J. Clark | cjclark@alum.mit.edu

I (or whoever's interested) could add rate limiting for those types in
about 5 minutes. The only issue is testing; I didn't have a setup to
test those types, and was unaware that they could be easily abused,
hence I did not add them last time I was in there.

True, RSTs aren't icmp, but it didn't seem worth it to rename the
function. :)

Mike "Silby" Silbersack
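As an added example, not code from this thread or from FreeBSD's ip_icmp.c, a userland sketch of the per-type limiter Crist describes: outgoing ICMP types are mapped onto a few buckets (query replies, unreachables, the other error types), each bucket keeps one counter that restarts every second, and anything past the limit is suppressed so the host cannot be used as a reflector. The bucket names, the icmp_bandlim_* functions and the limit of 200 messages per second per bucket are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* ICMP type numbers (RFC 792), defined locally so the file stands alone. */
enum { ICMP_ECHOREPLY = 0, ICMP_UNREACH = 3, ICMP_SOURCEQUENCH = 4,
       ICMP_REDIRECT = 5, ICMP_ECHO = 8, ICMP_TIMXCEED = 11, ICMP_PARAMPROB = 12,
       ICMP_TSTAMPREPLY = 14, ICMP_IREQREPLY = 16, ICMP_MASKREPLY = 18 };

/* One counter per message class; bucket names are ours, not the kernel's. */
enum { BANDLIM_REPLY, BANDLIM_UNREACH, BANDLIM_ERROR, BANDLIM_MAX, BANDLIM_NONE };

/* Map an outgoing ICMP type to its bucket, or BANDLIM_NONE if never limited. */
static int icmp_bucket(int type)
{
    switch (type) {
    case ICMP_ECHOREPLY: case ICMP_TSTAMPREPLY: case ICMP_IREQREPLY: case ICMP_MASKREPLY:
        return BANDLIM_REPLY;    /* query responses: the classic reflector fodder */
    case ICMP_UNREACH:
        return BANDLIM_UNREACH;  /* already covered by ICMP_BANDLIM today */
    case ICMP_REDIRECT: case ICMP_SOURCEQUENCH: case ICMP_TIMXCEED: case ICMP_PARAMPROB:
        return BANDLIM_ERROR;    /* the error types the thread proposes adding */
    default:
        return BANDLIM_NONE;     /* e.g. echo requests this host originates */
    }
}

static unsigned icmplim = 200;   /* assumed limit: messages per second per bucket */
static struct { uint32_t window; unsigned count; } buckets[BANDLIM_MAX];
void icmp_bandlim_reset(void) { memset(buckets, 0, sizeof buckets); }

/* True if this outgoing ICMP should be suppressed. Fixed one-second windows:
 * the bucket's counter restarts whenever the clock second changes. */
bool icmp_bandlim_drop(int type, uint32_t now_sec)
{
    int b = icmp_bucket(type);
    if (b == BANDLIM_NONE) return false;
    if (buckets[b].window != now_sec) { buckets[b].window = now_sec; buckets[b].count = 0; }
    return ++buckets[b].count > icmplim;
}

/* Offer n messages of one type in the same second; return how many were dropped. */
unsigned icmp_bandlim_run(int type, uint32_t now_sec, unsigned n)
{
    unsigned dropped = 0;
    while (n-- > 0)
        dropped += icmp_bandlim_drop(type, now_sec);
    return dropped;
}
```

In a kernel the decision would sit on the ICMP output path with the clock read there; the caller passes the current second here so the behaviour can be exercised deterministically.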