Date: Mon, 5 Nov 2001 18:48:57 -0800
From: Luigi Rizzo <rizzo@aciri.org>
To: Mike Silbersack <silby@silby.com>
Cc: cjclark@alum.mit.edu, freebsd-net@FreeBSD.ORG
Subject: Re: limiting outgoing ICMP's
Message-ID: <20011105184856.B79198@iguana.aciri.org>
In-Reply-To: <20011105190408.F31486-100000@achilles.silby.com>
References: <20011105165448.D745@blossom.cjclark.org> <20011105190408.F31486-100000@achilles.silby.com>
Am I wrong, or does all of the ICMP_BANDLIM stuff only deal with _incoming_ ICMP messages and UDP badport? I see no way to intercept calls to icmp_error(), which is invoked both by ip_input and ip_fw. BTW, why is the check to badport_bandlim not moved inside icmp_error itself?

For the record, the problem came out when sending packets to a FreeBSD router box which had neither a default route nor a route for the intended destination of the packet. Pretty easy to test.

cheers
luigi

On Mon, Nov 05, 2001 at 07:07:28PM -0600, Mike Silbersack wrote:
>
> On Mon, 5 Nov 2001, Crist J. Clark wrote:
>
> > On Mon, Nov 05, 2001 at 09:07:35AM -0800, Luigi Rizzo wrote:
> > > There seems to be no knob to limit outgoing ICMPs (redirects, no
> > > route, and the like). Wouldn't it be the case to add a sysctl
> > > variable to rate-limit or disable such messages? I do not think
> > > it makes a lot of sense to let our routers become reflectors for
> > > certain types of DoS attacks.
> >
> > A quick look at ip_icmp.c seems to indicate ICMP_BANDLIM only
> > watches echo replies, unreachables, and timestamp responses (and TCP
> > RSTs (?!), which aren't actually ICMP). I guess it would be
> > straightforward to cover all ICMP error messages,
> >
> > Redirect
> > Source Quench
> > Time Exceeded
> > Parameter Problem
> >
> > as well as query responses for
> >
> > Information
> > Address Mask
> >
> > to cover everything. I don't think each type needs its own rate
> > limiting knob.
> >
> > I am not sure of how much use being able to turn off individual types
> > might be. You can always run a firewall on the host to block 'em.
> > --
> > Crist J. Clark | cjclark@alum.mit.edu
>
> I (or whoever's interested) could add rate limiting for those types in
> about 5 minutes. The only issue is testing; I didn't have a setup to test
> those types, and was unaware that they could be easily abused, hence I
> did not add them last time I was in there.
>
> True, RSTs aren't ICMP, but it didn't seem worth it to rename the
> function. :)
>
> Mike "Silby" Silbersack
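As an added example (not FreeBSD's ip_icmp.c and not code from anyone in this thread), here is a small C model of the limiter the thread is asking for: one budget per class of outgoing ICMP message, checked at the single point that builds the reply so that every caller of it (ip_input, ip_fw, and so on) is covered, with the number of suppressed messages logged once per window. It goes slightly beyond the thread by covering every class Crist lists, plus source quench, with one shared knob. The class names, the one-second window, the 200-per-window budget, and all function names are assumptions made for illustration; the ICMP type numbers are the RFC 792 values.

```c
/*
 * Added example, not FreeBSD code: per-class rate limiting of outgoing
 * ICMP messages, placed where the reply is built so all callers share it.
 * Class names, window length and budget are assumptions.
 */
#include <stdint.h>
#include <stdio.h>

/* ICMP message types from RFC 792 that the limiter classifies. */
#define ICMP_ECHOREPLY     0
#define ICMP_UNREACH       3
#define ICMP_SOURCEQUENCH  4
#define ICMP_REDIRECT      5
#define ICMP_TIMXCEED     11
#define ICMP_PARAMPROB    12
#define ICMP_TSTAMPREPLY  14
#define ICMP_IREQREPLY    16
#define ICMP_MASKREPLY    18

/* Limiter classes (assumed names): one budget per class, not per type. */
enum bandlim_class {
    BANDLIM_ECHO,        /* echo, timestamp, information and mask replies */
    BANDLIM_UNREACH,
    BANDLIM_REDIRECT,
    BANDLIM_TIMXCEED,
    BANDLIM_PARAMPROB,
    BANDLIM_SQUENCH,
    BANDLIM_MAX
};

struct bandlim_state {
    const char *name;
    uint64_t    window_start_ms;  /* start of the current accounting window */
    unsigned    sent;             /* messages allowed in this window */
    unsigned    dropped;          /* messages suppressed in this window */
};

static const uint64_t bandlim_window_ms = 1000;  /* assumed window length */
static unsigned icmplim = 200;                   /* assumed budget per class and window */

static struct bandlim_state bandlim[BANDLIM_MAX] = {
    [BANDLIM_ECHO]      = { .name = "query reply" },
    [BANDLIM_UNREACH]   = { .name = "unreach" },
    [BANDLIM_REDIRECT]  = { .name = "redirect" },
    [BANDLIM_TIMXCEED]  = { .name = "time exceeded" },
    [BANDLIM_PARAMPROB] = { .name = "parameter problem" },
    [BANDLIM_SQUENCH]   = { .name = "source quench" },
};

/* Map an ICMP type to its limiter class; -1 means the type is not limited. */
int bandlim_class_of(int icmp_type)
{
    switch (icmp_type) {
    case ICMP_ECHOREPLY: case ICMP_TSTAMPREPLY:
    case ICMP_IREQREPLY: case ICMP_MASKREPLY: return BANDLIM_ECHO;
    case ICMP_UNREACH:                        return BANDLIM_UNREACH;
    case ICMP_REDIRECT:                       return BANDLIM_REDIRECT;
    case ICMP_TIMXCEED:                       return BANDLIM_TIMXCEED;
    case ICMP_PARAMPROB:                      return BANDLIM_PARAMPROB;
    case ICMP_SOURCEQUENCH:                   return BANDLIM_SQUENCH;
    default:                                  return -1;
    }
}

/*
 * Decide whether one message of icmp_type may be emitted at now_ms.
 * Returns 1 to send, 0 to drop.  The clock is passed in rather than read
 * here so the policy can be exercised deterministically.
 */
int icmp_bandlim_ok(int icmp_type, uint64_t now_ms)
{
    int c = bandlim_class_of(icmp_type);
    if (c < 0)
        return 1;                          /* unclassified types are not limited */
    struct bandlim_state *s = &bandlim[c];

    if (now_ms - s->window_start_ms >= bandlim_window_ms) {
        /* New window: report what was suppressed, then reset the counters. */
        if (s->dropped > 0)
            printf("Limiting ICMP %s output: %u of %u suppressed in last %llu ms\n",
                   s->name, s->dropped, s->sent + s->dropped,
                   (unsigned long long)bandlim_window_ms);
        s->window_start_ms = now_ms;
        s->sent = 0;
        s->dropped = 0;
    }
    if (s->sent >= icmplim) {
        s->dropped++;
        return 0;
    }
    s->sent++;
    return 1;
}

/* Clear all limiter state. */
void icmp_bandlim_reset(void)
{
    for (int c = 0; c < BANDLIM_MAX; c++) {
        bandlim[c].window_start_ms = 0;
        bandlim[c].sent = 0;
        bandlim[c].dropped = 0;
    }
}

/* Offer n messages of one type at the same instant; return how many pass. */
unsigned icmp_bandlim_burst(int icmp_type, unsigned n, uint64_t now_ms)
{
    unsigned passed = 0;
    for (unsigned i = 0; i < n; i++)
        passed += icmp_bandlim_ok(icmp_type, now_ms);
    return passed;
}

int main(void)
{
    /* Constructed scenario: a flood of packets with no route makes the
     * router want to answer every one of them with an unreachable. */
    icmp_bandlim_reset();
    printf("unreach burst of 5000 at t=0: %u sent\n",
           icmp_bandlim_burst(ICMP_UNREACH, 5000, 0));
    printf("redirect burst of 50 at t=0: %u sent\n",
           icmp_bandlim_burst(ICMP_REDIRECT, 50, 0));
    printf("unreach at t=1500ms: %s\n",
           icmp_bandlim_ok(ICMP_UNREACH, 1500) ? "sent" : "dropped");
    return 0;
}
```

Two design points follow from the thread. Putting the check in the one routine that builds the reply means a caller that bypasses the UDP badport path (ip_fw, or the no-route case Luigi describes) still gets limited, and a per-class budget keeps an unreachable flood from starving legitimate redirects. The once-per-window log line doubles as a detection signal: a router that keeps printing it is being used as a reflector, or has a routing hole.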