From owner-freebsd-bugs Sat Dec 2 12:00:09 2000
Delivered-To: freebsd-bugs@hub.freebsd.org
Message-Id: <200012021957.eB2JvUt95911@freefall.freebsd.org>
Date: Sat, 2 Dec 2000 11:57:30 -0800 (PST)
From: silby@silby.com
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: kern/23240: Proposed enhancement to icmp/rst rate limiting code in verbosity and functionality
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number:         23240
>Category:       kern
>Synopsis:       Proposed enhancement to icmp/rst rate limiting code in verbosity and functionality
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 02 12:00:02 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Mike Silbersack
>Release:        5.0-CURRENT
>Organization:
>Environment:
>Description:

The current icmp/rst rate limiting code works well to slow the rate of outgoing RST and icmp unreachables, but has two flaws:

1. The messages generated during rate limiting are inexact and confusing to many.
2. ICMP echo and tstamp requests are not rate limited.

Fixing these two flaws will allow those under attack to be more informed, and ensure that ping floods will be less of a problem.
>How-To-Repeat:
>Fix:

A patch is available at http://www.silby.com/patches/ratelimit-enhancement-2.patch

This patch enhances the rate limiting to include echo and tstamp requests as well as provide a more verbose report of what's happening, as follows:

    Suppressing udp flood/scan: 212/200 pps
    Suppressing outgoing RST due to port scan: 202/200 pps
    Suppressing outgoing RST due to ACK flood: 19725/200 pps
    Suppressing ping flood: 230/200 pps
    Suppressing icmp tstamp flood: 210/200 pps

Note that "port scan" and "ACK flood" are great oversimplifications. However, they are useful simplifications in that they give a good, simple explanation of what's happening for junior sysadmins. People doing investigation of a heavy DoS will have to use packet sniffers to get exact information, as before.

A previous version of this patch passed a quick review by green and bosko; the only changes made were cosmetic.

>Release-Note:
>Audit-Trail:
>Unformatted:
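The patch itself is not reproduced in the PR, so the following is an added illustration (not the submitter's code or FreeBSD's) of the mechanism it describes: a per-class counter over one-second windows that drops replies above a limit and, when the window closes, reports the attempted count against the limit in the "Suppressing <what>: N/200 pps" form shown above. The class names and the 200 pps limit are taken from the sample output; the enum, function names and the counter layout are assumptions for the demo, and the report is emitted lazily on the next reply of that class rather than by a timer.

```c
#include <stdio.h>
#include <string.h>

/* Reply classes the PR proposes to report on; strings match its sample output. */
enum { BL_UDP, BL_RST_SCAN, BL_RST_ACK, BL_ECHO, BL_TSTAMP, BL_MAX };
static const char *bl_name[BL_MAX] = {
    "udp flood/scan", "outgoing RST due to port scan",
    "outgoing RST due to ACK flood", "ping flood", "icmp tstamp flood",
};
#define BL_PPS 200 /* assumed per-class limit; the PR's samples all show /200 pps */

struct bl_state {
    long second;     /* one-second window this class is currently counting in */
    int  count;      /* replies attempted in that window, including dropped ones */
    char report[96]; /* summary produced once the window closes */
};
static struct bl_state bl[BL_MAX];

/* Decide whether one reply of class `which` may go out at time `now` (whole seconds).
 * Returns 1 to drop, 0 to send. If the previous window of this class overran the
 * limit, *msg points at a "Suppressing <what>: <attempted>/<limit> pps" line; else NULL. */
static int bl_check(int which, long now, const char **msg)
{
    struct bl_state *s = &bl[which];
    *msg = NULL;
    if (now != s->second) {                     /* window rolled over */
        if (s->count > BL_PPS) {
            snprintf(s->report, sizeof s->report, "Suppressing %s: %d/%d pps",
                     bl_name[which], s->count, BL_PPS);
            *msg = s->report;
        }
        s->second = now;
        s->count = 0;
    }
    return ++s->count > BL_PPS;
}

/* Offer `n` replies of one class within the same second; returns how many were dropped. */
static int bl_burst(int which, long now, int n)
{
    const char *msg;
    int dropped = 0;
    for (int i = 0; i < n; i++)
        dropped += bl_check(which, now, &msg);
    return dropped;
}

int main(void)
{
    const char *msg;
    int dropped = bl_burst(BL_ECHO, 1000, 230);   /* constructed: 230 echo requests in one second */
    bl_check(BL_ECHO, 1001, &msg);                /* next second: window closes, report appears */
    printf("dropped %d, report: %s\n", dropped, msg ? msg : "(none)");
    return 0;
}
```

A real implementation would emit the summary from a timer or on the first reply of the new window, as here, so that a flood that stops abruptly still gets its last line logged.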