Delivered-To: freebsd-stable@freebsd.org
Date: Wed, 18 Apr 2001 13:07:33 -0700 (PDT)
From: Doug White
To: Michael Grant
Subject: Re: open port RST response messages
In-Reply-To: <200104170846.KAA22298@splat.grant.org>

On Tue, 17 Apr 2001, Michael Grant wrote:

> I'm getting loads of messages like these in my logs:
>
> /kernel: Limiting open port RST response from 990 to 200 packets per second
>
> What's going on here, is someone sending me the RST packet or
> is it my server that's RSTing an open connection?
>
> Whatever it is, it's not constant, I've sat there with tcpdump waiting
> and watching and have never seen huge numbers of TCP RST packets going
> by:
>
> tcpdump 'tcp[13] & 0x04 != 0'

It means someone is SYN flooding a closed port on your box. The system
rate-limits the replies to reduce the damage. You can tune it with
sysctl, but that's a lot of traffic .. you should probably tcpdump and see
what bozo is banging on it.

Doug White                    |  FreeBSD: The Power to Serve
dwhite@resnet.uoregon.edu     |  www.FreeBSD.org
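The reply suggests using tcpdump to find the source of the traffic. The following is an added example, not part of the original message: it tallies inbound SYN-only packets per source from `tcpdump -nn` text output and sets them beside the RSTs the host actually sent back. The sample lines, the addresses and the name `summarize` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `tcpdump -nn` text output (documentation addresses only).
SAMPLE = """\
13:07:01.000101 IP 192.0.2.10.40001 > 198.51.100.5.81: Flags [S], seq 1001, win 65535, length 0
13:07:01.000202 IP 192.0.2.10.40002 > 198.51.100.5.81: Flags [S], seq 1002, win 65535, length 0
13:07:01.000303 IP 198.51.100.5.81 > 192.0.2.10.40001: Flags [R.], seq 0, ack 1002, win 0, length 0
13:07:01.000404 IP 203.0.113.7.51515 > 198.51.100.5.80: Flags [S], seq 77, win 65535, length 0
13:07:01.000505 IP 198.51.100.5.80 > 203.0.113.7.51515: Flags [S.], seq 9, ack 78, win 65535, length 0
13:07:01.000606 IP 192.0.2.10.40003 > 198.51.100.5.82: Flags [S], seq 1003, win 65535, length 0
13:07:01.000707 IP 203.0.113.7.51515 > 198.51.100.5.80: Flags [.], ack 10, win 65535, length 0
"""

# Matches "IP src.sport > dst.dport: Flags [..]" as printed by tcpdump -nn for IPv4.
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def summarize(lines, local_ip):
    """Return [(source, syn_count, sorted dest ports, rsts_sent_to_source)],
    busiest source first. Only SYN-without-ACK packets are counted as probes."""
    syns = Counter()            # inbound SYN-only packets per source
    ports = defaultdict(set)    # local ports each source targeted
    rst_sent = Counter()        # RSTs this host sent to each peer
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue            # non-TCP or unparsable line
        flags = m["flags"]
        if m["dst"] == local_ip and flags == "S":
            syns[m["src"]] += 1
            ports[m["src"]].add(int(m["dport"]))
        elif m["src"] == local_ip and "R" in flags:
            rst_sent[m["dst"]] += 1
    return [(s, n, sorted(ports[s]), rst_sent[s]) for s, n in syns.most_common()]


if __name__ == "__main__":
    for src, n, dports, rsts in summarize(SAMPLE.splitlines(), "198.51.100.5"):
        print(f"{src}: {n} SYNs to ports {dports}, {rsts} RSTs sent back")
```

A source with many SYNs and far fewer RSTs sent back is consistent with the kernel limiting its replies, which is why a filter that matches only RST packets can show little traffic while the log reports hundreds of packets per second.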