From owner-freebsd-security Tue Jan 21 8:11:11 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9520937B401 for ; Tue, 21 Jan 2003 08:11:08 -0800 (PST)
Received: from mail.seekingfire.com (coyote.seekingfire.com [24.72.10.212]) by mx1.FreeBSD.org (Postfix) with ESMTP id 580B643F13 for ; Tue, 21 Jan 2003 08:11:05 -0800 (PST) (envelope-from tillman@seekingfire.com)
Received: from blues.seekingfire.prv (blues.seekingfire.prv [192.168.23.211]) by mail.seekingfire.com (Postfix) with ESMTP id 82F8427B for ; Tue, 21 Jan 2003 10:10:58 -0600 (CST)
Received: (from tillman@localhost) by blues.seekingfire.prv (8.11.6/8.11.6) id h0LGDvC09558 for freebsd-security@FreeBSD.ORG; Tue, 21 Jan 2003 10:13:57 -0600
Date: Tue, 21 Jan 2003 10:13:57 -0600
From: Tillman
To: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
Message-ID: <20030121101357.A9405@seekingfire.com>
References: <200301211600.h0LG08vD022507@dc.cis.okstate.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <200301211600.h0LG08vD022507@dc.cis.okstate.edu>; from martin@dc.cis.okstate.edu on Tue, Jan 21, 2003 at 10:00:08AM -0600
X-Urban-Legend: There is lots of hidden information in headers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, Jan 21, 2003 at 10:00:08AM -0600, Martin McCormick wrote:
> On rare occasions, a FreeBSD system in our network has
> been known to print the example shown in the subject at a furious
> rate for a short time and then things get back to normal.
>
> Is that what the effects of a ping flood look like?
``Limiting icmp unreach response from 231 to 200 packets per second''

What you're seeing is the kernel limiting ICMP responses to 200/second.
If there are more than 200 ICMP requests per second, and you have
net.inet.icmp.icmplim set to 200 via sysctl (the default value), this
occurs.

This could be an ICMP flood attack. It could also be legitimate traffic.
For your network, what would you consider to be a normal number of ICMP
requests per second? 231 packets/second is actually pretty slow if you're
on a high speed local network, so in that situation it's unlikely to be a
deliberate ping flood. I've had network monitoring tools that were badly
configured do something that looked much like this.

- Tillman

--
Page 41: Two of the most important Unix traditions are to share and to
help people.
        - Harley Hahn, _The Unix Companion_
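To answer Tillman's question ("what is normal for your network?") from the logs rather than from memory, here is an added Python example; it is mine, not code from either mail or from FreeBSD, and the sample syslog lines, hostnames and timestamps in it are constructed. It parses the kernel's rate-limit messages out of /var/log/messages, and it generalizes past the subject line to the other kinds the same limiter reports in the same format ("icmp ping response", "closed port RST response"). The first number in each message is how many such packets the kernel wanted to send in that one-second interval, the second is the cap (net.inet.icmp.icmplim); the example reports, per kind, how many seconds were limited, the peak rate, how many packets were suppressed, and the longest run of consecutive limited seconds.

```python
import re
from datetime import datetime

# Constructed sample from /var/log/messages (made up for this example; only
# the message format matches what the FreeBSD kernel prints).
SAMPLE_LOG = """\
Jan 21 09:58:01 gw kernel: Limiting icmp unreach response from 231 to 200 packets per second
Jan 21 09:58:02 gw kernel: Limiting icmp unreach response from 240 to 200 packets per second
Jan 21 09:58:03 gw kernel: Limiting icmp unreach response from 205 to 200 packets per second
Jan 21 09:58:03 gw sshd[1234]: Accepted publickey for tillman from 192.168.23.211
Jan 21 09:58:04 gw kernel: Limiting closed port RST response from 312 to 200 packets per second
Jan 21 09:58:07 gw kernel: Limiting icmp unreach response from 210 to 200 packets per second
"""

# One regex covers every kind the limiter reports: "icmp unreach response",
# "icmp ping response", "closed port RST response", ...  The first number is
# the packets the kernel wanted to send in that one-second interval, the
# second is the configured cap (net.inet.icmp.icmplim).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"Limiting (?P<kind>.+?) from (?P<attempted>\d+) to (?P<limit>\d+) "
    r"packets per second$"
)


def parse_bandlim(log_text):
    """Return one dict per rate-limit line; unrelated syslog lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        attempted, limit = int(m["attempted"]), int(m["limit"])
        events.append({
            # syslog timestamps carry no year; strptime defaults to 1900,
            # which is fine for computing differences within one log.
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "host": m["host"],
            "kind": m["kind"],
            "attempted": attempted,
            "limit": limit,
            "excess": attempted - limit,   # packets the kernel refused to send
        })
    return events


def summarize(events):
    """Per kind: seconds in which the cap was hit, peak attempted rate,
    the cap itself, and total packets suppressed."""
    out = {}
    for e in events:
        s = out.setdefault(e["kind"],
                           {"seconds": 0, "peak": 0, "limit": e["limit"], "suppressed": 0})
        s["seconds"] += 1
        s["peak"] = max(s["peak"], e["attempted"])
        s["suppressed"] += e["excess"]
    return out


def longest_burst(events, kind):
    """Longest run of consecutive seconds during which `kind` was limited.
    A long sustained run looks more like a flood or a port scan than the
    short blips a misconfigured monitoring tool tends to produce."""
    times = sorted(e["ts"] for e in events if e["kind"] == kind)
    best = run = 0
    prev = None
    for t in times:
        run = run + 1 if prev is not None and (t - prev).total_seconds() <= 1 else 1
        best = max(best, run)
        prev = t
    return best


if __name__ == "__main__":
    ev = parse_bandlim(SAMPLE_LOG)
    for kind, s in summarize(ev).items():
        print(f"{kind}: limited in {s['seconds']}s, peak {s['peak']}/s vs cap "
              f"{s['limit']}/s, {s['suppressed']} packets suppressed, "
              f"longest burst {longest_burst(ev, kind)}s")
```

Two practitioner notes. First, "icmp unreach" responses are mostly the kernel answering UDP datagrams sent to closed ports, so a burst of them usually means a UDP port scan, a traceroute storm, or a monitoring tool polling the wrong port, rather than a ping flood; pair the summary above with a tcpdump of inbound UDP to the host during the burst before drawing conclusions. Second, `sysctl net.inet.icmp.icmplim` shows the cap Tillman mentions; raising it makes the box a better reflector, so prefer leaving it at 200 and, if the log noise is the only problem, silencing the message with net.inet.icmp.icmplim_output=0 on releases that have that knob.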