Date:      Tue, 21 Jan 2003 10:13:57 -0600
From:      Tillman <tillman@seekingfire.com>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Limiting icmp unreach response from 231 to 200 packets per second
Message-ID:  <20030121101357.A9405@seekingfire.com>
In-Reply-To: <200301211600.h0LG08vD022507@dc.cis.okstate.edu>; from martin@dc.cis.okstate.edu on Tue, Jan 21, 2003 at 10:00:08AM -0600
References:  <200301211600.h0LG08vD022507@dc.cis.okstate.edu>

On Tue, Jan 21, 2003 at 10:00:08AM -0600, Martin McCormick wrote:
> 	On rare occasions, a FreeBSD system in our network has
> been known to print the example shown in the subject at a furious
> rate for a short time and then things get back to normal.
> 
> 	Is that what the effects of a ping flood look like?

``Limiting icmp unreach response from 231 to 200 packets per second''

What you're seeing is the kernel limiting ICMP responses to 200/second.
If there are more than 200 ICMP requests per second, and you have
net.inet.icmp.icmplim set to 200 via sysctl (the default value), this
occurs.

This could be an ICMP flood attack. It could also be legitimate traffic.
For your network, what would you consider to be a normal number of ICMP
requests per second?

231 packets/second is actually pretty slow if you're on a high speed
local network, so in that situation it's unlikely to be a deliberate
ping flood. I've had network monitoring tools that were badly configured
do something that looked much like this.

- Tillman

-- 
Page 41: Two of the most important Unix traditions are to share and to
help people.
	- Harley Hahn, _The Unix Companion_
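
An added example, not part of the original post: a Python script that groups these kernel rate-limit messages from syslog into bursts, so a brief spike such as 231/s can be told apart from a sustained or much larger one. The sample log lines, the hostname `gw1`, the 5-second grouping gap and the one-message-per-second reading of the counts are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines: hostname, timestamps and counts are made up;
# only the message wording comes from the subject line of the post.
SAMPLE_LOG = """\
Jan 21 09:58:01 gw1 /kernel: Limiting icmp unreach response from 231 to 200 packets per second
Jan 21 09:58:02 gw1 /kernel: Limiting icmp unreach response from 260 to 200 packets per second
Jan 21 09:58:03 gw1 /kernel: Limiting icmp unreach response from 214 to 200 packets per second
Jan 21 09:58:04 gw1 sshd[411]: Accepted publickey for admin
Jan 21 13:20:40 gw1 /kernel: Limiting icmp unreach response from 1900 to 200 packets per second
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?"
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) to (?P<limit>\d+) "
    r"packets per second"
)

def parse(log_text, year=2003):
    """Yield (timestamp, kind, seen, limit) for each rate-limit message."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["kind"], int(m["seen"]), int(m["limit"])

def bursts(events, max_gap=timedelta(seconds=5)):
    """Group messages of one kind into bursts separated by more than max_gap."""
    out = []
    for ts, kind, seen, limit in sorted(events):
        cur = out[-1] if out else None
        if cur and cur["kind"] == kind and ts - cur["end"] <= max_gap:
            cur["end"] = ts
            cur["messages"] += 1
            cur["peak"] = max(cur["peak"], seen)
            cur["over_limit"] += seen - limit  # assumes one message per second
        else:
            out.append({"kind": kind, "start": ts, "end": ts, "messages": 1,
                        "peak": seen, "limit": limit,
                        "over_limit": seen - limit})
    return out

if __name__ == "__main__":
    for b in bursts(parse(SAMPLE_LOG)):
        print(b["start"], b["kind"], "peak", b["peak"], "over", b["over_limit"])
```
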
