From owner-freebsd-current  Fri Apr 12 14:21:34 1996
Return-Path: owner-current
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id OAA28704
          for current-outgoing; Fri, 12 Apr 1996 14:21:34 -0700 (PDT)
Received: from irz301.inf.tu-dresden.de (irz301.inf.tu-dresden.de [141.76.1.11])
          by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id OAA28630
          for <freebsd-current@FreeBSD.org>; Fri, 12 Apr 1996 14:21:21 -0700 (PDT)
Received: from sax.sax.de by irz301.inf.tu-dresden.de (8.6.12/8.6.12-s1) with ESMTP id XAA09316 for <freebsd-current@FreeBSD.org>; Fri, 12 Apr 1996 23:20:44 +0200
Received: by sax.sax.de (8.6.11/8.6.12-s1) with UUCP
	id XAA05346 for freebsd-current@FreeBSD.org; Fri, 12 Apr 1996 23:20:44 +0200
Received: (from j@localhost) by uriah.heep.sax.de (8.7.5/8.6.9) id WAA11307 for freebsd-current@FreeBSD.org; Fri, 12 Apr 1996 22:45:45 +0200 (MET DST)
From: J Wunsch <j@uriah.heep.sax.de>
Message-Id: <199604122045.WAA11307@uriah.heep.sax.de>
Subject: Re: log_in_vain stuff
To: freebsd-current@FreeBSD.org (FreeBSD-current users)
Date: Fri, 12 Apr 1996 22:45:44 +0200 (MET DST)
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
In-Reply-To: <9391.829083934@critter.tfs.com> from "Poul-Henning Kamp" at Apr 9, 96 09:05:34 pm
X-Phone: +49-351-2012 669
X-Mailer: ELM [version 2.4 PL24 ME8a]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-current@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

As Poul-Henning Kamp wrote:

> > You need to figure out a way to rate-limit these messages, otherwise you
> > can trivially knock a box into the ground with a packet generator.
> syslogd should rate-limit, not the kernel.

It does, but you're sometimes overflowing the kernel message buffer
(as it seems to me), before syslog can fetch them all:

Apr 11 23:39:33 uriah /kernel: Connection attempt to UDP 127.0.0.1:32123 from 127.0.0.1:2079
Apr 11 23:39:33 uriah /kernel: n attempt to UDP 127.0.0.1:32123 from 127.0.0.1:2079
Apr 11 23:39:33 uriah /kernel: Connection attempt to UDP 127.0.0.1:32123 from 127.0.0.1:2079
Apr 11 23:39:33 uriah last message repeated 61 times
Apr 11 23:39:33 uriah /kernel: n attempt to UDP 127.0.0.1:32123 from 127.0.0.1:2079
Apr 11 23:39:33 uriah /kernel: Connection attempt to UDP 127.0.0.1:32123 from 127.0.0.1:2079
Apr 11 23:39:33 uriah last message repeated 61 times
Apr 11 23:39:33 uriah /kernel: n attempt to UDP 127.0.0.1:32123 from 127.0.0.1:2079
Apr 11 23:39:33 uriah /kernel: Connection attempt to UDP 127.0.0.1:32123 from 127.0.0.1:2079
Apr 11 23:39:33 uriah last message repeated 61 times
Apr 11 23:39:33 uriah /kernel: n attempt to UDP 127.0.0.1:32123 from 127.0.0.1:2079
Apr 11 23:39:33 uriah /kernel: Connection attempt to UDP 127.0.0.1:32123 from 127.0.0.1:2079
Apr 11 23:39:35 uriah last message repeated 557 times

This has been caused by a simple perl script that shot 1000 ``sendto''s
to port 32123.  You notice the crippled messages above, as well as the
fact that only 750 attempts out of 1000 have been logged at all.

-- 
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)