Date:      Tue, 21 Jan 2003 11:24:24 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        Tillman <tillman@seekingfire.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: Limiting icmp unreach response from 231 to 200 packets per second
Message-ID:  <5.2.0.9.0.20030121111802.060ee170@marble.sentex.ca>
In-Reply-To: <20030121101357.A9405@seekingfire.com>
References:  <200301211600.h0LG08vD022507@dc.cis.okstate.edu> <200301211600.h0LG08vD022507@dc.cis.okstate.edu>

At 10:13 AM 21/01/2003 -0600, Tillman wrote:
>On Tue, Jan 21, 2003 at 10:00:08AM -0600, Martin McCormick wrote:
> >       On rare occasions, a FreeBSD system in our network has
> > been known to print the example shown in the subject at a furious
> > rate for a short time and then things get back to normal.
> >
> >       Is that what the effects of a ping flood look like?
>
>``Limiting icmp unreach response from 231 to 200 packets per second''
>
>What you're seeing is the kernel limiting ICMP responses to 200/second.
>If there are more than 200 ICMP requests per second, and you have
>net.inet.icmp.icmplim set to 200 via sysctl (the default value), this
>occurs.


It could be a ping flood, but if it's happening after named dies, it's more 
likely your kernel sending back messages to all the hosts asking for DNS 
requests. i.e. since named is dead, you had 231 DNS requests coming in per 
second.  The kernel limits its response to the first 200 hosts, sending 
back a message saying there is nothing listening on that port.


         ---Mike
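
Added example, not part of the original thread: a small Python triage script that parses these kernel rate-limit messages and groups them by response type, to help tell the two cases discussed above apart (unreachable replies for a dead listener versus echo replies under a ping flood). The log lines, the host name `ns1`, and the "icmp ping" type string are constructed assumptions; only the "icmp unreach" message text comes from the thread.

```python
import re
from collections import defaultdict

# Message shape as quoted in the thread's subject line:
#   "Limiting <type> response from <seen> to <limit> packets per second"
LIMIT_RE = re.compile(
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) to (?P<limit>\d+) packets per second"
)

# Constructed sample log (timestamps, host name and counts are made up).
SAMPLE_LOG = """\
Jan 21 09:58:01 ns1 /kernel: Limiting icmp unreach response from 231 to 200 packets per second
Jan 21 09:58:02 ns1 /kernel: Limiting icmp unreach response from 260 to 200 packets per second
Jan 21 09:58:03 ns1 /kernel: Limiting icmp unreach response from 215 to 200 packets per second
Jan 21 10:40:17 ns1 /kernel: Limiting icmp ping response from 912 to 200 packets per second
Jan 21 10:40:18 ns1 sshd[411]: unrelated line
"""

# Interpretation hints following the thread; "icmp ping" is an assumed type name.
HINTS = {
    "icmp unreach": "traffic to a port with no listener (e.g. a dead daemon)",
    "icmp ping": "echo requests above the limit (possible ping flood)",
}

def summarize(log_text):
    """Return per-type counters: events, peak rate, limit, responses not sent."""
    stats = defaultdict(lambda: {"events": 0, "peak": 0, "limit": 0, "suppressed": 0})
    for line in log_text.splitlines():
        m = LIMIT_RE.search(line)
        if not m:
            continue  # not a rate-limit message
        seen, limit = int(m["seen"]), int(m["limit"])
        s = stats[m["kind"]]
        s["events"] += 1
        s["peak"] = max(s["peak"], seen)
        s["limit"] = limit
        s["suppressed"] += seen - limit  # responses the kernel dropped in that second
    return dict(stats)

def report(stats):
    """Format one summary line per response type, with an interpretation hint."""
    return [
        f"{kind}: {s['events']} events, peak {s['peak']}/s (limit {s['limit']}), "
        f"{s['suppressed']} suppressed -> {HINTS.get(kind, 'unclassified response type')}"
        for kind, s in sorted(stats.items())
    ]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```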

