Date: Tue, 21 Jan 2003 11:24:24 -0500
From: Mike Tancsa
To: Tillman, freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second

At 10:13 AM 21/01/2003 -0600, Tillman wrote:
>On Tue, Jan 21, 2003 at 10:00:08AM -0600, Martin McCormick wrote:
> >       On rare occasions, a FreeBSD system in our network has
> > been known to print the example shown in the subject at a furious
> > rate for a short time and then things get back to normal.
> >
> >       Is that what the effects of a ping flood look like?
>
>``Limiting icmp unreach response from 231 to 200 packets per second''
>
>What you're seeing is the kernel limiting ICMP responses to 200/second.
>If there are more than 200 ICMP requests per second, and you have
>net.inet.icmp.icmplim set to 200 via sysctl (the default value), this
>occurs.

It could be a ping flood, but if it's happening after named dies, it's more likely your kernel sending back messages to all the hosts asking for DNS requests. I.e., since named is dead, you had 231 DNS requests coming in per second. The kernel limits its response to the first 200 hosts, sending back a message saying there is nothing listening on that port.

        ---Mike
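
Added example, not part of the original message or of FreeBSD's own code: a parser for the kernel message quoted in this thread that groups the messages into bursts and totals the replies withheld by the limit. The syslog prefix, the host name `ns1`, the sample lines, the assumed year and the 5-second burst gap are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Message shape as quoted in the thread; the syslog prefix before it is assumed.
LIMIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?"
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) to (?P<limit>\d+) "
    r"packets per second"
)

# Constructed sample log lines (not captured from a real host).
SAMPLE = """\
Jan 21 09:58:01 ns1 /kernel: pid 312 (named), uid 0: exited on signal 11
Jan 21 09:58:02 ns1 /kernel: Limiting icmp unreach response from 231 to 200 packets per second
Jan 21 09:58:03 ns1 /kernel: Limiting icmp unreach response from 260 to 200 packets per second
Jan 21 09:58:04 ns1 /kernel: Limiting icmp unreach response from 215 to 200 packets per second
Jan 21 10:30:10 ns1 /kernel: Limiting icmp unreach response from 205 to 200 packets per second
""".splitlines()

def parse_limit_events(lines, year=2003):
    """Return (time, kind, seen, limit) for each rate-limit message."""
    events = []
    for line in lines:
        m = LIMIT_RE.search(line)
        if m:
            # Classic syslog timestamps carry no year, so an assumed one is supplied.
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((when, m["kind"], int(m["seen"]), int(m["limit"])))
    return events

def group_bursts(events, max_gap=timedelta(seconds=5)):
    """Merge messages of the same kind that are at most max_gap apart."""
    bursts, current = [], {}
    for when, kind, seen, limit in sorted(events):
        b = current.get(kind)
        if b is None or when - b["end"] > max_gap:
            b = current[kind] = {"kind": kind, "start": when, "end": when,
                                 "peak": 0, "suppressed": 0, "messages": 0}
            bursts.append(b)
        b["end"] = when
        b["peak"] = max(b["peak"], seen)
        b["suppressed"] += seen - limit  # replies withheld in that second
        b["messages"] += 1
    return bursts

if __name__ == "__main__":
    for b in group_bursts(parse_limit_events(SAMPLE)):
        print(b["kind"], b["start"], b["end"], b["peak"], b["suppressed"])
```

A short burst that begins right after a listener exits fits the closed-port explanation given in the reply; the configured ceiling itself can be read with `sysctl net.inet.icmp.icmplim`.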