From: Andy Farkas
Date: Wed, 22 Jan 2003 02:27:15 +1000 (EST)
To: Mike Tancsa
Cc: Tillman
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
Sender: owner-freebsd-security@FreeBSD.ORG

> > > On rare occasions, a FreeBSD system in our network has
> > > been known to print the example shown in the subject at a furious
> > > rate for a short time and then things get back to normal.
> > >
> > > Is that what the effects of a ping flood look like?
> > Yes, that's exactly what happens when ping-flooded. Note that only root can ping-flood.
> It could be a ping flood, but if it's happening after named dies, it's more
> likely your kernel sending back messages to all the hosts asking for DNS
> requests. i.e. since named is dead, you had 231 DNS requests coming in per
> second. The kernel limits its response to the first 200 hosts, sending
> back a message saying there is nothing listening on that port.

He is talking about icmp packets - nothing to do with named.

--
:{ andyf@speednet.com.au

Andy Farkas
System Administrator
Speednet Communications
http://www.speednet.com.au/
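
Added example, not part of the original message or of FreeBSD: a small log triage script that groups the kernel's rate-limit messages (the one quoted in the subject line) into bursts, so a short spike can be correlated with events such as a daemon dying. The syslog line layout, hostname, timestamps and year are assumptions, and it assumes each message covers a one-second window.

```python
import re
from datetime import datetime, timedelta

# Matches the kernel message quoted in the subject line; the "kind" group
# is "icmp unreach" there. The syslog prefix layout is an assumption.
LIMIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S*kernel: "
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) to (?P<cap>\d+) "
    r"packets per second"
)

# Constructed sample log lines (hostname, times and the named line are made up).
SAMPLE_LOG = """\
Jan 21 08:14:02 gw /kernel: Limiting icmp unreach response from 231 to 200 packets per second
Jan 21 08:14:03 gw /kernel: Limiting icmp unreach response from 412 to 200 packets per second
Jan 21 08:14:04 gw /kernel: Limiting icmp unreach response from 260 to 200 packets per second
Jan 21 08:14:05 gw named[211]: starting
Jan 21 09:40:17 gw /kernel: Limiting icmp unreach response from 205 to 200 packets per second
""".splitlines()

def parse_events(lines, year=2003):
    """Return (time, kind, seen, cap) for each rate-limit message."""
    events = []
    for line in lines:
        m = LIMIT_RE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((when, m["kind"], int(m["seen"]), int(m["cap"])))
    return events

def bursts(events, max_gap=timedelta(seconds=5)):
    """Merge consecutive same-kind messages at most max_gap apart into bursts."""
    out = []
    for when, kind, seen, cap in sorted(events):
        last = out[-1] if out else None
        if last and last["kind"] == kind and when - last["end"] <= max_gap:
            last["end"] = when
            last["peak"] = max(last["peak"], seen)
            # Assumes one message per one-second window.
            last["suppressed"] += seen - cap
        else:
            out.append({"kind": kind, "start": when, "end": when,
                        "peak": seen, "suppressed": seen - cap})
    return out

if __name__ == "__main__":
    for b in bursts(parse_events(SAMPLE_LOG)):
        print(b["start"], b["kind"], "peak", b["peak"], "pps,",
              b["suppressed"], "replies suppressed")
```
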