From owner-freebsd-security Tue Jan 21 8:29:33 2003
Date: Tue, 21 Jan 2003 10:32:18 -0600
From: Tillman
To: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
Message-ID: <20030121103218.C9405@seekingfire.com>
References: <5.2.0.9.0.20030121111802.060ee170@marble.sentex.ca> <20030122022350.A54298-100000@hewey.af.speednet.com.au>
In-Reply-To: <20030122022350.A54298-100000@hewey.af.speednet.com.au>; from andyf@speednet.com.au on Wed, Jan 22, 2003 at 02:27:15AM +1000

On Wed, Jan 22, 2003 at 02:27:15AM +1000, Andy Farkas wrote:
>
> > > > On rare occasions, a FreeBSD system in our network has
> > > > been known to print the example shown in the subject at a furious
> > > > rate for a short time and then things get back to normal.
> > > >
> > > > Is that what the effects of a ping flood look like?
> >
> > > Yes, that's exactly what happens when ping-flooded.
> >
> > Note that only root can ping-flood.
> >
> > > It could be a ping flood, but if it's happening after named dies, it's more
> > > likely your kernel sending back messages to all the hosts asking for DNS
> > > requests. i.e. since named is dead, you had 231 DNS requests coming in per
> > > second. The kernel limits its response to the first 200 hosts, sending
> > > back a message saying there is nothing listening on that port.
>
> He is talking about icmp packets - nothing to do with named.

Yes, it is. TCP issues a tcp reset packet when the port is unavailable - UDP
can't do that, so it issues an ICMP port unreachable (which is what he was
limiting). It wasn't an ICMP echo response, which would be the typical response
to a ping flood.

-T

--
"Our opinions become fixed at the point where we stopped thinking." - Renan
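As an added example (not part of the thread), a small Python triage script that does what the thread's diagnosis suggests: it parses the kernel's "Limiting icmp unreach response from N to M packets per second" messages, works out how many ICMP port unreachables per second were suppressed, and checks whether named exited shortly before, which is the dead-resolver case Andy describes. The kernel message text comes from the subject line; the syslog prefix, the named "exiting" line, the hostname and the timestamps are constructed samples.

```python
import re
from datetime import datetime, timedelta

# Kernel message wording is from the thread; the syslog prefix and the
# named lines below are constructed sample input, not real log data.
LIMIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"Limiting icmp unreach response from (?P<seen>\d+) to (?P<cap>\d+) "
    r"packets per second"
)
NAMED_EXIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: exiting"
)

def _parse_ts(s, year=2003):
    # syslog timestamps carry no year; assume one so we can do arithmetic
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")

def analyze(lines, window=timedelta(minutes=5)):
    """One record per rate-limit message: offered rate, cap, suppressed
    ICMP unreachables per second, and whether named exited within `window`
    before the message (UDP/53 to a closed port then draws unreachables)."""
    named_exits = []
    for line in lines:
        m = NAMED_EXIT_RE.match(line)
        if m:
            named_exits.append(_parse_ts(m["ts"]))
    events = []
    for line in lines:
        m = LIMIT_RE.match(line)
        if not m:
            continue
        ts = _parse_ts(m["ts"])
        seen, cap = int(m["seen"]), int(m["cap"])
        events.append({
            "time": ts, "offered": seen, "cap": cap,
            "suppressed_per_sec": seen - cap,
            "named_died_recently": any(timedelta(0) <= ts - t <= window
                                       for t in named_exits),
        })
    return events

SAMPLE_LOG = """\
Jan 21 10:14:58 fw named[412]: exiting
Jan 21 10:15:03 fw kernel: Limiting icmp unreach response from 231 to 200 packets per second
Jan 21 10:15:04 fw kernel: Limiting icmp unreach response from 240 to 200 packets per second
Jan 21 11:40:10 fw kernel: Limiting icmp unreach response from 215 to 200 packets per second
""".splitlines()

if __name__ == "__main__":
    for e in analyze(SAMPLE_LOG):
        cause = ("named just exited: likely DNS queries hitting a closed UDP port"
                 if e["named_died_recently"] else
                 "no named exit nearby: look for other UDP traffic to closed ports")
        print(f"{e['time']:%H:%M:%S} offered={e['offered']} cap={e['cap']} "
              f"suppressed={e['suppressed_per_sec']}/s  {cause}")
```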