From owner-freebsd-security  Tue Jan 21  8:38:31 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 50BF837B401
	for <freebsd-security@FreeBSD.ORG>; Tue, 21 Jan 2003 08:38:29 -0800 (PST)
Received: from dc.cis.okstate.edu (dc.cis.okstate.edu [139.78.100.219])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C123543F5B
	for <freebsd-security@FreeBSD.ORG>; Tue, 21 Jan 2003 08:38:28 -0800 (PST)
	(envelope-from martin@dc.cis.okstate.edu)
Received: from dc.cis.okstate.edu (localhost.cis.okstate.edu [127.0.0.1])
	by dc.cis.okstate.edu (8.12.6/8.12.6) with ESMTP id h0LGcSvD028812
	for <freebsd-security@FreeBSD.ORG>; Tue, 21 Jan 2003 10:38:28 -0600 (CST)
	(envelope-from martin@dc.cis.okstate.edu)
Message-Id: <200301211638.h0LGcSvD028812@dc.cis.okstate.edu>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second 
Date: Tue, 21 Jan 2003 10:38:28 -0600
From: Martin McCormick <martin@dc.cis.okstate.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Mike Tancsa writes:
>It could be a ping flood, but if its happening after named dies, its more 
>likely your kernel sending back messages to all the hosts asking for DNS 
>requests. i.e. since named is dead, you had 231 DNS requests coming in per 
>second.  The kernel, limits its response to the first 200 hosts, sending 
>back a message saying there is nothing listening on that port.

	That is extremely likely.  I don't know why named died as
it is usually as tough as iron, but we sometimes get over 400,000
requests per hour at peak times so this may have been the result
rather than the cause.  It is hard to tell exactly when the named
process stopped but it could have been as early as the first
messages. there have been no more ICMP limitations since I
restarted bind.

	Again, many thanks to all of you in the best UNIX
tradition.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message