Date: Tue, 21 Jan 2003 10:48:58 -0600 (CST)
From: Mike Silbersack
To: Martin McCormick
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
In-Reply-To: <200301211600.h0LG08vD022507@dc.cis.okstate.edu>
Message-ID: <20030121104626.Y2194-100000@patrocles.silby.com>
References: <200301211600.h0LG08vD022507@dc.cis.okstate.edu>

On Tue, 21 Jan 2003, Martin McCormick wrote:

> On rare occasions, a FreeBSD system in our network has
> been known to print the example shown in the subject at a furious
> rate for a short time and then things get back to normal.
>
> Is that what the effects of a ping flood look like?
>
> On one system running bind9, the named process died after
> the syslog message said that packets had reached 243 per second,
> but I was able to restart it within seconds of its crash.
> Only the named process crashed, not the system.
>
> Any ideas as to what this is?
>
> Martin McCormick WB5AGZ Stillwater, OK
> OSU Center for Computing and Information Services Network Operations Group

This is not a ping flood, as others have reported. ICMP unreach packets
are sent in response to incoming UDP packets to a port which has no
service running on it. Here's what's happening:

1. BIND crashes.
2. DNS requests keep coming in, at a rate of 231 per second.
3. FreeBSD limits the number of icmp unreach responses, and tells you.
4. You restart BIND, and messages go away.

I can't answer why step #1 occurred, but I can assure you that #2 through
#4 are natural results of #1, and are nothing to worry about.

Mike "Silby" Silbersack
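Added example, not part of the original message: a small log parser that groups the kernel's rate-limit messages into bursts, so each burst can be lined up against an outage of the UDP service (here, named) as the reply describes. The syslog prefix, host name and sample lines are constructed assumptions; only the message text and the 231/243/200 figures come from the thread.

```python
import re
from datetime import datetime, timedelta

# Message text is the one quoted in the thread subject; the syslog prefix
# (timestamp, host, "/kernel:") is an assumed layout.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S*kernel: "
    r"Limiting icmp unreach response from (?P<seen>\d+) to (?P<limit>\d+) "
    r"packets per second"
)

# Constructed sample log (host name, times and the named line are made up).
SAMPLE_LOG = """\
Jan 21 08:30:01 ns1 /kernel: Limiting icmp unreach response from 231 to 200 packets per second
Jan 21 08:30:02 ns1 /kernel: Limiting icmp unreach response from 243 to 200 packets per second
Jan 21 08:30:03 ns1 /kernel: Limiting icmp unreach response from 238 to 200 packets per second
Jan 21 08:30:09 ns1 named[412]: starting
Jan 21 09:15:40 ns1 /kernel: Limiting icmp unreach response from 205 to 200 packets per second
""".splitlines()


def find_bursts(lines, year=2003, max_gap=timedelta(seconds=5)):
    """Group rate-limit messages that are at most max_gap apart into bursts."""
    bursts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a rate-limit message
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen, limit = int(m["seen"]), int(m["limit"])
        if bursts and ts - bursts[-1]["end"] <= max_gap:
            bursts[-1]["end"] = ts
            bursts[-1]["peak_pps"] = max(bursts[-1]["peak_pps"], seen)
        else:
            bursts.append({"start": ts, "end": ts, "peak_pps": seen, "limit": limit})
    return bursts


def describe(burst):
    """One-line summary pointing at what to check: the UDP service itself."""
    secs = int((burst["end"] - burst["start"]).total_seconds()) + 1
    return (f"{burst['start']:%b %d %H:%M:%S}: rate limiting for ~{secs}s, "
            f"peak {burst['peak_pps']} pps (limit {burst['limit']}); "
            f"check that the expected UDP service was listening")


if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LOG):
        print(describe(b))
```

A burst that starts when the service stops and ends when it is restarted matches the sequence in the reply; a burst with the service up the whole time is traffic to some other closed port and deserves a closer look.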