Date: Tue, 12 Nov 2002 21:11:43 -0600 (CST)
From: Mike Silbersack <silby@silby.com>
To: Tony Finch
Cc: freebsd-net@freebsd.org
Subject: Re: forwarded message on Source Quench Packets.
Message-ID: <20021112210823.U5029-100000@patrocles.silby.com>

On Tue, 12 Nov 2002, Tony Finch wrote:

> Mike Silbersack wrote:
>
> > I can see how these source quench messages would cause problems if a DoS
> > is being routed through a FreeBSD router, and I think that your patch
> > makes sense. Are there any objections to me committing this in a few
> > days?
>
> Doesn't FreeBSD rate-limit ICMP as required by the RFC? If there is a
> bug it's that the rate-limiting isn't happening, not that source-quench
> packets are being generated. If it's important that FreeBSD routers not
> generate them then it should be a sysctl option.
>
> Tony.

FreeBSD the host rate limits some ICMP packets. FreeBSD the router doesn't have any rate limiting implemented. Using the same function to limit both would be easy, but separate buckets and limits would have to be created, as the limits for a router would presumably need to be higher.

What I'm going to do is make the source quench packets a sysctl which defaults to off. If you want to investigate the possibility of ratelimiting other responses, you're quite welcome to do so; only minor modifications to badport_bandlim will be necessary. The concerns I have are that some responses (such as need frag) might be harmful to rate limit, so examine every case carefully.

Mike "Silby" Silbersack
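The discussion above turns on three design points: separate buckets with different limits for host-generated and router-generated ICMP, a source quench knob that defaults to off, and response types such as "need fragmentation" that must never be suppressed. The following C program is an added illustration written for this archive page; it is not FreeBSD's badport_bandlim and is not code from either poster. The class names, the per-class limits, the millisecond window and the `simulate_burst` helper are all assumptions chosen for the example. It models each response class as its own counting bucket, treats a zero limit as "disabled (sysctl off)" and a negative limit as "unlimited", and uses an explicit clock argument so the behaviour is deterministic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Response classes, each with its own bucket. Hypothetical names, not FreeBSD's. */
enum icmp_class {
    ICMP_CLASS_HOST_UNREACH = 0,   /* replies a host sends, e.g. port unreachable      */
    ICMP_CLASS_ROUTER_UNREACH,     /* unreachables generated on the forwarding path   */
    ICMP_CLASS_SOURCE_QUENCH,      /* source quench: limit 0 == sysctl off (default)  */
    ICMP_CLASS_NEED_FRAG,          /* need-frag: limit < 0 == never rate limited      */
    ICMP_CLASS_COUNT
};

/* One counting bucket: at most `limit` responses per `window_ms`. */
struct icmp_bucket {
    const char *name;
    int         limit;            /* >0 cap per window, 0 disabled, <0 unlimited */
    int         window_ms;        /* window length in milliseconds               */
    int         count;            /* responses sent in the current window        */
    int64_t     window_start_ms;  /* start of the current window                 */
    int         dropped;          /* responses suppressed so far                 */
};

/* Constructed defaults: the router bucket is deliberately more generous. */
static struct icmp_bucket buckets[ICMP_CLASS_COUNT] = {
    { "host-unreach",   200,  1000, 0, 0, 0 },
    { "router-unreach", 1000, 1000, 0, 0, 0 },
    { "source-quench",  0,    1000, 0, 0, 0 },
    { "need-frag",      -1,   1000, 0, 0, 0 },
};

/* Decide whether one response of class c may be sent at time now_ms. */
bool icmp_bandlim_allow(enum icmp_class c, int64_t now_ms)
{
    struct icmp_bucket *b = &buckets[c];

    if (b->limit < 0)                 /* unlimited: never suppress */
        return true;
    if (b->limit == 0) {              /* disabled: never send */
        b->dropped++;
        return false;
    }
    if (now_ms - b->window_start_ms >= b->window_ms) {   /* new window */
        b->window_start_ms = now_ms;
        b->count = 0;
    }
    if (b->count >= b->limit) {       /* over budget for this window */
        b->dropped++;
        return false;
    }
    b->count++;
    return true;
}

/* Equivalent of flipping the per-class sysctl at run time. */
void icmp_bandlim_set_limit(enum icmp_class c, int limit)
{
    buckets[c].limit = limit;
}

int icmp_bandlim_dropped(enum icmp_class c)
{
    return buckets[c].dropped;
}

/* Offer n responses of class c at the same instant; return how many were allowed. */
int simulate_burst(enum icmp_class c, int n, int64_t now_ms)
{
    int allowed = 0;
    for (int i = 0; i < n; i++)
        if (icmp_bandlim_allow(c, now_ms))
            allowed++;
    return allowed;
}

int main(void)
{
    /* Constructed burst: 1500 triggers of every class at t=0. */
    for (int c = 0; c < ICMP_CLASS_COUNT; c++) {
        int sent = simulate_burst((enum icmp_class)c, 1500, 0);
        printf("%-15s limit=%5d sent=%5d dropped=%5d\n",
               buckets[c].name, buckets[c].limit, sent, buckets[c].dropped);
    }
    return 0;
}
```

Running it shows the host bucket capping at its limit while the router bucket admits more, source quench emitting nothing until its limit is raised, and need-frag passing every request, which is the "examine every case" caveat made concrete: a class whose suppression breaks path MTU discovery is kept out of the limiter entirely rather than given a high number.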