Date:      Fri, 30 Mar 2001 21:58:32 -0800 (PST)
From:      Tom <tom@uniserve.com>
To:        Nader Turki <nturki@adelphia.net>
Cc:        freebsd-questions@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject:   Re: Limiting closed port RST response
Message-ID:  <Pine.BSF.4.10.10103302152130.11153-100000@athena.uniserve.ca>
In-Reply-To: <3AC57013.7801BB31@adelphia.net>


On Sat, 31 Mar 2001, Nader Turki wrote:

> Mar 30 18:43:03 shell /kernel: Limiting closed port RST response from
> 1883 to 200 packets per second

  Someone/something is attempting to open a socket to a port that nothing is
listening on.  The standard response is to send a RST (reset).  This is
the usual sort of "Connection refused" type of response.

  Since the machine was sending 1883 RSTs per second, the kernel has
limited it to 200 packets per second.  This is a DoS defence built into
the kernel.

> Mar 30 20:56:03 shell /kernel: xl0: promiscuous mode enabled
> Mar 30 20:56:42 shell /kernel: xl0: promiscuous mode disabled

  Do you know what is doing this?  This should only happen when running an
ethernet sniffer like tcpdump.

...
> the isp is telling me that it's going out of the machine. nobody got
> root but me and even after i killed all the procs. it kept doing the
> same thing.

  You should find out what is attempting to open a port on your system.
It could be a SYN flood.  Your machine is responding by sending RSTs, as
it should.  Running tcpdump from the console, with everything shut down,
should tell exactly what it is.

  You can build a kernel that violates the standard, and does not send RST
in response to a SYN on a closed port.  It silently ignores it instead.
This would prevent the RST problem, but not stop the attack.

> hope someone can help me soon.
> 
> thanks,
> 
> nader


Tom
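
The two kernel messages discussed in this thread can be pulled out of a syslog file and summarised: how many RSTs per second the rate limit suppressed, and how long an interface stayed in promiscuous mode. This Python script is an added example, not part of the original e-mail; the sample log is constructed from the lines quoted above (the second RST line is invented), and the function names and the assumed year are illustrative.

```python
import re
from datetime import datetime

# Constructed sample: the message types quoted in the thread, with the wrapped
# RST line rejoined; the second RST line and its numbers are made up.
SAMPLE_LOG = """\
Mar 30 18:43:03 shell /kernel: Limiting closed port RST response from 1883 to 200 packets per second
Mar 30 18:43:04 shell /kernel: Limiting closed port RST response from 1650 to 200 packets per second
Mar 30 20:56:03 shell /kernel: xl0: promiscuous mode enabled
Mar 30 20:56:42 shell /kernel: xl0: promiscuous mode disabled
"""

RST_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ /kernel: Limiting closed port RST "
                    r"response from (\d+) to (\d+) packets per second$")
PROMISC_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ /kernel: (\w+): promiscuous mode (enabled|disabled)$")

def _ts(stamp, year):
    # syslog timestamps carry no year, so the caller supplies one
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def summarize(log_text, year=2001):
    """Return (rst_events, promiscuous_windows, interfaces_still_promiscuous)."""
    rst_events, windows, open_since = [], [], {}
    for line in log_text.splitlines():
        m = RST_RE.match(line)
        if m:
            demanded, limit = int(m.group(2)), int(m.group(3))
            rst_events.append({"time": _ts(m.group(1), year), "demanded": demanded,
                               "limit": limit, "suppressed": demanded - limit})
            continue
        m = PROMISC_RE.match(line)
        if m:
            when, iface, state = _ts(m.group(1), year), m.group(2), m.group(3)
            if state == "enabled":
                open_since.setdefault(iface, when)  # keep the earliest enable
            elif iface in open_since:
                start = open_since.pop(iface)
                windows.append((iface, start, (when - start).total_seconds()))
    return rst_events, windows, open_since

if __name__ == "__main__":
    rst, windows, still_on = summarize(SAMPLE_LOG)
    for e in rst:
        print(f"{e['time']}  {e['demanded']} RST/s wanted, {e['suppressed']} suppressed")
    for iface, start, secs in windows:
        print(f"{iface} promiscuous for {secs:.0f}s starting {start}")
    for iface, start in still_on.items():
        print(f"{iface} STILL promiscuous since {start}")
```

An interface left in the third return value was enabled with no matching "disabled" line, which means something was still capturing when the log ended.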

