Date: Mon, 28 Aug 2000 11:12:54 -0700 From: Alfred Perlstein <bright@wintelcom.net> To: "Col.Panic" <panic@satan.antix.org> Cc: freebsd-security@FreeBSD.ORG Subject: Re: your mail (fwd) Message-ID: <20000828111254.S1209@fw.wintelcom.net> In-Reply-To: <Pine.BSF.4.21.0008281105250.60987-100000@satan.antix.org>; from panic@satan.antix.org on Mon, Aug 28, 2000 at 11:09:02AM -0700 References: <Pine.BSF.4.21.0008281105250.60987-100000@satan.antix.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> > Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps > > Sep 19 00:17:57 shell /kernel: icmp-response bandwidth limit 3503/200 pps > > Sep 19 00:17:58 shell /kernel: icmp-response bandwidth limit 3505/200 pps > > Sep 19 00:17:59 shell /kernel: icmp-response bandwidth limit 3502/200 pps * Col.Panic <panic@satan.antix.org> [000828 11:09] wrote: > I have an interesting appendage to add to this answer. I have ICMP shut > down at the router, and I get the same messages from my new 4.1-STABLE > system. I can understand if somebody is spoofing ICMP packets, but if > they are, how are the replies getting to my machine? > > I've looked into it, and there isn't anybody logged into the machine for > when this occurs. I'm at a loss. It's an icmp _response_ limit, meaning it limits the amount of icmp error messages your machine will generate in repsonse to bogus connections or listen queue overflows. most likely an ACK/SYN attack of some sort or a server unable to handle its listen queue (incomiming connections) -Alfred To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000828111254.S1209>