From: Ludwig Pummer
To: Kiril Mitev, freebsd-questions@freebsd.org
Date: Wed, 12 May 1999 17:58:08 -0700
Subject: Re: ICMP bandwidth limiter

At 03:39 AM 5/12/1999, Kiril Mitev wrote:
>Hi,
>
>this came up on the console, presumably because
>I have the ICMP_BANDLIM option in my kernel:
>
>icmp-response bandwidth limit 118/100 pps
>icmp-response bandwidth limit 106/100 pps
>icmp-response bandwidth limit 101/100 pps
>icmp-response bandwidth limit 112/100 pps
>icmp-response bandwidth limit 120/100 pps
>.......
>
>which sort of raises a few questions :-)
>
>1. is there any way of raising the built-in limit
>to, say, 120 (whatever that number means), and if yes,
>is there a risk of being "pinged-out"?
>2. is there any way of catching the IP from which
>the flood ping is coming?
>3. should I ask on -security?

When I upgraded to 3.1-S and looked through the kernel config and saw this, I became interested (mostly because there didn't seem to be any tunable options). I searched the mailing list archives (-questions, -stable, -current, -isp) and found a thread where ICMP_BANDLIM was being discussed. IIRC, it doesn't need to be tunable.
ICMP_BANDLIM limits only ICMP error messages, like (I think) port unreachable or network unreachable or something like that (pings are echo messages). The only time (in my considerably short experience with this option enabled) when I saw this come up was when I was doing a nessus port scan of one machine. The machine doing the scanning kept printing these messages. You could probably run tcpdump and friends and see where it's coming from.

What would you ask -security?

--Ludwig Pummer ( ludwigp@bigfoot.com ) ICQ UIN: 692441
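The "run tcpdump and see where it's coming from" suggestion, worked through as an added example (not code from the thread or from FreeBSD): it reads tcpdump -n text output, keeps only the ICMP unreachable messages this host sends, counts them per second and per destination, and reports any peer that pushed the host past the 100 pps limit shown in the console lines. The tcpdump line format, the addresses and the capture itself are constructed assumptions.

```python
"""Find the peer driving a host's ICMP error responses from tcpdump -n output."""
import re
from collections import Counter

LIMIT_PPS = 100          # the "/100 pps" limit in the quoted console lines
LOCAL_IP = "192.0.2.10"  # constructed address for the host being scanned

# Assumed modern tcpdump -n syntax; one ICMP unreachable message per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP .*? unreachable"
)

def make_sample():
    """Constructed capture: a scanner at 203.0.113.5 triggers 118 port
    unreachables in one second; a second peer stays well under the limit."""
    lines = []
    for i in range(118):
        lines.append(f"00:57:49.{i:06d} IP {LOCAL_IP} > 203.0.113.5: "
                     f"ICMP {LOCAL_IP} udp port {i + 1} unreachable, length 36")
    for i in range(3):
        lines.append(f"00:57:49.{500000 + i:06d} IP {LOCAL_IP} > 198.51.100.7: "
                     f"ICMP {LOCAL_IP} udp port 161 unreachable, length 36")
    # Inbound errors and echo replies are not what ICMP_BANDLIM counts; ignore them.
    lines.append(f"00:57:49.700000 IP 203.0.113.5 > {LOCAL_IP}: "
                 f"ICMP 203.0.113.5 udp port 53 unreachable, length 36")
    lines.append(f"00:57:49.800000 IP {LOCAL_IP} > 203.0.113.5: "
                 f"ICMP echo reply, id 1, seq 1, length 64")
    return "\n".join(lines)

def count_unreachables(text, local_ip=LOCAL_IP):
    """Counter keyed by (second, destination) for unreachables sent by local_ip."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("src") == local_ip:
            counts[(m.group("ts"), m.group("dst"))] += 1
    return counts

def offenders(counts, limit=LIMIT_PPS):
    """Map destination -> (second, peak count) for peers that exceeded limit."""
    peak = {}
    for (second, dst), n in counts.items():
        if n > limit and n > peak.get(dst, ("", 0))[1]:
            peak[dst] = (second, n)
    return peak

if __name__ == "__main__":
    for dst, (sec, n) in offenders(count_unreachables(make_sample())).items():
        print(f"{sec} {dst}: {n}/{LIMIT_PPS} pps")
```

On a live box the same logic applies to `tcpdump -n -l icmp` piped into the script, with LOCAL_IP set to the host's own address.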