From owner-freebsd-questions Fri Mar 30 21:58:41 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail2.uniserve.com (mail2.uniserve.com [204.244.156.10]) by hub.freebsd.org (Postfix) with ESMTP id D4DB737B71A; Fri, 30 Mar 2001 21:58:36 -0800 (PST) (envelope-from tom@uniserve.com)
Received: from mail2.uniserve.com ([204.244.156.10]) by mail2.uniserve.com with esmtp (Exim 3.13 #1) id 14jEPA-0006EH-00; Fri, 30 Mar 2001 21:58:32 -0800
Date: Fri, 30 Mar 2001 21:58:32 -0800 (PST)
From: Tom
X-Sender: tom@athena.uniserve.ca
To: Nader Turki
Cc: freebsd-questions@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: Limiting closed port RST response
In-Reply-To: <3AC57013.7801BB31@adelphia.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, 31 Mar 2001, Nader Turki wrote:

> Mar 30 18:43:03 shell /kernel: Limiting closed port RST response from
> 1883 to 200 packets per second

Someone/something is attempting to open a socket to a port that nothing is listening on. The standard response is to send a RST (reset). This is the usual sort of "Connection refused" type of response. Since the machine was sending 1883 RSTs per second, the kernel has limited it to 200 packets per second. This is a DoS defence built into the kernel.

> Mar 30 20:56:03 shell /kernel: xl0: promiscuous mode enabled
> Mar 30 20:56:42 shell /kernel: xl0: promiscuous mode disabled

Do you know what is doing this? This should only happen when running an ethernet sniffer like tcpdump.

...

> the isp is telling me that it's going out of the machine. nobody got
> root but me and even after i killed all the procs. it kept doing the
> same thing.

You should find out what is attempting to open a port on your system. It could be a SYN flood. Your machine is responding by sending RSTs, as it should. Running tcpdump from the console, with everything shut down, should tell exactly what it is.

You can build a kernel that violates the standard, and does not send RST in response to a SYN on a closed port. It silently ignores it instead. This would prevent the RST problem, but not stop the attack.

> hope someone can help me soon.
>
> thanks,
>
> nader

Tom
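
The kernel messages quoted in this thread can be picked out of a log mechanically. The following is an added example, not part of the original message: a Python scanner that extracts the RST rate-limit events and pairs promiscuous-mode enable/disable messages per interface, flagging any interface left enabled. The sample log is constructed from the lines quoted above plus one made-up final line, and the function name `scan` is an assumption of this example.

```python
import re

# Constructed sample: the first three lines are the ones quoted in the message;
# the last line is made up to show an interface left in promiscuous mode.
SAMPLE_LOG = """\
Mar 30 18:43:03 shell /kernel: Limiting closed port RST response from 1883 to 200 packets per second
Mar 30 20:56:03 shell /kernel: xl0: promiscuous mode enabled
Mar 30 20:56:42 shell /kernel: xl0: promiscuous mode disabled
Mar 30 21:10:15 shell /kernel: xl0: promiscuous mode enabled
"""

# Syslog prefix as it appears in the quoted lines: timestamp, host, "/kernel:".
PREFIX = r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s/kernel:\s"
RST_RE = re.compile(PREFIX + r"Limiting closed port RST response from "
                    r"(?P<seen>\d+) to (?P<limit>\d+) packets per second")
PROMISC_RE = re.compile(PREFIX + r"(?P<ifname>\w+): promiscuous mode "
                        r"(?P<state>enabled|disabled)")


def scan(log_text):
    """Return (rst_events, promisc_windows, still_promisc)."""
    rst_events = []   # (timestamp, RSTs/s the kernel wanted to send, cap)
    windows = []      # (ifname, enabled_at, disabled_at)
    open_since = {}   # ifname -> timestamp of an unmatched "enabled"
    for line in log_text.splitlines():
        m = RST_RE.match(line)
        if m:
            rst_events.append((m["ts"], int(m["seen"]), int(m["limit"])))
            continue
        m = PROMISC_RE.match(line)
        if not m:
            continue
        if m["state"] == "enabled":
            # Keep the earliest unmatched "enabled" for this interface.
            open_since.setdefault(m["ifname"], m["ts"])
        elif m["ifname"] in open_since:
            windows.append((m["ifname"], open_since.pop(m["ifname"]), m["ts"]))
    return rst_events, windows, open_since


if __name__ == "__main__":
    rst, windows, still_on = scan(SAMPLE_LOG)
    for ts, seen, limit in rst:
        print(f"{ts}: {seen} RST/s wanted, capped at {limit} ({seen - limit} suppressed)")
    for ifname, start, end in windows:
        print(f"{ifname}: promiscuous {start} -> {end}")
    for ifname, start in still_on.items():
        print(f"{ifname}: promiscuous since {start}, never disabled")
```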