Date:      Wed, 26 Jan 2000 20:55:50 -0700 (MST)
From:      Brett Glass <brett@lariat.org>
To:        security@freebsd.org
Subject:   Riddle me this
Message-ID:  <200001270355.UAA01355@lariat.lariat.org>

A fellow here in town asked me to look at a machine which he thought had been
attacked. Sure enough, when I checked the logs, I saw

Jan 24 19:18:59 victim /kernel: icmp-response bandwidth limit 108/100 pps
Jan 24 19:19:37 victim /kernel: icmp-response bandwidth limit 115/100 pps
Jan 24 19:19:38 victim /kernel: icmp-response bandwidth limit 131/100 pps
Jan 24 19:19:39 victim /kernel: icmp-response bandwidth limit 135/100 pps
Jan 24 19:19:40 victim /kernel: icmp-response bandwidth limit 104/100 pps
Jan 24 19:20:12 victim /kernel: icmp-response bandwidth limit 146/100 pps
Jan 24 19:20:13 victim /kernel: icmp-response bandwidth limit 127/100 pps
Jan 24 19:20:14 victim /kernel: icmp-response bandwidth limit 127/100 pps
Jan 24 19:20:15 victim /kernel: icmp-response bandwidth limit 118/100 pps

which means that ICMP bandwidth limiting had kicked in. Probably stream.c, I
thought. While this seemed to be keeping the system alive, I noted that the
machine was also acting as a router for a private subnet with some Windows
machines on it.  So, since multicast IP wasn't in use, I added IPFW rules that
blocked multicast addresses on all interfaces:

00049 deny ip from 224.0.0.0/4 to any via any
00050 deny ip from any to 224.0.0.0/4 via any

So far, so good. But a couple of days later, when I checked the logs, I saw:

Jan 26 15:23:49 victim natd[125]: failed to write packet back (No route to host)

Maybe I'm just dense this evening and the cause of the message is obvious, but
I can't figure out what would have generated this message. The system has a
static default route to the upstream ISP's router.

Is this a side effect of the rules I added? Or of something else?

--Brett Glass
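As an added illustration (not part of Brett's message or of FreeBSD), here is a small triage script for the two kinds of log line quoted above: it parses the kernel's "icmp-response bandwidth limit N/M pps" messages, groups them into bursts of consecutive seconds so sustained suppression stands out from an isolated blip, and counts natd "failed to write packet back" errors. The sample lines are constructed in that format, and the year is assumed to be 2000 because syslog stamps carry none.

```python
import re
from datetime import datetime

# Constructed sample in the format of the kernel and natd lines quoted above
# (not the original log file).
SAMPLE_LOG = """\
Jan 24 19:18:59 victim /kernel: icmp-response bandwidth limit 108/100 pps
Jan 24 19:19:37 victim /kernel: icmp-response bandwidth limit 115/100 pps
Jan 24 19:19:38 victim /kernel: icmp-response bandwidth limit 131/100 pps
Jan 24 19:19:39 victim /kernel: icmp-response bandwidth limit 135/100 pps
Jan 24 19:19:40 victim /kernel: icmp-response bandwidth limit 104/100 pps
Jan 26 15:23:49 victim natd[125]: failed to write packet back (No route to host)
"""
STAMP = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
ICMP_RE = re.compile(STAMP + r"/kernel: icmp-response bandwidth limit (\d+)/(\d+) pps$")
NATD_RE = re.compile(STAMP + r"natd\[\d+\]: failed to write packet back \((.*)\)$")

def parse_ts(stamp, year):
    # syslog stamps carry no year, so the caller supplies one (assumed 2000 here).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def summarize(log_text, year=2000, max_gap=1):
    """Count icmp-response limiting events, group them into bursts of events
    no more than max_gap seconds apart, and count natd write failures."""
    events, natd_errors = [], []
    for line in log_text.splitlines():
        if m := ICMP_RE.match(line):
            events.append((parse_ts(m[1], year), int(m[2]), int(m[3])))
        elif m := NATD_RE.match(line):
            natd_errors.append((parse_ts(m[1], year), m[2]))
    bursts = []
    for ev in events:
        if bursts and (ev[0] - bursts[-1][-1][0]).total_seconds() <= max_gap:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return {
        "events": len(events),
        "peak_pps": max((e[1] for e in events), default=0),
        "limit_pps": events[0][2] if events else None,
        "longest_burst": max((len(b) for b in bursts), default=0),
        "natd_errors": len(natd_errors),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A long burst with a peak well above the limit is the signature of a flood the rate limiter is absorbing; a lone event is usually noise. Raising max_gap merges nearby bursts when the flood is intermittent.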

