Date: Sat, 27 Jan 2001 17:00:42 +0100
From: Thomas Seck
To: freebsd-security@freebsd.org
Subject: Re: ICMP attacks
Message-ID: <20010127170042.A737@basildon.homerun>
Organization: Die Teilchenbeschleuniger

On Fr, Jan 26, 2001 at 04:44:51am -0500, Will Mitayai Keeso Rowe wrote:

> > icmp-response bandwidth limit 205/200 pps
> > icmp-response bandwidth limit 264/200 pps
> > icmp-response bandwidth limit 269/200 pps
> > icmp-response bandwidth limit 273/200 pps
> > icmp-response bandwidth limit 273/200 pps
> > icmp-response bandwidth limit 271/200 pps
> > icmp-response bandwidth limit 261/200 pps
> > icmp-response bandwidth limit 268/200 pps
> > icmp-response bandwidth limit 205/200 pps
> > icmp-response bandwidth limit 223/200 pps
> > Is there any way to trace the people that are causing this? It's becoming a
> daily occurrence and it's beginning to irritate me.

One is probably just running a portscan against you.
The reason you see these messages is because a well-behaving system
generates an ICMP "port unreachable" message for every port that does not
listen for incoming connections. To protect you from generic ICMP-based
attacks that try to eat up your bandwidth, the ICMP_BANDLIM parameter was
introduced in the GENERIC kernel. Some scanning programs, e.g. nmap,
generate a large number of requests, thus triggering more replies than
ICMP_BANDLIM allows to get out. [1]

This is nothing to worry about, imho.

Regards,
Thomas Seck

[1] If this is in any way not precise enough, do not beat me - I am not a
kernel hacker.
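
An added example, not part of the original message: a small Python parser that groups the `icmp-response bandwidth limit N/M pps` kernel messages quoted above into bursts. It shows whether the limiter fired during one short scan-like episode or over a sustained period. The syslog prefix (timestamps, host name `gw`), the 5-second grouping gap and the function names are assumptions; the rates are the ones from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: timestamps and host "gw" are assumed, rates are from the thread.
SAMPLE = """\
Jan 26 04:40:01 gw /kernel: icmp-response bandwidth limit 205/200 pps
Jan 26 04:40:02 gw /kernel: icmp-response bandwidth limit 264/200 pps
Jan 26 04:40:03 gw /kernel: icmp-response bandwidth limit 269/200 pps
Jan 26 04:40:04 gw /kernel: icmp-response bandwidth limit 273/200 pps
Jan 26 04:40:05 gw /kernel: icmp-response bandwidth limit 273/200 pps
Jan 26 04:40:06 gw /kernel: icmp-response bandwidth limit 271/200 pps
Jan 26 04:40:07 gw /kernel: icmp-response bandwidth limit 261/200 pps
Jan 26 04:40:08 gw /kernel: icmp-response bandwidth limit 268/200 pps
Jan 26 04:52:30 gw /kernel: icmp-response bandwidth limit 205/200 pps
Jan 26 04:52:31 gw /kernel: icmp-response bandwidth limit 223/200 pps
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ .*?"
                  r"icmp-response bandwidth limit (\d+)/(\d+) pps")

def parse(text, year=2001):
    """Return (timestamp, replies_wanted, limit) for each limiter message."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, int(m.group(2)), int(m.group(3))))
    return events

def episodes(events, max_gap=timedelta(seconds=5)):
    """Merge messages less than max_gap apart into one burst."""
    out = []
    for ts, wanted, limit in sorted(events):
        if not out or ts - out[-1]["end"] > max_gap:
            out.append({"start": ts, "end": ts, "messages": 0,
                        "peak": 0, "excess": 0})
        ep = out[-1]
        ep["end"] = ts
        ep["messages"] += 1
        ep["peak"] = max(ep["peak"], wanted)
        ep["excess"] += wanted - limit  # replies above the limit in this burst
    return out

if __name__ == "__main__":
    for ep in episodes(parse(SAMPLE)):
        print(f'{ep["start"]} to {ep["end"]}: {ep["messages"]} messages, '
              f'peak {ep["peak"]} pps, {ep["excess"]} replies over the limit')
```
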