Date:      Thu, 3 Dec 1998 12:23:21 -0800 (PST)
From:      Matt Dillon <dillon@FreeBSD.ORG>
To:        cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject:   cvs commit: src/sys/netinet icmp_var.h ip_icmp.c tcp_input.c udp_usrreq.c
Message-ID:  <199812032023.MAA02215@freefall.freebsd.org>

dillon      1998/12/03 12:23:21 PST

  Modified files:
    sys/netinet          icmp_var.h ip_icmp.c tcp_input.c 
                         udp_usrreq.c 
  Log:
  Reviewed by:	freebsd-current
  
      Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl.  If option
      is specified in kernel config, icmplim defaults to 100 pps.  Setting it
      to 0 will disable the feature.  This feature limits ICMP error responses
      for packets sent to bad tcp or udp ports, which does a lot to help the
      machine handle network D.O.S. attacks.
  
      The kernel will report packet rates that exceed the limit at a rate of
      one kernel printf per second.  There is one issue in regards to the
      'tail end' of an attack... the kernel will not output the last report
      until some unrelated and valid icmp error packet is returned at some
      point after the attack is over.  This is a minor reporting issue only.
  
  Revision  Changes    Path
  1.10      +17 -1     src/sys/netinet/icmp_var.h
  1.32      +80 -1     src/sys/netinet/ip_icmp.c
  1.82      +8 -2      src/sys/netinet/tcp_input.c
  1.49      +7 -1      src/sys/netinet/udp_usrreq.c
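
The behaviour described in the log above (a per-second cap on ICMP error responses, one report per second, and the delayed final report), modelled as an added example that is not the committed FreeBSD code. The struct, function names, log format and traffic pattern are assumptions made for illustration.

```c
#include <stdio.h>

/* Hypothetical model of a per-second response limiter; not FreeBSD source. */
struct icmp_limiter {
    long window_start; /* second in which the current window began */
    int  count;        /* bad-port packets seen in the current window */
    int  limit;        /* responses allowed per second; 0 disables limiting */
    int  reports;      /* log lines emitted so far */
};

/* Returns 1 if an ICMP error may be sent at time `now` (whole seconds), else 0. */
int icmp_limit_allow(struct icmp_limiter *l, long now)
{
    if (l->limit == 0)
        return 1;
    if (now != l->window_start) {
        /* The report for a finished window is written only here, on the
         * first packet of a later window: at most one line per second,
         * and the final window of a burst waits for the next packet. */
        if (l->count > l->limit) {
            printf("icmp response limit: %d/%d pps\n", l->count, l->limit);
            l->reports++;
        }
        l->window_start = now;
        l->count = 0;
    }
    l->count++;
    return l->count <= l->limit;
}

/* Feed `n` packets arriving within second `sec`; return how many get a response. */
int feed_burst(struct icmp_limiter *l, long sec, int n)
{
    int sent = 0;
    for (int i = 0; i < n; i++)
        sent += icmp_limit_allow(l, sec);
    return sent;
}

int main(void)
{
    struct icmp_limiter l = { 0, 0, 100, 0 };   /* 100 pps, the stated default */
    /* Constructed traffic: two seconds of flood, then one stray packet. */
    printf("sec 10: sent %d of 500\n", feed_burst(&l, 10, 500));
    printf("sec 11: sent %d of 500\n", feed_burst(&l, 11, 500));
    printf("reports after flood: %d\n", l.reports);   /* last window still pending */
    printf("sec 60: sent %d of 1\n", feed_burst(&l, 60, 1));
    printf("reports after stray packet: %d\n", l.reports);
    return 0;
}
```

In this model the second flood window is reported only when the packet at second 60 arrives, which is the reporting delay the log message calls the 'tail end' issue.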
