From owner-cvs-all Thu Dec 3 12:22:43 1998
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA16730 for cvs-all-outgoing; Thu, 3 Dec 1998 12:22:43 -0800 (PST) (envelope-from owner-cvs-all@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA16725; Thu, 3 Dec 1998 12:22:41 -0800 (PST) (envelope-from dillon@FreeBSD.org)
From: Matt Dillon
Received: (from dillon@localhost) by freefall.freebsd.org (8.8.8/8.8.5) id MAA02215; Thu, 3 Dec 1998 12:23:21 -0800 (PST)
Date: Thu, 3 Dec 1998 12:23:21 -0800 (PST)
Message-Id: <199812032023.MAA02215@freefall.freebsd.org>
To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: cvs commit: src/sys/netinet icmp_var.h ip_icmp.c tcp_input.c udp_usrreq.c
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk

dillon      1998/12/03 12:23:21 PST

  Modified files:
    sys/netinet          icmp_var.h ip_icmp.c tcp_input.c udp_usrreq.c
  Log:
  Reviewed by:	freebsd-current

  Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl. If option
  is specified in kernel config, icmplim defaults to 100 pps. Setting it
  to 0 will disable the feature.

  This feature limits ICMP error responses for packets sent to bad tcp
  or udp ports, which does a lot to help the machine handle network
  D.O.S. attacks.

  The kernel will report packet rates that exceed the limit at a rate of
  one kernel printf per second. There is one issue in regard to the
  'tail end' of an attack... the kernel will not output the last report
  until some unrelated and valid icmp error packet is returned at some
  point after the attack is over. This is a minor reporting issue only.

  Revision  Changes    Path
  1.10      +17 -1     src/sys/netinet/icmp_var.h
  1.32      +80 -1     src/sys/netinet/ip_icmp.c
  1.82      +8 -2      src/sys/netinet/tcp_input.c
  1.49      +7 -1      src/sys/netinet/udp_usrreq.c

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
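The commit log above describes the mechanism only in prose: a per-second cap on ICMP port-unreachable responses, diagnostics at most once per second, and a 'tail end' quirk where the last report waits for the next packet. The following is an added user-space model of that behaviour, written for this page; it is not the code from ip_icmp.c or the FreeBSD kernel, and the struct, function names, the integer-second clock and the wording of the diagnostic are all assumptions made here. The sample flood it runs is constructed input.

```c
/* Added example: a user-space model of per-second ICMP error rate
 * limiting as the commit log describes it.  Not FreeBSD kernel code;
 * the names, the integer-second clock and the report text are assumed. */
#include <stdio.h>

#define ICMPLIM_DEFAULT 100   /* packets per second, the default the log names */

struct bandlim {
    long limit;       /* responses allowed per second; 0 disables, like icmplim=0 */
    long window;      /* the second the current counters belong to */
    long count;       /* responses sent in this second */
    long dropped;     /* responses suppressed in this second */
    long reports;     /* diagnostics emitted so far */
};

void bandlim_init(struct bandlim *b, long limit)
{
    b->limit = limit;
    b->window = -1;   /* no second seen yet */
    b->count = b->dropped = b->reports = 0;
}

/* Decide whether one ICMP error response may be sent at time now_sec.
 * Returns 1 to send, 0 to suppress.  Mirrors the log's description:
 * the overrun of a second is reported only when a later packet rolls the
 * window over, so the last report of an attack waits for the next
 * unrelated packet (the 'tail end' quirk). */
int bandlim_check(struct bandlim *b, long now_sec)
{
    if (b->limit == 0)
        return 1;                       /* feature disabled: always respond */

    if (now_sec != b->window) {
        /* New second: emit at most one diagnostic, for the second just closed. */
        if (b->dropped > 0) {
            printf("Limiting icmp unreach response from %ld to %ld packets per second\n",
                   b->count + b->dropped, b->limit);   /* assumed wording */
            b->reports++;
        }
        b->window = now_sec;
        b->count = 0;
        b->dropped = 0;
    }

    if (b->count < b->limit) {
        b->count++;
        return 1;
    }
    b->dropped++;
    return 0;
}

/* Constructed flood: pps bad-port packets per second for 'seconds'
 * consecutive seconds starting at start_sec.  Returns responses sent. */
long simulate_flood(struct bandlim *b, long start_sec, int seconds, long pps)
{
    long sent = 0;
    for (int s = 0; s < seconds; s++)
        for (long i = 0; i < pps; i++)
            sent += bandlim_check(b, start_sec + s);
    return sent;
}

int main(void)
{
    struct bandlim b;
    bandlim_init(&b, ICMPLIM_DEFAULT);

    /* Three seconds at 1000 pps: only 100 responses per second go out,
     * and seconds 10 and 11 are reported as 11 and 12 begin. */
    long sent = simulate_flood(&b, 10, 3, 1000);
    printf("sent %ld of 3000, reports so far %ld\n", sent, b.reports);

    /* The attack is over; second 12 is reported only when this
     * unrelated, valid error response arrives much later. */
    bandlim_check(&b, 20);
    printf("after one legitimate packet: reports %ld\n", b.reports);
    return 0;
}
```

Run stand-alone, the flood lets 300 of 3000 responses through and prints two diagnostics during the attack; the third, covering the attack's final second, appears only when the packet at second 20 arrives, which is exactly the reporting lag the log calls a minor issue.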