Date: Tue, 21 Jan 2003 10:48:58 -0600 (CST)
From: Mike Silbersack <silby@silby.com>
To: Martin McCormick <martin@dc.cis.okstate.edu>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
Message-ID: <20030121104626.Y2194-100000@patrocles.silby.com>
In-Reply-To: <200301211600.h0LG08vD022507@dc.cis.okstate.edu>
References: <200301211600.h0LG08vD022507@dc.cis.okstate.edu>
On Tue, 21 Jan 2003, Martin McCormick wrote:

> On rare occasions, a FreeBSD system in our network has
> been known to print the example shown in the subject at a furious
> rate for a short time and then things get back to normal.
>
> Is that what the effects of a ping flood look like?
>
> On one system running bind9, the named process died after
> the syslog message said that packets had reached 243 per second,
> but I was able to restart it within seconds of its crash.
> Only the named process crashed, not the system.
>
> Any ideas as to what this is?
>
> Martin McCormick WB5AGZ Stillwater, OK
> OSU Center for Computing and Information Services Network Operations Group

This is not a ping flood, as others have reported. ICMP unreach packets
are sent in response to incoming UDP packets to a port which has no
service running on it. Here's what's happening:

1. BIND crashes.
2. DNS requests keep coming in, at a rate of 231 per second.
3. FreeBSD limits the number of icmp unreach responses, and tells you.
4. You restart BIND, and messages go away.

I can't answer why step #1 occurred, but I can assure you that #2 through
#4 are natural results of #1, and are nothing to worry about.

Mike "Silby" Silbersack
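Added example, not part of the original message: a small log check that groups the kernel's rate-limit messages into bursts, so each burst's start and end can be compared against the time the UDP service (here named) went down and came back. The syslog prefix layout, the sample lines, the function name `find_bursts` and the 30-second gap are assumptions; only the message text comes from the thread subject.

```python
import re
from datetime import datetime, timedelta

# Message text as quoted in the thread subject; the syslog prefix is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+\S*kernel:\s+"
    r"Limiting icmp unreach response from (?P<seen>\d+) to (?P<limit>\d+) "
    r"packets per second"
)

# Constructed sample log lines (not taken from the original message).
SAMPLE_LOG = """\
Jan 21 09:58:01 ns1 /kernel: Limiting icmp unreach response from 231 to 200 packets per second
Jan 21 09:58:02 ns1 /kernel: Limiting icmp unreach response from 243 to 200 packets per second
Jan 21 09:58:03 ns1 named[412]: unrelated line that must be ignored
Jan 21 09:58:04 ns1 /kernel: Limiting icmp unreach response from 238 to 200 packets per second
Jan 21 10:40:10 ns1 /kernel: Limiting icmp unreach response from 205 to 200 packets per second
"""

def find_bursts(log_text, year=2003, gap_seconds=30):
    """Group rate-limit messages per host into bursts split by quiet gaps."""
    bursts, open_burst = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # BSD syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        host, seen = m["host"], int(m["seen"])
        last = open_burst.get(host)
        if last and ts - last["end"] <= timedelta(seconds=gap_seconds):
            # Same burst: extend it and track the highest reported rate.
            last["end"] = ts
            last["peak"] = max(last["peak"], seen)
            last["messages"] += 1
        else:
            last = {"host": host, "start": ts, "end": ts, "peak": seen,
                    "limit": int(m["limit"]), "messages": 1}
            bursts.append(last)
            open_burst[host] = last
    return bursts

if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LOG):
        print(f"{b['host']}: {b['start']} -> {b['end']} "
              f"peak {b['peak']} pps (limit {b['limit']}), {b['messages']} messages")
```

A burst whose window lines up with a service outage matches the sequence described in the reply; a burst with no matching outage is the case worth a closer look.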