Date: Tue, 21 Jan 2003 17:24:31 -0200
From: "Ronan Lucio" <ronan@melim.com.br>
To: "Mike Silbersack" <silby@silby.com>, "Martin McCormick" <martin@dc.cis.okstate.edu>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
Message-ID: <014b01c2c182$b93b5da0$34a8a8c0@melim.com.br>
References: <200301211600.h0LG08vD022507@dc.cis.okstate.edu> <20030121104626.Y2194-100000@patrocles.silby.com>
> This is not a ping flood, as others have reported. ICMP unreach packets
> are sent in response to incoming UDP packets to a port which has no
> service running on it.
>
> Here's what's happening:
>
> 1. BIND crashes.
> 2. DNS requests keep coming in, at a rate of 231 per second.
> 3. FreeBSD limits the number of icmp unreach responses, and tells you.
> 4. You restart BIND, and messages go away.
>
> I can't answer why step #1 occurred, but I can assure you that #2 through
> #4 are natural results of #1, and are nothing to worry about.

I think a good solution is to install a DJB DNS Cache and leave it just to answer DNS queries. The dnscache machine could even point to a DNS Server running Bind9.

http://cr.yp.to/djbdns.html

Ronan
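As an added example (not part of the thread), a small Python checker that turns the kernel message quoted above into a signal: it parses constructed syslog lines in the "Limiting icmp unreach response from N to M packets per second" format, estimates how many responses the limiter suppressed, and flags a sustained run, which is what a dead UDP listener such as a crashed BIND looks like. The hostname, timestamps and `named` line in the sample are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Shape of the message FreeBSD's ICMP bandwidth limiter logs when responses
# exceed the per-second cap (sysctl net.inet.icmp.icmplim). The surrounding
# syslog prefix (timestamp, host, "/kernel:") is assumed.
LIMIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ /kernel: "
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) to (?P<limit>\d+) "
    r"packets per second$"
)

# Constructed sample log: three seconds of unreach limiting (queries still
# arriving while nothing listens on udp/53), a daemon restart, then an
# unrelated RST-limit line that must not be counted as unreach.
SAMPLE_LOG = """\
Jan 21 13:02:10 ns1 /kernel: Limiting icmp unreach response from 231 to 200 packets per second
Jan 21 13:02:11 ns1 /kernel: Limiting icmp unreach response from 228 to 200 packets per second
Jan 21 13:02:12 ns1 /kernel: Limiting icmp unreach response from 240 to 200 packets per second
Jan 21 13:02:13 ns1 named[412]: starting BIND
Jan 21 13:02:14 ns1 /kernel: Limiting closed port RST response from 300 to 200 packets per second
""".splitlines()

@dataclass
class LimitEvent:
    ts: str
    kind: str
    seen: int    # responses the kernel wanted to send in that second
    limit: int   # cap it enforced instead

    @property
    def suppressed(self) -> int:
        return self.seen - self.limit

def parse_limit_events(lines: List[str]) -> List[LimitEvent]:
    """Extract every rate-limit message; non-matching lines are ignored."""
    events = []
    for line in lines:
        m = LIMIT_RE.match(line)
        if m:
            events.append(LimitEvent(m["ts"], m["kind"], int(m["seen"]), int(m["limit"])))
    return events

def assess(events: List[LimitEvent], sustained: int = 3) -> Dict[str, object]:
    """Summarise the icmp unreach events only. At least `sustained` of them
    means a steady stream of UDP packets to a port with no listener, not a burst."""
    unreach = [e for e in events if e.kind == "icmp unreach"]
    return {
        "events": len(unreach),
        "peak_rate": max((e.seen for e in unreach), default=0),
        "suppressed_total": sum(e.suppressed for e in unreach),
        "sustained": len(unreach) >= sustained,
    }
```

A sustained result is a cue to check whether the expected UDP service (here `named` on port 53) is still running rather than to raise `icmplim`.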