From owner-freebsd-security Mon Apr 15 6:37:37 2002
Delivered-To: freebsd-security@freebsd.org
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 784AB37B400 for ; Mon, 15 Apr 2002 06:37:29 -0700 (PDT)
Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 16x6jL-0003K5-00; Mon, 15 Apr 2002 15:41:15 +0200
From: Sheldon Hearn
To: Christoph Kukulies
Cc: freebsd-security@freebsd.org
Subject: Re: Limiting closed port RST response from 381 to 200 p
In-reply-to: Your message of "Mon, 15 Apr 2002 09:03:01 +0200." <200204150703.g3F731k18347@gil.physik.rwth-aachen.de>
Date: Mon, 15 Apr 2002 15:41:15 +0200
Message-ID: <12776.1018878075@axl.seasidesoftware.co.za>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Mon, 15 Apr 2002 09:03:01 +0200, Christoph Kukulies wrote:

> It looks like the machine is being attacked. Is there a way to trap
> the attacker?
>
> Apr 12 10:32:24 host /kernel: Limiting closed port RST response from 336 to 200 packets per second

Unlikely, as the source addresses are almost certainly forged.

I use the following RELENG_4-relative patch to allow syslog message coalescing, e.g.:

[time] fwadmin3 /kernel: Limiting icmp ping response to 200 packets per second
[time] fwadmin3 last message repeated 29 times
[time] fwadmin3 last message repeated 17 times

You lose the "severity at a glance" value of the messages this way, but I don't find them useful enough to warrant the mess in /var/log/messages.

Ciao,
Sheldon.

Index: ip_icmp.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v retrieving revision 1.39.2.16 diff -u -d -r1.39.2.16 ip_icmp.c --- ip_icmp.c 22 Mar 2002 16:54:18 -0000 1.39.2.16 +++ ip_icmp.c 15 Apr 2002 13:39:53 -0000 @@ -862,9 +862,8 @@ if ((unsigned int)dticks > hz) { if (lpackets[which] > icmplim) { - printf("%s from %d to %d packets per second\n", + printf("%s to %d packets per second\n", bandlimittype[which], - lpackets[which], icmplim ); }

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
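Review bot: dropping lpackets[which] from the printf in the ip_icmp.c hunk discards the only place the observed rate is reported, so after this change an operator can see that the limiter fired in a given second but not whether the offered rate was just over icmplim or two orders of magnitude above it. The coalescing goal can be met without losing that data by keeping the message text fixed and accumulating the overflow elsewhere, for example a per-type counter incremented by lpackets[which] - icmplim inside the same `if (lpackets[which] > icmplim)` branch and exposed via sysctl or netstat. The format string and its arguments still agree after the edit (%s takes bandlimittype[which], %d takes icmplim). Note also that the hunk changes user-visible message text: the original report quotes "Limiting closed port RST response from 336 to 200 packets per second", so any log-watching rule that matches on "from N to M" will stop firing once this is applied.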
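Once the kernel message no longer varies from second to second, syslogd collapses the repeats into "last message repeated N times" lines, and the per-second detail Sheldon mentions losing has to be recovered from those counts. The following is an added example, not code from the thread or from FreeBSD: a small parser that walks a /var/log/messages excerpt, re-expands the "last message repeated" lines per host, and reports how many limiter events each (host, response type) produced. It understands both the unpatched message (with "from N") and the patched one, so the peak observed rate is reported where the log still carries it and shown as unknown where it does not. The log excerpt is constructed for the example; the only line taken from the thread is Christoph's quoted one. The assumption that one kernel message corresponds to roughly one second of the limiter firing is drawn from the hunk's `dticks > hz` context and is noted as such in the code.

```python
"""Recover kernel rate-limit event counts from a syslog excerpt whose
identical consecutive lines have been coalesced by syslogd into
"last message repeated N times" entries.  Added example; not FreeBSD code."""
import re
from collections import defaultdict

# Constructed sample /var/log/messages excerpt (not from the original post,
# apart from the first "host" line, which Christoph quoted).  The "host"
# lines are in the unpatched format (with "from N"); the "fwadmin3" lines
# are in the patched, coalescing-friendly format.  The sshd line checks
# that a repeat following an unrelated message is not miscounted.
SAMPLE_LOG = """\
Apr 12 10:32:24 host /kernel: Limiting closed port RST response from 336 to 200 packets per second
Apr 12 10:32:25 host /kernel: Limiting closed port RST response from 381 to 200 packets per second
Apr 15 10:32:24 fwadmin3 /kernel: Limiting icmp ping response to 200 packets per second
Apr 15 10:32:55 fwadmin3 last message repeated 29 times
Apr 15 10:33:10 fwadmin3 last message repeated 17 times
Apr 15 10:33:40 fwadmin3 /kernel: Limiting closed port RST response to 200 packets per second
Apr 15 10:34:02 fwadmin3 last message repeated 3 times
Apr 15 10:34:30 fwadmin3 sshd[123]: Accepted publickey for root from 10.0.0.5
Apr 15 10:34:31 fwadmin3 last message repeated 2 times
"""

# Classic BSD syslog prefix: "Mon dd hh:mm:ss hostname ".
SYSLOG_PREFIX = r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "

LIMIT_RE = re.compile(
    SYSLOG_PREFIX
    + r"/kernel: Limiting (?P<type>.+?) response"
    + r"(?: from (?P<seen>\d+))?"          # only present in the unpatched message
    + r" to (?P<limit>\d+) packets per second$"
)
REPEAT_RE = re.compile(SYSLOG_PREFIX + r"last message repeated (?P<n>\d+) times$")
ANY_RE = re.compile(SYSLOG_PREFIX + r"(?P<msg>.*)$")


def _account(stats, rec, count):
    """Credit `count` limiter events to the (host, type) bucket of `rec`."""
    bucket = stats[(rec["host"], rec["type"])]
    bucket["events"] += count
    bucket["limit"] = int(rec["limit"])
    if rec["seen"] is not None:            # unpatched message: we know the offered rate
        bucket["peak"] = max(bucket["peak"] or 0, int(rec["seen"]))


def summarize(log_text):
    """Return {(host, type): {"events", "limit", "peak"}} for a syslog excerpt.

    `events` counts kernel rate-limit messages after re-expanding syslogd's
    "last message repeated N times" lines.  Assumption (from the hunk's
    `dticks > hz` check): the kernel emits at most one message per second,
    so `events` approximates the number of seconds the limiter was over.
    `peak` is the highest offered rate seen, or None when the log only has
    the patched message that no longer carries it.
    """
    stats = defaultdict(lambda: {"events": 0, "limit": None, "peak": None})
    last = {}  # host -> most recent limiter record, or None if another message intervened

    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = LIMIT_RE.match(line)
        if m:
            rec = m.groupdict()
            last[rec["host"]] = rec
            _account(stats, rec, 1)
            continue
        m = REPEAT_RE.match(line)
        if m:
            # syslogd coalesces per host, so the repeat refers to that host's last line.
            rec = last.get(m.group("host"))
            if rec is not None:
                _account(stats, rec, int(m.group("n")))
            continue
        m = ANY_RE.match(line)
        if m:
            last[m.group("host")] = None    # an unrelated message breaks the run

    return dict(stats)


if __name__ == "__main__":
    for (host, kind), s in sorted(summarize(SAMPLE_LOG).items()):
        peak = "unknown (patched message)" if s["peak"] is None else f"{s['peak']} pps"
        print(f"{host}: {kind}: limiter fired ~{s['events']}s at limit {s['limit']} pps, peak {peak}")
```

The per-host "last message" tracking matters: syslogd's repeat line refers to whatever that host last logged, so a repeat following an unrelated sshd line must not be credited to the limiter, and the parser resets the run on any other message from that host.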