Date: Fri, 28 Jul 2006 10:40:12 +0300
From: Nikos Vassiliadis <nvass@teledomenet.gr>
To: freebsd-questions@freebsd.org
Cc: User Freebsd <freebsd@hub.org>
Subject: Re: icmp packets - disabling via sysctl, or cisco switch ... ?
Message-ID: <200607281040.13292.nvass@teledomenet.gr>
In-Reply-To: <20060728002433.E17979@ganymede.hub.org>
References: <20060728001202.W17979@ganymede.hub.org> <20060728002433.E17979@ganymede.hub.org>
On Friday 28 July 2006 06:26, User Freebsd wrote:
> Just an addendum, but this is what I'm seeing in /var/log/messages right
> now:
>
> Jul 28 00:22:37 io kernel: Limiting icmp unreach response from 6255 to 200 packets/sec
> Jul 28 00:22:38 io kernel: Limiting icmp unreach response from 6515 to 200 packets/sec
> Jul 28 00:22:39 io kernel: Limiting icmp unreach response from 6646 to 200 packets/sec
> ^C
>
> And it's been going on for several hours now ... :(

Yes, it is just FreeBSD behaving cleverly and limiting the number of ICMP replies.
These two sysctls are of interest:

net.inet.icmp.icmplim: Maximum number of ICMP responses per second
net.inet.icmp.icmplim_output: Enable rate limiting of ICMP responses

Somebody is probably flood pinging your server. You can do several things.

1) Block particular (addresses|proto) from your upstream router. This way
"bad" traffic will not reach your box.

2) Block particular (addresses|proto) from your box. This way the "attacker"
will not know if your box is up and running. Not much gain, since traffic
will load your box anyway.

3) Limit the number of ICMP replies to 5 or 10 per second. Won't help at all
with your situation, but it is a good value for normal use.

HTH,
Nikos
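As an added illustration (not part of the thread), a small POSIX sh script that parses the "Limiting icmp unreach response" lines quoted above to report how hard the limiter is being pushed, and prints the FreeBSD sysctl commands for inspecting and lowering net.inet.icmp.icmplim. The log lines embedded in it are constructed from the quoted message; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread. Parses FreeBSD
# "Limiting icmp unreach response from N to M packets/sec" log lines
# and reports the peak attempted rate N, which tells an admin how heavy
# the flood is before touching net.inet.icmp.icmplim.

# Constructed sample of /var/log/messages, based on the lines quoted above.
SAMPLE_LOG='Jul 28 00:22:37 io kernel: Limiting icmp unreach response from 6255 to 200 packets/sec
Jul 28 00:22:38 io kernel: Limiting icmp unreach response from 6515 to 200 packets/sec
Jul 28 00:22:39 io kernel: Limiting icmp unreach response from 6646 to 200 packets/sec
Jul 28 00:22:40 io sshd[1234]: unrelated line that must be ignored'

# peak_icmp_rate LOGTEXT: print the largest "from N" value seen in the
# rate-limit lines (0 if there are none).
peak_icmp_rate() {
    printf '%s\n' "$1" |
        awk '/Limiting icmp unreach response from/ {
                 for (i = 1; i <= NF; i++)
                     if ($i == "from" && $(i+1)+0 > max) max = $(i+1)+0
             }
             END { print max+0 }'
}

# limited_seconds LOGTEXT: number of one-second intervals in which the
# limiter fired (the kernel logs at most one such line per second).
limited_seconds() {
    printf '%s\n' "$1" | grep -c 'Limiting icmp unreach response'
}

# show_icmp_tuning: print (do not run) the FreeBSD commands to inspect the
# current limit and lower it to the 10/sec suggested in the reply; the
# /etc/sysctl.conf line makes the change survive a reboot.
show_icmp_tuning() {
    cat <<'EOF'
sysctl net.inet.icmp.icmplim net.inet.icmp.icmplim_output
sysctl net.inet.icmp.icmplim=10
echo 'net.inet.icmp.icmplim=10' >> /etc/sysctl.conf
EOF
}

# Stand-alone run: summarise the sample log.
printf 'peak attempted rate: %s/sec over %s limited second(s)\n' \
    "$(peak_icmp_rate "$SAMPLE_LOG")" "$(limited_seconds "$SAMPLE_LOG")"
show_icmp_tuning
```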