Date: Mon, 5 Nov 2001 16:54:49 -0800
From: "Crist J. Clark"
To: Luigi Rizzo
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: limiting outgoing ICMP's
Message-ID: <20011105165448.D745@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011105090735.A75119@iguana.aciri.org>
In-Reply-To: <20011105090735.A75119@iguana.aciri.org>; from rizzo@aciri.org on Mon, Nov 05, 2001 at 09:07:35AM -0800

On Mon, Nov 05, 2001 at 09:07:35AM -0800, Luigi Rizzo wrote:
> There seems to be no knob to limit outgoing icmp's (redirects, no
> route, and the like). Wouldn't it be the case to add a sysctl
> variable to rate-limit or disable such messages? I do not think
> it makes a lot of sense to let our routers become reflectors for
> certain types of DoS attacks.

A quick look at ip_icmp.c seems to indicate ICMP_BANDLIM only watches
echo replies, unreachables, and timestamp responses (and TCP RSTs (?!),
which aren't actually ICMP).

I guess it would be straightforward to cover all ICMP error messages,

  Redirect
  Source Quench
  Time Exceeded
  Parameter Problem

as well as query responses for,

  Information
  Address Mask

to cover everything. I don't think each type needs its own rate limiting
knob. I am not sure of how much use being able to turn off individual
types might be. You can always run a firewall on the host to block 'em.
-- 
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
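A per-class limiter of the kind the reply proposes, covering the three classes it says ICMP_BANDLIM already watches plus the listed error messages and query responses, written here as an added example for this thread and not taken from FreeBSD's ip_icmp.c. The class names, the 200 messages/second budget, the one-second reset window and the caller-supplied clock are this example's own assumptions.

```c
#include <stdint.h>

/* Limiter classes: the three the message says ICMP_BANDLIM already watches,
 * then the error and query-reply types it proposes adding. Names are this
 * example's own, not ip_icmp.c's. */
enum bandlim_class {
    BL_ECHO, BL_UNREACH, BL_TSTAMP,                      /* already covered */
    BL_REDIRECT, BL_SQUENCH, BL_TIMXCEED, BL_PARAMPROB,  /* error messages */
    BL_IREQ, BL_MASK,                                    /* query responses */
    BL_MAX
};

/* Map an outgoing ICMP type (RFC 792 numbers) to its class, -1 if unlimited. */
int icmp_bandlim_class(int type)
{
    switch (type) {
    case 0:  return BL_ECHO;       /* echo reply */
    case 3:  return BL_UNREACH;    /* destination unreachable */
    case 4:  return BL_SQUENCH;    /* source quench */
    case 5:  return BL_REDIRECT;   /* redirect */
    case 11: return BL_TIMXCEED;   /* time exceeded */
    case 12: return BL_PARAMPROB;  /* parameter problem */
    case 14: return BL_TSTAMP;     /* timestamp reply */
    case 16: return BL_IREQ;       /* information reply */
    case 18: return BL_MASK;       /* address mask reply */
    default: return -1;            /* e.g. echo requests we originate */
    }
}

/* One counter per class, reset each wall-clock second. icmplim is the
 * per-class messages/second budget; 200 is a constructed default. */
static uint32_t icmplim = 200;
static struct { uint32_t sec; uint32_t count; } bl_state[BL_MAX];

/* Return 1 if the reply may be sent, 0 if it exceeds this second's budget. */
int icmp_bandlim(int type, uint32_t now_sec)
{
    int c = icmp_bandlim_class(type);
    if (c < 0)
        return 1;
    if (bl_state[c].sec != now_sec) {   /* new second: reset the counter */
        bl_state[c].sec = now_sec;
        bl_state[c].count = 0;
    }
    return ++bl_state[c].count <= icmplim;
}
```

Because each class has its own counter, a flood of one reply type (say, redirects) exhausts only that class's budget and leaves unreachables flowing, which is the property that makes one shared knob workable without per-type switches.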