Date: Mon, 5 Nov 2001 16:54:49 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Luigi Rizzo <rizzo@aciri.org>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: limiting outgoing ICMP's
Message-ID: <20011105165448.D745@blossom.cjclark.org>
In-Reply-To: <20011105090735.A75119@iguana.aciri.org>; from rizzo@aciri.org on Mon, Nov 05, 2001 at 09:07:35AM -0800
References: <20011105090735.A75119@iguana.aciri.org>
On Mon, Nov 05, 2001 at 09:07:35AM -0800, Luigi Rizzo wrote:
> There seems to be no knob to limit outgoing icmp's (redirects, no
> route, and the like). Wouldn't it be the case to add a sysctl
> variable to rate-limit or disable such messages ? I do not think
> it makes a lot of sense to let our routers become reflectors for
> certain types of DoS attacks.

A quick look at ip_icmp.c seems to indicate ICMP_BANDLIM only watches
echo replies, unreachables, and timestamp responses (and TCP RSTs (?!),
which aren't actually ICMP). I guess it would be straightforward to
cover all ICMP error messages,

  Redirect
  Source Quench
  Time Exceeded
  Parameter Problem

As well as query responses for,

  Information
  Address Mask

To cover everything. I don't think each type needs its own rate
limiting knob. I am not sure of how much use being able to turn off
individual types might be. You can always run a firewall on the host
to block 'em.
-- 
Crist J. Clark                  | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
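To make the single-knob idea from the message above concrete, here is an added example in C of a bandwidth limiter that puts every "reflectable" ICMP type (the error messages listed above plus the query replies) under one shared per-second budget. This is illustration code, not code from ip_icmp.c or the FreeBSD project; the function names, the `icmp_reflect_limit` knob, the one-second window, and the burst simulation are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ICMP type numbers as assigned by RFC 792 (and RFC 950 for address mask). */
enum {
    ICMP_T_ECHOREPLY    = 0,
    ICMP_T_UNREACH      = 3,
    ICMP_T_SOURCEQUENCH = 4,
    ICMP_T_REDIRECT     = 5,
    ICMP_T_ECHO         = 8,
    ICMP_T_TIMXCEED     = 11,
    ICMP_T_PARAMPROB    = 12,
    ICMP_T_TSTAMPREPLY  = 14,
    ICMP_T_IREQREPLY    = 16,
    ICMP_T_MASKREPLY    = 18
};

/* Hypothetical single knob (what a sysctl would back): maximum reflectable
 * ICMP packets the host will emit per second; 0 suppresses them entirely. */
static int icmp_reflect_limit = 200;

/* True for ICMP messages a host only emits in response to packets that
 * arrived from elsewhere, i.e. the ones an attacker can make it reflect.
 * Our own outgoing queries (echo request etc.) are never limited. */
bool icmp_is_reflectable(int type)
{
    switch (type) {
    case ICMP_T_UNREACH:       /* already covered by ICMP_BANDLIM */
    case ICMP_T_ECHOREPLY:     /* already covered */
    case ICMP_T_TSTAMPREPLY:   /* already covered */
    case ICMP_T_REDIRECT:      /* the error types proposed above */
    case ICMP_T_SOURCEQUENCH:
    case ICMP_T_TIMXCEED:
    case ICMP_T_PARAMPROB:
    case ICMP_T_IREQREPLY:     /* the query replies proposed above */
    case ICMP_T_MASKREPLY:
        return true;
    default:
        return false;
    }
}

/* Shared limiter state: one counter for all reflectable types. */
struct icmp_bandlim {
    uint32_t window_start; /* the second in which the current window began */
    uint32_t count;        /* reflectable packets sent in that second */
    uint32_t dropped;      /* packets suppressed, for a rate-limited log line */
};

/* Decide whether an outgoing ICMP packet of `type`, at wall-clock second
 * `now`, may be transmitted. Returns false when it must be dropped. */
bool icmp_bandlim_allow(struct icmp_bandlim *bl, int type, uint32_t now)
{
    if (!icmp_is_reflectable(type))
        return true;                       /* not a reflection, never limit */
    if (icmp_reflect_limit <= 0) {
        bl->dropped++;                     /* knob set to 0: disable */
        return false;
    }
    if (now != bl->window_start) {         /* new second: reset the budget */
        bl->window_start = now;
        bl->count = 0;
    }
    if (bl->count >= (uint32_t)icmp_reflect_limit) {
        bl->dropped++;                     /* budget for this second spent */
        return false;
    }
    bl->count++;
    return true;
}

/* Feed `n` would-be packets of one type through the limiter within the same
 * second and report how many would actually leave the host. */
uint32_t simulate_burst(struct icmp_bandlim *bl, int type, uint32_t n, uint32_t now)
{
    uint32_t sent = 0;
    for (uint32_t i = 0; i < n; i++)
        if (icmp_bandlim_allow(bl, type, now))
            sent++;
    return sent;
}

int main(void)
{
    struct icmp_bandlim bl = { 0, 0, 0 };
    /* Constructed scenario: a flood provokes 500 redirects in one second,
     * then 50 in the next; only the configured 200 escape in the first. */
    printf("second 10: sent %u redirects\n", simulate_burst(&bl, ICMP_T_REDIRECT, 500, 10));
    printf("second 11: sent %u redirects\n", simulate_burst(&bl, ICMP_T_REDIRECT, 50, 11));
    printf("suppressed so far: %u\n", bl.dropped);
    return 0;
}
```

Because all reflectable types draw from one counter, a flood of one type also throttles the others for that second; that is the trade-off of a single knob versus per-type limits, and it matches the view in the message that per-type knobs are not worth much when a host firewall can drop individual types outright.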