Date:      Sat, 2 Dec 2000 11:57:30 -0800 (PST)
From:      silby@silby.com
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/23240: Proposed enhancement to icmp/rst rate limiting code in verbosity and functionality
Message-ID:  <200012021957.eB2JvUt95911@freefall.freebsd.org>


>Number:         23240
>Category:       kern
>Synopsis:       Proposed enhancement to icmp/rst rate limiting code in verbosity and functionality
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 02 12:00:02 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Mike Silbersack
>Release:        5.0-CURRENT
>Organization:
>Environment:
>Description:
The current icmp/rst rate limiting code works well to slow the rate of outgoing RST and icmp unreachables, but has two flaws:

1.  The messages generated during rate limiting are inexact and confusing to many.

2.  ICMP echo and tstamp requests are not rate limited.

Fixing these two flaws will allow those under attack to be more informed, and ensure that pingfloods will be less of a problem.
>How-To-Repeat:

>Fix:
A patch is available at http://www.silby.com/patches/ratelimit-enhancement-2.patch

This patch extends the rate limiting to cover echo and tstamp requests as well, and makes the report of what is happening more informative, as follows:

       Suppressing udp flood/scan: 212/200 pps
       Suppressing outgoing RST due to port scan: 202/200 pps
       Suppressing outgoing RST due to ACK flood: 19725/200 pps
       Suppressing ping flood: 230/200 pps
       Suppressing icmp tstamp flood: 210/200 pps

Note that "port scan" and "ACK flood" are great oversimplifications.  However, they are useful simplifications in that they give a good, simple explanation to what's happening for junior sysadmins.  People doing investigation of a heavy DoS will have to use packet sniffers to get exact information, as before.
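As an added illustration of the report format above (not code from the patch or from the FreeBSD kernel), a small user-space model of a per-category, one-second limiter: it assumes a 200 pps limit, counts the replies offered in each category per second, suppresses those over the limit, and when the second rolls over emits one line in the same "<count>/<limit> pps" form. The category names and the 200 pps value are constructed to match the sample report.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical limiter that produces the "<count>/<limit> pps" report lines
 * shown above; it is a model, not the kernel's own badport_bandlim(). */
enum bandlim_type { BANDLIM_UDP, BANDLIM_RST_PORTSCAN, BANDLIM_RST_ACKFLOOD,
                    BANDLIM_PING, BANDLIM_TSTAMP, BANDLIM_MAX };

static const char *bandlim_name[BANDLIM_MAX] = {
    "udp flood/scan", "outgoing RST due to port scan",
    "outgoing RST due to ACK flood", "ping flood", "icmp tstamp flood" };

struct bandlim {
    time_t window;   /* start of the current one-second window */
    unsigned count;  /* replies offered during that window */
};

static struct bandlim buckets[BANDLIM_MAX];
static unsigned limit_pps = 200;   /* assumed limit, the 200 of the sample */

/* Decide whether one reply of category t may be sent at time now (seconds).
 * Returns 1 to send, 0 to suppress. When the one-second window rolls over
 * after the limit was exceeded, a single report line is written to report. */
int bandlim_check(enum bandlim_type t, time_t now, char *report, size_t rlen)
{
    struct bandlim *b = &buckets[t];
    if (report != NULL)
        report[0] = '\0';
    if (now != b->window) {
        if (b->count > limit_pps && report != NULL)
            snprintf(report, rlen, "Suppressing %s: %u/%u pps",
                     bandlim_name[t], b->count, limit_pps);
        b->window = now;   /* new window: reset the counter */
        b->count = 0;
    }
    b->count++;
    return b->count <= limit_pps;
}

/* Offer n replies of category t within one second; return how many were suppressed. */
unsigned bandlim_flood(enum bandlim_type t, time_t now, unsigned n)
{
    unsigned suppressed = 0;
    while (n-- > 0)
        if (!bandlim_check(t, now, NULL, 0))
            suppressed++;
    return suppressed;
}
```

With 230 echo requests offered in one second, the model lets 200 through, suppresses 30, and on the next packet a second later reports "Suppressing ping flood: 230/200 pps".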

A previous version of this patch passed a quick review by green and bosko; the only changes made since then were cosmetic.

>Release-Note:
>Audit-Trail:
>Unformatted:

