Date:      Tue, 12 Nov 2002 21:11:43 -0600 (CST)
From:      Mike Silbersack <silby@silby.com>
To:        Tony Finch <dot@dotat.at>
Cc:        freebsd-net@freebsd.org
Subject:   Re: forwarded message on Source Quench Packets.
Message-ID:  <20021112210823.U5029-100000@patrocles.silby.com>
In-Reply-To: <E18BcxO-0000fM-00@chiark.greenend.org.uk>


On Tue, 12 Nov 2002, Tony Finch wrote:

> Mike Silbersack <silby@silby.com> wrote:
> >
> >I can see how these source quench messages would cause problems if a DoS
> >is being routed through a FreeBSD router, and I think that your patch
> >makes sense.  Are there any objections to me committing this in a few
> >days?
>
> Doesn't FreeBSD rate-limit ICMP as required by the RFC? If there is a
> but it's that the rate-limiting isn't happening, not that source-quench
> packets are being generated. If it's important that FreeBSD routers not
> generate them then it should be a sysctl option.
>
> Tony.

FreeBSD the host rate limits some ICMP packets.  FreeBSD the router
doesn't have any rate limiting implemented.  Using the same function to
limit both would be easy, but separate buckets and limits would have to be
created, as the limits for a router would presumably need to be higher.

What I'm going to do is make the source quench packets a sysctl which
defaults to off.  If you want to investigate the possibility of
ratelimiting other responses, you're quite welcome to do so; only minor
modifications to badport_bandlim will be necessary.  The concerns I have
are that some responses (such as need frag) might be harmful to rate
limit, so examine every case carefully.

Mike "Silby" Silbersack
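As an added illustration of the scheme discussed in this thread (this is not FreeBSD's badport_bandlim and not code from any poster): a per-second, per-response-type counter with separate buckets and limits for the host and router roles, a flag standing in for the proposed source-quench sysctl (default off), and need-frag exempted from limiting so path MTU discovery keeps working. All limit values are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Response types and roles; the two roles get independent buckets. */
enum icmp_resp { RESP_PORT_UNREACH, RESP_SOURCE_QUENCH, RESP_NEED_FRAG, RESP_COUNT };
enum role { ROLE_HOST, ROLE_ROUTER, ROLE_COUNT };

/* One bucket = packets already sent in the current one-second window. */
struct bucket { uint32_t window_start; uint32_t count; };

/* Hypothetical per-second limits; the router role is allowed more.
 * A negative limit means "never rate-limit" (need frag). */
static const int32_t limits[ROLE_COUNT][RESP_COUNT] = {
    [ROLE_HOST]   = { [RESP_PORT_UNREACH] = 200,  [RESP_SOURCE_QUENCH] = 50,  [RESP_NEED_FRAG] = -1 },
    [ROLE_ROUTER] = { [RESP_PORT_UNREACH] = 1000, [RESP_SOURCE_QUENCH] = 100, [RESP_NEED_FRAG] = -1 },
};

/* Stands in for the proposed sysctl: source quench generation, default off. */
static int icmp_sourcequench_enabled = 0;
void set_sourcequench(int on) { icmp_sourcequench_enabled = on; }

static struct bucket buckets[ROLE_COUNT][RESP_COUNT];
void icmp_resp_reset(void) { memset(buckets, 0, sizeof buckets); }

/* true: send the response now (second `now`); false: drop it. */
bool icmp_resp_allowed(enum role r, enum icmp_resp t, uint32_t now)
{
    if (t == RESP_SOURCE_QUENCH && !icmp_sourcequench_enabled)
        return false;                      /* disabled by the toggle */
    int32_t lim = limits[r][t];
    if (lim < 0)
        return true;                       /* exempt: must always get through */
    struct bucket *b = &buckets[r][t];
    if (b->window_start != now) {          /* new second: start a fresh window */
        b->window_start = now;
        b->count = 0;
    }
    if (b->count >= (uint32_t)lim)
        return false;                      /* over the limit for this window */
    b->count++;
    return true;
}

/* Helper: how many of n attempts in the same second are let through. */
int count_allowed(enum role r, enum icmp_resp t, uint32_t now, int n)
{
    int ok = 0;
    for (int i = 0; i < n; i++)
        ok += icmp_resp_allowed(r, t, now) ? 1 : 0;
    return ok;
}
```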
