ICMP-floods

[Chuck Swiger]

On Mar 20, 2007, at 3:31 PM, Jon Otterholm wrote:
> Basically I have a admin-net where all routers and switches are
> connected. On this net I have a nagios-machine for surveillance  
> (running
> FreeBSD). Sometimes when my Nagios sends icmp-echo-replies to  
> equipment
> on my admin-net my FreeBSD-routers replies with a icmp-redirect (even
> though the echo-reply is not destined for the routers). This  
> wouldn't be
> a problem if the routers would just send a single icmp-redirect, the
> problem is that they (sometimes more than one) send out  about  
> 15000 of
> them in reply to a single echo.
>
> All FreeBSD-machines are 6.2-RELEASE
>
> When setting net.inet.ip.redirect=0 on my routers, the icmp-redirects
> disappear, but instead I get a large amount of ICMP-time-exceed  
> from my
> routers.

The information you've provided strongly suggests either problems  
with the netmasks being used, or a routing loop, or some combination  
of both.  ICMP time-exceeded messages happen when the packets have  
been shuffled around, decrementing the TTL at each hop, until it  
reaches zero.  ICMP redirects happen when a machine sends traffic to  
a router where the router knows that the sending machine can reach  
the intended destination more directly via some other path.

-- 
-Chuck