icmp-response bandwidth limit

Matthew Seaman m.seaman at infracaninophile.co.uk
Tue May 13 06:49:28 PDT 2003


On Tue, May 13, 2003 at 06:32:02AM -0700, Olga Zenkova wrote:
> Hi all!
> Please help. Get a lot of messages: "/kernel:
> icmp-response bandwidth limit nnn", where nnn is some
> different from time to time number. Have much traffic.
> Please help. What's happening?

Someone is flooding you with packets a lot of which are for ports
where there is no program listening, and your kernel is trying to
respond by sending out ICMP 'port unreachable' packets, but it refuses
to fill up too much outgoing bandwidth by doing that.

You should run tcpdump to capture some of the traffic and examine it
for clues as to what's going on.  This can be someone port-scanning
you or a deliberate attempt to DoS you or it may be the result of some
machine being infected by a Worm program or it can be the result of a
simple mistake or hardware failure somewhere in your site or a nearby
network.

In the short term you can suppress the ICMP response by:

    # sysctl net.inet.tcp.blackhole=2
    # sysctl net.inet.udp.blackhole=1

(See blackhole(4), sysctl(8) and sysctl.conf(5)), but for general use,
ipfw(8) or ipf(8) are your friends.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
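
An added example, not part of the original message: one way to examine a tcpdump capture for the clues mentioned above, by counting packets and distinct destination ports per source address. It assumes the text format printed by current tcpdump with -n for IPv4; the function names, the threshold, and the sample capture are constructed for illustration. One source touching many ports is consistent with a port scan, while many packets to one port point more toward a flood or a worm.

```shell
#!/bin/sh
# Added example (not from the original message). Summarises the text output
# of `tcpdump -n` per source: packets seen and distinct destination ports.
# Assumed line format (current tcpdump, IPv4):
#   <time> IP <src>.<sport> > <dst>.<dport>: ...
# Typical use: tcpdump -n -c 1000 dst host <your address> | summarise_sources

# summarise_sources [THRESHOLD]  (hypothetical helper; reads stdin)
# Prints "<src> <packets> <distinct-ports> <many-ports|few-ports>".
summarise_sources() {
    awk -v thresh="${1:-5}" '
    $2 == "IP" && $4 == ">" {
        dst = $5
        sub(/:$/, "", dst)
        # TCP/UDP endpoints have five dot-separated parts (a.b.c.d.port);
        # ICMP lines carry bare addresses and are skipped here.
        if (split($3, s, ".") != 5 || split(dst, d, ".") != 5) next
        ip = s[1] "." s[2] "." s[3] "." s[4]
        pkts[ip]++
        if (!((ip, d[5]) in seen)) { seen[ip, d[5]] = 1; ports[ip]++ }
    }
    END {
        for (ip in pkts)
            print ip, pkts[ip], ports[ip], (ports[ip] >= thresh ? "many-ports" : "few-ports")
    }' | sort -k2,2nr
}

# Constructed sample capture (documentation addresses, not real traffic).
sample_capture() {
    cat <<'EOF'
06:31:58.100001 IP 198.51.100.7.40001 > 192.0.2.10.21: Flags [S], seq 1, win 1024, length 0
06:31:58.100102 IP 198.51.100.7.40002 > 192.0.2.10.22: Flags [S], seq 1, win 1024, length 0
06:31:58.100203 IP 198.51.100.7.40003 > 192.0.2.10.23: Flags [S], seq 1, win 1024, length 0
06:31:58.100304 IP 198.51.100.7.40004 > 192.0.2.10.25: Flags [S], seq 1, win 1024, length 0
06:31:58.100405 IP 198.51.100.7.40005 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
06:31:58.100506 IP 198.51.100.7.40006 > 192.0.2.10.110: Flags [S], seq 1, win 1024, length 0
06:31:59.200001 IP 203.0.113.9.5060 > 192.0.2.10.1434: UDP, length 376
06:31:59.200102 IP 203.0.113.9.5060 > 192.0.2.10.1434: UDP, length 376
06:31:59.200203 IP 203.0.113.9.5061 > 192.0.2.10.1434: UDP, length 376
06:31:59.200304 IP 203.0.113.9.5062 > 192.0.2.10.1434: UDP, length 376
06:31:59.200405 IP 192.0.2.10 > 203.0.113.9: ICMP 192.0.2.10 udp port 1434 unreachable, length 36
EOF
}

sample_capture | summarise_sources 5
```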