kernel: Limiting open port RST

Nathan Kinkade nkinkade at ub.edu.bz
Thu Nov 4 10:25:04 PST 2004


I am getting a tremendous amount of messages on a particular server
saying something close to:

kernel: Limiting open port RST response from 302 to 200 packets/sec

I understand the reasons for the message, but I'm having a hard time
tracking down a possible point source.  Neither ethereal nor tcpdump
seem to be picking up any packets with the TCP RST bit set.  I have
tried this, for example:

# tcpdump 'tcp[tcpflags] & tcp-rst = 1'

... but get nothing.  I have also tried adding a logging rule to ipfw,
such as:

# ipfw add allow log tcp from me to any tcpflags rst

However, the logged results don't appear to be correct.  Log messages do
show up in /var/log/security, but at the rate of about 1 message every 4
or 5 seconds, which doesn't seem consistent with a rate limit of 200
packets/sec being implemented.

Basically, I'm wanting to find out if the machine(s) causing this are
coming from the internal network, or outside.  And if coming from
inside, which machine is flooding the server with bogus SYN requests to
non-listening ports.  TCP and UDP blackhole sysctls are also already
setup, and it appears that the RST packets are being sent out to
internet hosts with a dstport of 80.  The machine being affected is
running squid.

Does anyone have advice on this?  

Thanks,
Nathan
-- 
PGP Public Key: pgp.mit.edu:11371/pks/lookup?op=get&search=0xD8527E49
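Added example, not part of the original post: it builds a constructed SYN-to-closed-port / RST exchange, writes it as a pcap you can read back with tcpdump, and applies the filter as posted next to a corrected one, because tcpdump's tcp-rst constant is 0x04, so `tcp[tcpflags] & tcp-rst = 1` can never be true (the AND yields 0 or 4) while `!= 0` is the usual test for the bit. The hosts 10.0.0.5 (internal client) and 10.0.0.1 (the squid box) and the port numbers are assumptions.

```python
import socket
import struct

# tcpdump's named flag constants: tcp-syn is 0x02, tcp-rst is 0x04, tcp-ack is 0x10
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

def build_frame(src, dst, sport, dport, flags, seq=0, ack=0):
    """Minimal Ethernet/IPv4/TCP frame (constructed; checksums left at zero)."""
    eth = bytes(12) + b"\x08\x00"  # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp

def tcp_flags(frame):
    """tcp[13], the byte tcpdump calls tcp[tcpflags]."""
    ihl = (frame[14] & 0x0F) * 4
    return frame[14 + ihl + 13]

def match_as_posted(frame):
    # 'tcp[tcpflags] & tcp-rst = 1': the AND gives 0 or 4, never 1, so nothing matches
    return (tcp_flags(frame) & TCP_RST) == 1

def match_corrected(frame):
    # 'tcp[tcpflags] & tcp-rst != 0': true whenever the RST bit is set
    return (tcp_flags(frame) & TCP_RST) != 0

def endpoints(frame):
    """(src, dst, sport, dport), to check RST sources against the internal range."""
    ihl = (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), sport, dport

def write_pcap(path, frames):
    """Classic pcap (linktype 1 = Ethernet) so 'tcpdump -r path <filter>' can be tried."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", i, 0, len(fr), len(fr)) + fr)

def count_rst(frames, predicate):
    return sum(1 for fr in frames if predicate(fr))

# Constructed exchange: an internal host probes a closed port on the squid box,
# which answers with RST/ACK (the kind of packet the kernel is rate limiting).
SYN = build_frame("10.0.0.5", "10.0.0.1", 40000, 8080, TCP_SYN, seq=1000)
RST = build_frame("10.0.0.1", "10.0.0.5", 8080, 40000, TCP_RST | TCP_ACK, ack=1001)
FRAMES = [SYN, RST]

if __name__ == "__main__":
    write_pcap("rst_demo.pcap", FRAMES)
    print("posted filter matches:", count_rst(FRAMES, match_as_posted))     # 0
    print("corrected filter matches:", count_rst(FRAMES, match_corrected))  # 1
    for fr in FRAMES:
        if match_corrected(fr):
            print("RST from", endpoints(fr))
```

Reading the written file with `tcpdump -nr rst_demo.pcap 'tcp[tcpflags] & tcp-rst != 0'` shows the RST, and the same filter on the live interface (with `-n` and the source address in the output) tells you whether the RSTs' peers are internal or external.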