icmp packets - disabling via sysctl, or cisco switch ... ?

Nikos Vassiliadis nvass at teledomenet.gr
Fri Jul 28 07:42:23 UTC 2006


On Friday 28 July 2006 06:26, User Freebsd wrote:
> Just an addendum, but this is what I'm seeing in /var/log/messages right
> now:
>
> Jul 28 00:22:37 io kernel: Limiting icmp unreach response from 6255 to 200 packets/sec
> Jul 28 00:22:38 io kernel: Limiting icmp unreach response from 6515 to 200 packets/sec
> Jul 28 00:22:39 io kernel: Limiting icmp unreach response from 6646 to 200 packets/sec
> ^C
>
> And it's been going on for several hours now ... :(

Yes, it is just FreeBSD behaving cleverly and limiting the number
of ICMP replies. These two sysctls are of interest:
net.inet.icmp.icmplim: Maximum number of ICMP responses per second
net.inet.icmp.icmplim_output: Enable rate limiting of ICMP responses

Somebody is probably flood pinging your server. You can do
several things.
1) block particular (addresses|proto) from your upstream router.
     This way "bad" traffic will not reach your box.
2) block particular (addresses|proto) from your box. This
     way the "attacker" will not know if your box is up and running.
     Not much gain, since traffic will load your box anyway.

Limit the number of ICMP replies to 5 or 10 per second. Won't
help at all with your situation, but it is a good value for normal
use.

HTH, Nikos
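As an added example (not part of the thread, and not Nikos's code), the script below turns the "Limiting icmp unreach response" kernel messages quoted above into something a defender can check: it extracts the attempted and enforced rates from each message, reports how many limiting events occurred and the peak attempted rate, and prints the sysctl commands that would apply a lower icmplim. The log lines are constructed to match the format quoted in the thread; the function names and the sample log are assumptions of this example. The sysctl commands are only printed, not executed, so the script can be run anywhere.

```shell
#!/bin/sh
# Added example: summarize FreeBSD ICMP rate-limit messages and show the
# sysctl commands that would lower the limit. Not from the original thread.

# Constructed sample log, modeled on the lines quoted in the thread
# (one unrelated line is included to show that it is ignored).
SAMPLE_LOG='Jul 28 00:22:37 io kernel: Limiting icmp unreach response from 6255 to 200 packets/sec
Jul 28 00:22:38 io kernel: Limiting icmp unreach response from 6515 to 200 packets/sec
Jul 28 00:22:39 io kernel: Limiting icmp unreach response from 6646 to 200 packets/sec
Jul 28 00:22:40 io sshd[123]: unrelated line'

# icmp_limit_events LOG: print "time attempted_rate enforced_limit" for each
# limiting message. The message always ends in "from N to M packets/sec",
# so the attempted rate is field NF-3 and the enforced limit is field NF-1.
icmp_limit_events() {
    printf '%s\n' "$1" | awk '/Limiting icmp unreach response from/ {
        print $3, $(NF-3), $(NF-1)
    }'
}

# icmp_limit_count LOG: number of limiting events in the log
icmp_limit_count() {
    icmp_limit_events "$1" | wc -l | tr -d ' '
}

# icmp_limit_peak LOG: highest attempted ICMP response rate seen
# (how hard the box was being asked to reply, before the limiter kicked in)
icmp_limit_peak() {
    icmp_limit_events "$1" | awk 'BEGIN { max = 0 } $2 > max { max = $2 } END { print max }'
}

# icmp_limit_sustained LOG THRESHOLD: exit 0 if at least THRESHOLD limiting
# events are present, i.e. the condition is ongoing rather than a one-off
icmp_limit_sustained() {
    [ "$(icmp_limit_count "$1")" -ge "$2" ]
}

# icmp_limit_sysctl_cmds LIMIT: print the commands that set the limit
# to LIMIT responses per second and make sure limiting is enabled
# (the two sysctls named in the reply above). Add the same two
# "name=value" lines to /etc/sysctl.conf to keep them across reboots.
icmp_limit_sysctl_cmds() {
    printf 'sysctl net.inet.icmp.icmplim=%s\n' "$1"
    printf 'sysctl net.inet.icmp.icmplim_output=1\n'
}

# Stand-alone run: summarize the constructed log and show the commands
# for the 10/sec value suggested in the reply.
echo "limiting events: $(icmp_limit_count "$SAMPLE_LOG")"
echo "peak attempted rate: $(icmp_limit_peak "$SAMPLE_LOG") packets/sec"
if icmp_limit_sustained "$SAMPLE_LOG" 3; then
    echo "sustained: yes"
else
    echo "sustained: no"
fi
icmp_limit_sysctl_cmds 10
```

On a real box, pipe `/var/log/messages` into the functions instead of `$SAMPLE_LOG` (for example `icmp_limit_peak "$(cat /var/log/messages)"`); the peak attempted rate is the number worth recording, since it shows the size of the flood independently of whatever icmplim is set to.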

