Return to bug 23787

book.sgml (+57 lines)
Lines 8023-8028
8023
8023
8024
        </answer>
8024
        </answer>
8025
      </qandaentry>
8025
      </qandaentry>
8026
8027
      <qandaentry>
8028
        <question id="icmp-response-bw-limit">
8029
          <para>What are these messages about <quote>icmp-response
8030
            bandwidth limit 300/200 pps</quote> in my log
8031
            files?</para>
8032
        </question>
8033
8034
        <answer>
8035
          <para>This is the kernel telling you that some activity is
8036
            provoking it to send more ICMP or TCP reset (RST)
8037
            responses than it thinks it should.  ICMP responses are
8038
            often generated as a result of attempted connections to
8039
            unused UDP ports.  TCP resets are generated as a result of
8040
            attempted connections to unopened TCP ports.  Among
8041
            others, these are the kinds of activities which may cause
8042
            these messages:</para>
8043
8044
          <itemizedlist>
8045
            <listitem>
8046
              <para>Brute-force denial of service (DoS) attacks (as
8047
              opposed to single-packet attacks which exploit a
8048
              specific vulnerability).</para>
8049
            </listitem>
8050
8051
            <listitem>
8052
              <para>Port scans which attempt to connect to every port
8053
                possible (as opposed to only trying some well-known
8054
                ports).</para>
8055
            </listitem>
8056
          </itemizedlist>
8057
8058
          <para>The first number in the message tells you how many
8059
            packets the kernel would've sent if the limit wasn't in
8060
            place, and the second number tells you the limit.  You can
8061
            control the limit using the
8062
            <varname>net.inet.icmp.icmplim</varname> sysctl variable
8063
            like this, where <literal>300</literal> is the limit in
8064
            packets per second:</para>
8065
8066
          <screen>&prompt.root; <userinput>sysctl -w net.inet.icmp.icmplim=300</userinput></screen>
8067
8068
          <para>If you don't want to see messages about this in your
8069
            log files, but you still want the kernel to do response
8070
            limiting, you can use the
8071
            <varname>net.inet.icmp.icmplim_output</varname> sysctl
8072
            variable to disable the output like this:</para>
8073
8074
          <screen>&prompt.root; <userinput>sysctl -w net.inet.icmp.icmplim_output=0</userinput></screen>
8075
8076
          <para>Finally, if you want to disable response limiting, you
8077
            can set the <varname>net.inet.icmp.icmplim</varname>
8078
            sysctl variable (see above for an example) to
8079
            <literal>0</literal>.  Disabling response limiting is
8080
            discouraged for the reasons listed above.</para>
8081
        </answer>
8082
      </qandaentry>
8026
    </qandaset>
8083
    </qandaset>
8027
  </chapter>
8084
  </chapter>
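Review bot: The closing sentence of the new answer ("Disabling response limiting is discouraged for the reasons listed above") points back at a list that only explains what triggers the messages, not why the limit is worth keeping; spell the reason out in that paragraph, for example that during a flood or a full port scan the host would otherwise spend bandwidth and CPU answering every probe, so the reader has something to weigh before setting <varname>net.inet.icmp.icmplim</varname> to <literal>0</literal>. Two smaller points in the same entry: the <command>sysctl -w</command> examples only change the running kernel, so mention adding <literal>net.inet.icmp.icmplim=300</literal> to <filename>/etc/sysctl.conf</filename> for the setting to survive a reboot; and since the sample message reads <quote>300/200 pps</quote> and the text says the second number is the limit, it would help to state that the example command is raising the limit from the 200 in effect when that message was logged, and that <varname>net.inet.icmp.icmplim</varname> also governs the TCP RST limiting the first paragraph describes, despite the <literal>icmp</literal> in its name.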
