Rate limiting icmp host unreachable replies?
Mike Silbersack
silby at silby.com
Thu Jan 22 11:03:04 PST 2004
On Thu, 22 Jan 2004, Andre Oppermann wrote:
> I have a FreeBSD router here that has many networks connected to it which
> are only sparsely populated. These days I get network scans (deliberate and
> worms scanning for new targets) every second or so going through every IP in
> my netblocks. The router is faithfully generating ICMP host unreachable replies
> to all these scans for each and every unreachable destination IP.
>
> I wonder whether it is justifiable to rate limit the icmp host unreachable replies
> just like the other icmp stuff to 200 (default) per second? Should help a lot if
> the next SQL slammer is coming around and you get thousands of packets per second
> for unreachable destinations.
>
> Comments and opinions welcome!
I like this a lot, and I would be willing to write up an implementation!
> PS: I've already coded it and it works nicely.
>
> --
> Andre
Doh! Well, I guess we'll just have to go with your implementation then.
:)
Mike "Silby" Silbersack
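An added example, not code from this thread or from FreeBSD's source: a simplified C model of the per-class, fixed-window ICMP reply limiter Andre proposes, with a host-unreachable class counted alongside the existing port-unreachable one against the 200-per-second default of net.inet.icmp.icmplim. HZ, the class and function names, and the window bookkeeping are assumptions for illustration; the real kernel code differs.

```c
#include <stdbool.h>

/* Hypothetical, simplified model of a fixed-window ICMP reply limiter in
 * the spirit of FreeBSD's badport_bandlim() and net.inet.icmp.icmplim.
 * Each reply class gets its own one-second window and counter. */

#define HZ 1000             /* assumed scheduler ticks per second */
#define ICMPLIM_DEFAULT 200 /* default of net.inet.icmp.icmplim */

enum bandlim_class {
    BANDLIM_UNREACH_PORT = 0,  /* existing class: port unreachable */
    BANDLIM_UNREACH_HOST,      /* the class proposed in the thread */
    BANDLIM_MAX
};

struct bandlim_state {
    long lticks;    /* tick at which the current window started */
    long lpackets;  /* replies counted in the current window */
};

static struct bandlim_state bl[BANDLIM_MAX];
static long icmplim = ICMPLIM_DEFAULT;

/* Returns true if a reply of class `cls` may be sent at tick `now`,
 * false once the class has exhausted icmplim in its current window. */
bool icmp_reply_allowed(enum bandlim_class cls, long now)
{
    struct bandlim_state *s = &bl[cls];
    if (now - s->lticks >= HZ) {   /* window expired: start a new one */
        s->lticks = now;
        s->lpackets = 0;
    }
    return ++s->lpackets <= icmplim;
}

/* Simulate a sweep of `n_targets` unreachable hosts arriving at tick `now`
 * and return how many host-unreachable replies the router would emit. */
long simulate_sweep(long n_targets, long now)
{
    long sent = 0;
    for (long i = 0; i < n_targets; i++)
        if (icmp_reply_allowed(BANDLIM_UNREACH_HOST, now))
            sent++;
    return sent;
}
```

With a constructed burst of 5000 scanned addresses in one tick window, simulate_sweep returns 200; a second sweep in the same window gets no replies, and the counter reopens in the next window. Port-unreachable replies keep their own counter, so limiting one class does not starve the other.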