diff options
author | dillon <dillon@FreeBSD.org> | 1998-12-03 20:23:21 +0000 |
---|---|---|
committer | dillon <dillon@FreeBSD.org> | 1998-12-03 20:23:21 +0000 |
commit | ed174536c85f9159d64ee64eaf7002b16279b3fd (patch) | |
tree | 368eefe11e166259d27aeca0ec8b00b285376566 /sys/netinet/ip_icmp.c | |
parent | 7816963044a09fc6405ed92a07d6600ba0e7cd33 (diff) | |
download | FreeBSD-src-ed174536c85f9159d64ee64eaf7002b16279b3fd.zip FreeBSD-src-ed174536c85f9159d64ee64eaf7002b16279b3fd.tar.gz |
Reviewed by: freebsd-current
Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl. If option
is specified in kernel config, icmplim defaults to 100 pps. Setting it
to 0 will disable the feature. This feature limits ICMP error responses
for packets sent to bad tcp or udp ports, which does a lot to help the
machine handle network D.O.S. attacks.
The kernel will report packet rates that exceed the limit at a rate of
one kernel printf per second. There is one issue in regards to the
'tail end' of an attack... the kernel will not output the last report
until some unrelated and valid icmp error packet is return at some
point after the attack is over. This is a minor reporting issue only.
Diffstat (limited to 'sys/netinet/ip_icmp.c')
-rw-r--r-- | sys/netinet/ip_icmp.c | 81 |
1 files changed, 80 insertions, 1 deletions
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c index 186b8e6..5541363 100644 --- a/sys/netinet/ip_icmp.c +++ b/sys/netinet/ip_icmp.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)ip_icmp.c 8.2 (Berkeley) 1/4/94 - * $Id: ip_icmp.c,v 1.30 1998/05/26 11:34:30 dg Exp $ + * $Id: ip_icmp.c,v 1.31 1998/09/15 10:49:03 jkoshy Exp $ */ #include <sys/param.h> @@ -69,10 +69,23 @@ static int icmpmaskrepl = 0; SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW, &icmpmaskrepl, 0, ""); +#ifdef ICMP_BANDLIM + + /* + * ICMP error-response bandwidth limiting + */ + +static int icmplim = 100; +SYSCTL_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RW, + &icmplim, 0, ""); + +#endif + static int icmpbmcastecho = 0; SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW, &icmpbmcastecho, 0, ""); + #ifdef ICMPPRINTFS int icmpprintfs = 0; #endif @@ -704,3 +717,69 @@ ip_next_mtu(mtu, dir) } } #endif + +#ifdef ICMP_BANDLIM + +/* + * badport_bandlim() - check for ICMP bandwidth limit + * + * Return 0 if it is ok to send an ICMP error response, -1 if we have + * hit our bandwidth limit and it is not ok. + * + * If icmplim is <= 0, the feature is disabled and 0 is returned. + * + * For now we separate the TCP and UDP subsystems w/ different 'which' + * values. We may eventually remove this separation (and simplify the + * code further). + * + * Note that the printing of the error message is delayed so we can + * properly print the icmp error rate that the system was trying to do + * (i.e. 22000/100 pps, etc...). This can cause long delays in printing + * the 'final' error, but it doesn't make sense to solve the printing + * delay with more complex code. + */ + +int +badport_bandlim(int which) +{ + static int lticks[2]; + static int lpackets[2]; + int dticks; + + /* + * Return ok status if feature disabled or argument out of + * ranage. + */ + + if (icmplim <= 0 || which >= 2 || which < 0) + return(0); + dticks = ticks - lticks[which]; + + /* + * reset stats when cumulative dt exceeds one second. + */ + + if ((unsigned int)dticks > hz) { + if (lpackets[which] > icmplim) { + printf("icmp-response bandwidth limit %d/%d pps\n", + lpackets[which], + icmplim + ); + } + lticks[which] = ticks; + lpackets[which] = 0; + } + + /* + * bump packet count + */ + + if (++lpackets[which] > icmplim) { + return(-1); + } + return(0); +} + +#endif + + |