authordillon <dillon@FreeBSD.org>1998-12-03 20:23:21 +0000
committerdillon <dillon@FreeBSD.org>1998-12-03 20:23:21 +0000
commited174536c85f9159d64ee64eaf7002b16279b3fd (patch)
tree368eefe11e166259d27aeca0ec8b00b285376566 /sys/netinet/tcp_reass.c
parent7816963044a09fc6405ed92a07d6600ba0e7cd33 (diff)
downloadFreeBSD-src-ed174536c85f9159d64ee64eaf7002b16279b3fd.zip
FreeBSD-src-ed174536c85f9159d64ee64eaf7002b16279b3fd.tar.gz
Reviewed by: freebsd-current
Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl. If the option is specified in the kernel config, icmplim defaults to 100 pps. Setting it to 0 will disable the feature. This feature limits ICMP error responses for packets sent to bad tcp or udp ports, which does a lot to help the machine handle network D.O.S. attacks. The kernel will report packet rates that exceed the limit at a rate of one kernel printf per second. There is one issue in regards to the 'tail end' of an attack... the kernel will not output the last report until some unrelated and valid icmp error packet is returned at some point after the attack is over. This is a minor reporting issue only.
Diffstat (limited to 'sys/netinet/tcp_reass.c')
-rw-r--r--sys/netinet/tcp_reass.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index bb88d1639..97d1983 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -31,10 +31,10 @@
* SUCH DAMAGE.
*
* @(#)tcp_input.c 8.12 (Berkeley) 5/24/95
- * $Id: tcp_input.c,v 1.80 1998/08/24 07:47:39 dfr Exp $
+ * $Id: tcp_input.c,v 1.81 1998/09/11 16:04:03 wollman Exp $
*/
-#include "opt_ipfw.h" /* for ipfw_fwd */
+#include "opt_ipfw.h" /* for ipfw_fwd */
#include "opt_tcpdebug.h"
#include <sys/param.h>
@@ -57,8 +57,10 @@
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
+#include <netinet/ip_icmp.h> /* for ICMP_BANDLIM */
#include <netinet/in_pcb.h>
#include <netinet/ip_var.h>
+#include <netinet/icmp_var.h> /* for ICMP_BANDLIM */
#include <netinet/tcp.h>
#include <netinet/tcp_fsm.h>
#include <netinet/tcp_seq.h>
@@ -397,6 +399,10 @@ findpcb:
buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src),
ntohs(ti->ti_sport));
}
+#ifdef ICMP_BANDLIM
+ if (badport_bandlim(1) < 0)
+ goto drop;
+#endif
goto dropwithreset;
}
tp = intotcpcb(inp);
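Review bot: The rate-limited branch at `if (badport_bandlim(1) < 0) goto drop;` silently discards the segment instead of taking the `dropwithreset` path, and nothing at the site says why; a one-line comment would keep the intent visible, e.g. `/* ICMP_BANDLIM: over the RST rate limit, drop without replying so a flood to closed ports cannot make us emit one RST per probe. */`. The bare argument `1` only has meaning inside badport_bandlim (presumably a selector for which counter to charge, since the commit message says the same helper also limits ICMP port-unreachable replies); a named constant would make the call site self-describing. The enclosing function starts and ends outside the hunk, so it cannot be confirmed here that the `drop` label frees the mbuf on this new path — worth checking that the silent-drop branch does not leak it.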