From ed174536c85f9159d64ee64eaf7002b16279b3fd Mon Sep 17 00:00:00 2001 From: dillon Date: Thu, 3 Dec 1998 20:23:21 +0000 Subject: Reviewed by: freebsd-current Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl. If option is specified in kernel config, icmplim defaults to 100 pps. Setting it to 0 will disable the feature. This feature limits ICMP error responses for packets sent to bad tcp or udp ports, which does a lot to help the machine handle network D.O.S. attacks. The kernel will report packet rates that exceed the limit at a rate of one kernel printf per second. There is one issue in regards to the 'tail end' of an attack... the kernel will not output the last report until some unrelated and valid icmp error packet is return at some point after the attack is over. This is a minor reporting issue only. --- sys/netinet/icmp_var.h | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) (limited to 'sys/netinet/icmp_var.h') diff --git a/sys/netinet/icmp_var.h b/sys/netinet/icmp_var.h index 13b778e..8c3a500 100644 --- a/sys/netinet/icmp_var.h +++ b/sys/netinet/icmp_var.h @@ -31,12 +31,14 @@ * SUCH DAMAGE. * * @(#)icmp_var.h 8.1 (Berkeley) 6/10/93 - * $Id: icmp_var.h,v 1.8 1997/08/25 16:29:25 wollman Exp $ + * $Id: icmp_var.h,v 1.9 1997/09/07 05:26:34 bde Exp $ */ #ifndef _NETINET_ICMP_VAR_H_ #define _NETINET_ICMP_VAR_H_ +#include "opt_icmp_bandlim.h" /* for ICMP_BANDLIM */ + /* * Variables related to this implementation * of the internet control message protocol. @@ -63,12 +65,26 @@ struct icmpstat { */ #define ICMPCTL_MASKREPL 1 /* allow replies to netmask requests */ #define ICMPCTL_STATS 2 /* statistics (read-only) */ + +#ifdef ICMP_BANDLIM +#define ICMPCTL_ICMPLIM 3 +#define ICMPCTL_MAXID 4 +#define ICMP_BANDLIM_INFO { "icmplim", CTLTYPE_INT }, +#else #define ICMPCTL_MAXID 3 +#define ICMP_BANDLIM_INFO +#endif + #define ICMPCTL_NAMES { \ { 0, 0 }, \ { "maskrepl", CTLTYPE_INT }, \ { "stats", CTLTYPE_STRUCT }, \ + ICMP_BANDLIM_INFO \ } +#ifdef ICMP_BANDLIM +extern int badport_bandlim __P((int)); +#endif + #endif -- cgit v1.1