Re: Strange kernel messages
Colin J. Raven wrote:
> Hi all!
> I occasionally get these in my daily security run output (which is
> worrying in itself)
>
> Limiting closed port RST response from 1629 to 200 packets per second
>
> the number of these can range from one or two, to sometimes 25 - 30
> although the latter case is rarer. Usually there's about six or so.
> These don't arrive every day, usually about once per week on average.

You get those when someone nmaps you. What I do aside from FreeBSD's
builtin anti-DOS stuff is:
1. Blackholing
2. portsentry (it is kinda a honey pot but has some pretty neat features)

> Is this an OS response to an attempted attack, limiting potential DDOS
> damage?

yes it is. How heavily loaded is your server?

> That's how I'm reading it, but of course I'm guessing. If that
> *is* so, what mechanism is doing this?

Others have answered this question already ;)

> FreeBSD 4.11 STABLE
>
> Regards & TIA
> -Colin

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Strange kernel messages
On May 14 at 09:19, Daniel Gerzo responded helpfully:

> Limiting closed port RST response from 1629 to 200 packets per second
>
> your kernel is limiting number of icmp ping requests to 200, someone is
> possibly trying to ping -f you.
> You can also decrease/increase this limit with net.inet.icmp.icmplim

and:

On May 14 at 09:35, Erik Trulsson also launched this into the bitstream:

> See the FAQ:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/networking.html#ICMP-RESPONSE-BW-LIMIT

Daniel & Erik; many thanks for your responses!
Most helpful and illuminating. I'm glad to know the cause/cure for this.

Regards & Thanks,
-Colin

Re: Strange kernel messages
On Sat, May 14, 2005 at 09:14:20AM +0200, Colin J. Raven wrote:
> Hi all!
> I occasionally get these in my daily security run output (which is
> worrying in itself)
>
> Limiting closed port RST response from 1629 to 200 packets per second
>
> the number of these can range from one or two, to sometimes 25 - 30
> although the latter case is rarer. Usually there's about six or so.
> These don't arrive every day, usually about once per week on average.
>
> Is this an OS response to an attempted attack, limiting potential DDOS
> damage? That's how I'm reading it, but of course I'm guessing. If that
> *is* so, what mechanism is doing this?
>
> FreeBSD 4.11 STABLE

See the FAQ:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/networking.html#ICMP-RESPONSE-BW-LIMIT

--
Erik Trulsson
[EMAIL PROTECTED]

Re: Strange kernel messages
Hello Colin,

Saturday, May 14, 2005, 9:14:20 AM, you thoughtfully wrote the following:

> Hi all!
> I occasionally get these in my daily security run output (which is
> worrying in itself)

> Limiting closed port RST response from 1629 to 200 packets per second

> the number of these can range from one or two, to sometimes 25 - 30
> although the latter case is rarer. Usually there's about six or so.
> These don't arrive every day, usually about once per week on average.

> Is this an OS response to an attempted attack, limiting potential DDOS
> damage? That's how I'm reading it, but of course I'm guessing. If that
> *is* so, what mechanism is doing this?

your kernel is limiting number of icmp ping requests to 200, someone is
possibly trying to ping -f you.
You can also decrease/increase this limit with net.inet.icmp.icmplim

> FreeBSD 4.11 STABLE

> Regards & TIA
> -Colin

--
Best Regards,
DanGer, ICQ: 261701668 | e-mail protecting at: http://www.2pu.net/
http://danger.rulez.sk | proxy list at: http://www.proxy-web.com/
                       | FreeBSD - The Power to Serve!

[ i locked the door to my own cell, and i lost the key ]

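Added example, not part of any message in this thread: a small Python parser for the rate-limit message discussed above, summarizing per day how many such lines were logged and the peak packet rate. The syslog prefix, the host name `gw`, the sample lines and the `burst_factor` threshold are constructed assumptions; only the "Limiting ..." message text comes from the thread.

```python
import re

# Constructed sample: only the "Limiting ..." message text comes from the thread;
# timestamps, the host name "gw" and the sshd line are made up for illustration.
SAMPLE_LOG = """\
May 14 03:01:12 gw /kernel: Limiting closed port RST response from 1629 to 200 packets per second
May 14 03:01:13 gw /kernel: Limiting closed port RST response from 412 to 200 packets per second
May 14 03:05:40 gw sshd[311]: Connection closed by 192.0.2.7
May 21 11:42:02 gw /kernel: Limiting closed port RST response from 230 to 200 packets per second
"""

# Assumed syslog layout: "<Mon> <day> <time> <host> kernel: <message>"
# (an optional leading "/" before "kernel" is tolerated).
LIMIT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<dom>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"/?kernel:\s+Limiting (?P<kind>.+?) response "
    r"from (?P<seen>\d+) to (?P<limit>\d+) packets per second\s*$"
)

def parse_limit_events(text):
    """Return one dict per rate-limit line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LIMIT_RE.match(line)
        if m:
            events.append({
                "day": f"{m['mon']} {int(m['dom'])}",
                "time": m["time"],
                "kind": m["kind"],
                "seen": int(m["seen"]),
                "limit": int(m["limit"]),
            })
    return events

def summarize(events, burst_factor=5):
    """Group by (day, kind); flag groups whose peak is >= burst_factor x limit.

    burst_factor is a hypothetical triage threshold, not a kernel setting.
    """
    groups = {}
    for e in events:
        g = groups.setdefault((e["day"], e["kind"]),
                              {"lines": 0, "peak": 0, "limit": e["limit"]})
        g["lines"] += 1
        g["peak"] = max(g["peak"], e["seen"])
    for g in groups.values():
        g["burst"] = g["peak"] >= burst_factor * g["limit"]
    return groups

if __name__ == "__main__":
    for key, g in summarize(parse_limit_events(SAMPLE_LOG)).items():
        print(key, g)
```
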
Re: strange kernel messages..
Thank you Simon.

Simon Barner wrote:
> Roberto Nunnari wrote:
> > Hello.
> >
> > Please send replies also to my mailbox, as I'm not on this list.
> >
> > Can anybody tell me what are these messages about? Are they
> > just informational or do I have to worry?
> >
> > Aug 2 18:23:59 web kernel: lock order reversal
> > Aug 2 18:23:59 web kernel: 1st 0xc07066e0 UMA lock (UMA lock) @ /usr/src/sys/vm/uma_core.c:1200
> > Aug 2 18:23:59 web kernel: 2nd 0xc0c31100 system map (system map) @ /usr/src/sys/vm/vm_map.c:2210
> > Aug 2 19:12:21 web kernel: lock order reversal
> > Aug 2 19:12:21 web kernel: 1st 0xc8c1c39c vm object (vm object) @ /usr/src/sys/vm/swap_pager.c:1323
> > Aug 2 19:12:21 web kernel: 2nd 0xc0705b80 swap_pager swhash (swap_pager swhash) @ /usr/src/sys/vm/swap_pager.c:1838
> > Aug 2 19:12:21 web kernel: 3rd 0xc6853108 vm object (vm object) @ /usr/src/sys/vm/uma_core.c:873
>
> This is a so-called lock order reversal (LOR). To learn more about LORs
> in general and specifically about the one you are seeing, please see
> here:
>
> http://sources.zabbadoz.net/freebsd/lor.html --> # 007
>
> Simon

--
Roberto Nunnari -software engineer-
mailto:[EMAIL PROTECTED]
Scuola Universitaria Professionale della Svizzera Italiana
Dipartimento Tecnologie Innovative
http://www.dti.supsi.ch
SUPSI-DTI
Via Cantonale    tel: +41-91-6108561
6928 Manno       fax: +41-91-6108570
Switzerland

Re: strange kernel messages..
Roberto Nunnari wrote:
> Hello.
>
> Please send replies also to my mailbox, as I'm not on this list.
>
> Can anybody tell me what are these messages about? Are they
> just informational or do I have to worry?
>
> Aug 2 18:23:59 web kernel: lock order reversal
> Aug 2 18:23:59 web kernel: 1st 0xc07066e0 UMA lock (UMA lock) @ /usr/src/sys/vm/uma_core.c:1200
> Aug 2 18:23:59 web kernel: 2nd 0xc0c31100 system map (system map) @ /usr/src/sys/vm/vm_map.c:2210
> Aug 2 19:12:21 web kernel: lock order reversal
> Aug 2 19:12:21 web kernel: 1st 0xc8c1c39c vm object (vm object) @ /usr/src/sys/vm/swap_pager.c:1323
> Aug 2 19:12:21 web kernel: 2nd 0xc0705b80 swap_pager swhash (swap_pager swhash) @ /usr/src/sys/vm/swap_pager.c:1838
> Aug 2 19:12:21 web kernel: 3rd 0xc6853108 vm object (vm object) @ /usr/src/sys/vm/uma_core.c:873

This is a so-called lock order reversal (LOR). To learn more about LORs
in general and specifically about the one you are seeing, please see
here:

http://sources.zabbadoz.net/freebsd/lor.html --> # 007

Simon