查看文章
 
Limiting open port RST response from 952 to 200 packets per second
2007-04-23 13:19

【现象】
/var/log/messages:Apr 21 21:58:02 host.wuhuren.com /kernel: Limiting open port RST response from 952 to 200 packets per second
/var/log/messages:Apr 21 21:58:23 host.wuhuren.com /kernel: Limiting open port RST response from 682 to 200 packets per second
/var/log/messages:Apr 21 22:02:14 host.wuhuren.com /kernel: Limiting open port RST response from 331 to 200 packets per second
/var/log/dmesg.yesterday:Limiting open port RST response from 952 to 200 packets per second
/var/log/dmesg.yesterday:Limiting open port RST response from 1132 to 200 packets per second
/var/log/dmesg.yesterday:Limiting open port RST response from 1087 to 200 packets per second
/var/log/dmesg.yesterday:Limiting open port RST response from 1041 to 200 packets per second
/var/log/dmesg.yesterday:Limiting open port RST response from 1111 to 200 packets per second
/var/log/dmesg.yesterday:Limiting open port RST response from 1033 to 200 packets per second
/var/log/dmesg.yesterday:Limiting open port RST response from 1149 to 200 packets per second
/var/log/dmesg.yesterday:Limiting open port RST response from 1061 to 200 packets per second
/var/log/dmesg.yesterday:Limiting open port RST response from 1077 to 200 packets per second
/var/log/dmesg.yesterday:Limiting open port RST response from 1166 to 200 packets per second
/var/log/dmesg.yesterday:Limiting open port RST response from 915 to 200 packets per second
/var/log/dmesg.yesterday:Limiting open port RST response from 985 to 200 packets per second


【说明】

FreeBSD中sysctl有个icmplim变量,缺省值为200。还有个icmplim_output控制它是否输出。如果为1,就输出你看到的信息,为0,就没有输出。

在sysctl中如下:
net.inet.icmp.icmplim: 200
net.inet.icmp.icmplim_output: 1

icmplim的含义好像是规定内核每秒接受ICMP包的最大数量。你看到的信息是由内核中的一个函数通过测试每秒接受ICMP包的实际最大数量所打印的。
当实际的数量大于icmplim时就会打印你看到的信息。952表示当前实际接受的数量,200就是你的缺省数量。
这种信息只是让你知道系统曾经的状态。你这里的信息意思是:曾经有个时候,你机器中的ICMP不可达包的数量每秒达到了952.

涉及具体的代码如下:
/*
* badport_bandlim() - check for ICMP bandwidth limit
*
*         Return 0 if it is ok to send an ICMP error response, -1 if we have
*         hit our bandwidth limit and it is not ok.   
*
*         If icmplim is <= 0, the feature is disabled and 0 is returned.
*

*         For now we separate the TCP and UDP subsystems w/ different 'which'
*         values.     We may eventually remove this separation (and simplify the
*         code further).
*
*         Note that the printing of the error message is delayed so we can
*         properly print the icmp error rate that the system was trying to do
*         (i.e. 22000/100 pps, etc...).     This can cause long delays in     printing
*         the 'final' error, but it doesn't make sense to solve the printing  
*         delay with more complex code.
*/

int
badport_bandlim(int which)
{
           static int lticks[BANDLIM_MAX + 1];
           static int lpackets[BANDLIM_MAX + 1];
           int dticks;
           const char *bandlimittype[] = {
                   "Limiting icmp unreach response",
                   "Limiting icmp ping response",
                   "Limiting icmp tstamp response",
                   "Limiting closed port RST response",
                   "Limiting open port RST response"
                   };

           /*
            * Return ok status if feature disabled or argument out of
            * ranage.
            */

           if (icmplim <= 0 || which > BANDLIM_MAX || which < 0)
                   return(0);
           dticks = ticks - lticks[which];

           /*
            * reset stats when cumulative dt exceeds one second.
            */

           if ((unsigned int)dticks > hz) {
                   if (lpackets[which] > icmplim && icmplim_output) {
                           printf("%s from %d to %d packets per second\n",
                                   bandlimittype[which],
                                   lpackets[which],
                                   icmplim
                           );
                   }
                   lticks[which] = ticks;
                   lpackets[which] = 0;
           }

           /*
            * bump packet count .bump means add
            */

           if (++lpackets[which] > icmplim) {
                   return(-1);
           }
           return(0);
}


【解释】
这是由于某些主机正试图快速的访问你的主机上一些没有开放的端口,你的主机正在回复RST报文。
这是正常的反应。但是FreeBSD内核限制了每秒钟回复RST报文的数量,以防止发生可能的DoS攻击。例如,如果攻击者通过伪造源IP来向你的未开端口发送大量连接请求,
就可能诱使你的主机向该主机发送RST报文。这可能导致受害主机所在网络的带宽占用。如果你不想看到上述信息,你可以通过打开黑洞模式来停止响应RST报文。
这也可以减缓远程攻击者对你的主机的扫描速度。


【处理】

你可以使用如下命令来打开balckhole支持:
#sysctl -w net.inet.tcp.blackhole=2
#sysctl -w net.inet.udp.blackhole=1

也可以在/etc/sysctl.conf中增加下列选项:
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
使这种模式每次启动后都生效。

【补充一下】

FreeBSD 系统中有一个 blackhole 的功能。

blackhole sysctl(8) MIB 用来控制当对一些没有 socket 监听的 TCP 或者 UDP port 接收到连接请求时所操作的行为,你可以使用 man blackhole 获得详细的信息,当设置这个选项後,对那些连接没有 socket 监听的 TCP 或者 UDP 通讯埠的连接,系统将马上丢弃这个包而不发 RST 包。


类别:Freebsd||添加到搜藏 |分享到i贴吧|浏览(1411)|评论 (0)
 
最近读者:
 
网友评论:
发表评论:
姓 名:
网址或邮箱: (选填)
内 容:
     

   
帮助中心 | 空间客服 | 投诉中心 | 空间协议
©2012 Baidu