Limiting open port RST response

[hurricane_sh]

My server got the following messages:

+Limiting open port RST response from 213 to 200 packets/sec
+Limiting open port RST response from 206 to 200 packets/sec

This is the first time I see these messages, what caused these messages, port scan or normal traffic? Should I raise the value of net.inet.icmp.icmplim? Thanks!

 

[SirDice]

A RST is not done via ICMP. So setting icmplim is useless in this regard.

Something or someone is sending a lot of SYN packets to closed ports. A closed port responds with a RST. You need to find out who or what's causing this. You can have a look with tcpdump(1).

 

[hurricane_sh]

Thanks for your quick reply. But I have configured sysctl with

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

Shouldn't the server have dropped packets sent to closed ports? The message also says open ports:

+Limiting [B]open[/B] port RST response from 213 to 200 packets/sec

 

[SirDice]

Shouldn't the server dropped packets sent to closed ports?

No, the standards say it must respond with a RST.

As for open ports sending RST packets, it could be because it's receiving packets that are not valid, i.e. bad sequence numbers. Or it's receiving packets (other then a SYN) from a system for which it has no ESTABLISHED state.

 

[anomie]

Thanks for your quick reply. But I have configured sysctl with

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

Shouldn't the server dropped packets sent to closed ports?

From blackhole(7):

Normal behaviour, when a TCP SYN segment is received on a port where
     there is no socket accepting connections, is for the system to return a
     RST segment, and drop the connection.  The connecting system will see
     this as a ``Connection refused''.  By setting the TCP blackhole MIB to a
     numeric value of one, the incoming SYN segment is merely dropped, and no
     RST is sent, making the system appear as a blackhole.  By setting the MIB
     value to two, any segment arriving on a closed port is dropped without
     returning a RST.  This provides some degree of protection against stealth
     port scans.

Make sure you've restarted sysctl(8) via its rc script after making the change.

The message also says open ports:

+Limiting open port RST response from 213 to 200 packets/sec

IMO, your FreeBSD system is doing its job - throttling replies to nasty people (and informing you about it). If this is becoming an annoyance, then put up a host-level firewall.

 

[Anil Kumar thotamalla]

Hi,
Same issue I am facing here is the /var/log/messages logs

 kernel: Limiting open port RST response from 1088 to 500 packets/sec
 kernel: Limiting open port RST response from 2432 to 500 packets/sec
 kernel: Limiting open port RST response from 1768 to 500 packets/sec
 kernel: Limiting open port RST response from 674 to 500 packets/sec
and 
  kernel: kern.maxfiles limit exceeded by uid 0, please see tuning(7).

 kernel: kern.maxfiles limit exceeded by uid 0, please see tuning(7).

 kernel: Limiting closed port RST response from 811 to 500 packets/sec
 kernel: kern.maxfiles limit exceeded by uid 0, please see tuning(7).
syslogd: /dev/console: Too many open files in system: Too many open files in system
kernel: Limiting closed port RST response from 815 to 500 packets/sec
esa kernel: kern.maxfiles limit exceeded by uid 0, please see tuning(7).
kernel: Limiting closed port RST response from 783 to 500 packets/sec
kernel: kern.maxfiles limit exceeded by uid 0, please see tuning(7).

Could you please provide the inputs on same . What could be the solution the error?

 

[SirDice]

See post #2, find out what's hammering at your ports.

 

[MAM]

Yeah I know post #2 but it is a rather useless way to "solve" the issue.

These "attacks" are not permanent, they happen now and then. With tcpdump you could hang around for hours waiting for them and you will likely miss them on a busy system.

Wouldnt it be not wiser to change the error message and have it included src/dst addresses and ports ???

I am also punished with such messages a few time a day and even after weeks i have not the slightest idea where they come from and how they happen. I resulted to limit the allowed value to 50 down from 200 to lower the impact on the LAN.
Some kind of DOS attacks maybe?

 

[PacketMan]

Wouldnt it be not wiser to change the error message and have it included src/dst addresses and ports ???

..... i have not the slightest idea where they come from and how they happen.

This happened to my machine twice today, I will have to keep an eye on it althought I think I have an idea why. I agree it would be nice to have src/dst addresses included, but a good properly configured firewall will (a) help prevent attacks (too much to explain here), and (b) log the data you are looking for.

Hmmmm, might be time for me to replace my home router with a PFsense machine.