I am getting a tremendous amount of messages on a particular server saying something close to:
kernel: Limiting open port RST response from 302 to 200 packets/sec

I understand the reasons for the message, but I'm having a hard time tracking down a possible point source. Neither ethereal nor tcpdump seem to be picking up any packets with the TCP RST bit set. I have tried this, for example:

# tcpdump 'tcp[tcpflags] & tcp-rst = 1'

... but get nothing. I have also tried adding a logging rule to ipfw, such as:

# ipfw add allow log tcp from me to any tcpflags rst

However, the logged results don't appear to be correct. Log messages do show up in /var/log/security, but at the rate of about 1 message every 4 or 5 seconds, which doesn't seem consistent with a rate limit of 200 packets/sec being implemented.

Basically, I'm wanting to find out if the machine(s) causing this are coming from the internal network, or outside. And if coming from inside, which machine is flooding the server with bogus SYN requests to non-listening ports.

TCP and UDP blackhole sysctls are also already set up, and it appears that the RST packets are being sent out to internet hosts with a dstport of 80. The machine being affected is running squid.

Does anyone have advice on this?

Thanks,
Nathan

--
PGP Public Key: pgp.mit.edu:11371/pks/lookup?op=get&search=0xD8527E49
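Added example, not part of Nathan's post and not FreeBSD or tcpdump code: it first evaluates the two forms of the tcpdump flags filter on a raw TCP flags byte (in pcap-filter, tcp-rst is the bit 0x04, so `tcp[tcpflags] & tcp-rst` can only ever be 0 or 4, which is why comparing it to 1 matches nothing and comparing it to 0 with `!=` is the form that selects RST segments), and then aggregates ipfw log lines from /var/log/security by peer host and direction so the inbound sources and outbound RST destinations can be split into internal and external hosts. The log lines, the `ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>` format, the interface names and the 10.0.0.0/24 LAN prefix are all assumptions for the example.

```python
import ipaddress
import re
from collections import Counter

# TCP flag bits as pcap-filter names them (tcp-fin, tcp-syn, tcp-rst, ...).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def filter_rst_eq_1(flags):
    """Evaluates 'tcp[tcpflags] & tcp-rst = 1' on a TCP flags byte.
    flags & 0x04 is 0 or 4, never 1, so this never matches."""
    return (flags & TCP_RST) == 1


def filter_rst_ne_0(flags):
    """Evaluates 'tcp[tcpflags] & tcp-rst != 0': true for any segment with RST set."""
    return (flags & TCP_RST) != 0


# Constructed ipfw log lines for this example (not from the poster's machine).
# Assumed format: ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
SAMPLE_LOG = """\
Mar 12 10:01:01 proxy kernel: ipfw: 100 Accept TCP 10.0.0.7:3201 10.0.0.1:3128 in via fxp0
Mar 12 10:01:01 proxy kernel: ipfw: 100 Accept TCP 10.0.0.7:3202 10.0.0.1:3128 in via fxp0
Mar 12 10:01:02 proxy kernel: ipfw: 100 Accept TCP 10.0.0.9:40001 10.0.0.1:3128 in via fxp0
Mar 12 10:01:02 proxy kernel: ipfw: 200 Accept TCP 10.0.0.1:5001 198.51.100.20:80 out via fxp1
Mar 12 10:01:03 proxy kernel: ipfw: 200 Accept TCP 10.0.0.1:5002 198.51.100.20:80 out via fxp1
Mar 12 10:01:03 proxy kernel: ipfw: 200 Accept TCP 10.0.0.1:5003 203.0.113.5:80 out via fxp1
Mar 12 10:01:04 proxy kernel: ipfw: 100 Accept TCP 10.0.0.7:3203 10.0.0.1:3128 in via fxp0
"""

# Only TCP/UDP entries carry "host:port" pairs; other protocols are skipped.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Assumed internal LAN prefix; change to the real one.
INTERNAL = ipaddress.ip_network("10.0.0.0/24")


def parse_ipfw(line):
    """Parse one ipfw log line into a dict, or None if it is not a TCP/UDP ipfw entry."""
    m = IPFW_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def count_peers(log_text, direction):
    """Count entries per remote host for one direction ('in' or 'out').
    Inbound entries are keyed by source host, outbound by destination host."""
    peers = Counter()
    for line in log_text.splitlines():
        rec = parse_ipfw(line)
        if rec is None or rec["dir"] != direction:
            continue
        peers[rec["src"] if direction == "in" else rec["dst"]] += 1
    return peers


def split_internal(peers):
    """Split a peer Counter into (internal, external) by the assumed LAN prefix."""
    inside, outside = Counter(), Counter()
    for host, n in peers.items():
        target = inside if ipaddress.ip_address(host) in INTERNAL else outside
        target[host] = n
    return inside, outside


if __name__ == "__main__":
    for direction in ("in", "out"):
        inside, outside = split_internal(count_peers(SAMPLE_LOG, direction))
        print(f"{direction}: internal={dict(inside)} external={dict(outside)}")
```

On a live box the same selection is `tcpdump -ni fxp1 'tcp[tcpflags] & tcp-rst != 0'` for outgoing RSTs and `tcpdump -ni fxp0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` for bare inbound SYNs; feeding `grep ipfw: /var/log/security` into `count_peers` gives the per-host totals.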
