What you’re seeing is the kernel limiting ICMP responses to 200/second.
If there are more than 200 ICMP requests per second, and you have
net.inet.icmp.icmplim set to 200 via sysctl (the default value), this
occurs.
This could be an ICMP flood attack. It could also be legitimate traffic.
For your network, what would you consider to be a normal number of ICMP
requests per second?
231 packets/second is actually pretty slow if you’re on a high speed
local network, so in that situation it’s unlikely to be a deliberate
ping flood. I’ve had network monitoring tools that were badly configured
do something that looked much like this.
–
It might very well. If ‘named’ dies, and net.inet.udp.blackhole=0,
then the kernel will be generating ICMP error responses for UDP
packets sent to port 53.
–
SOLUTION
# sysctl net.inet.icmp.icmplim=500
Try that.
Also, if you want to make it permanent, add it to /etc/sysctl.conf:
net.inet.icmp.icmplim=500
(On a line all by itself)
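
Added example (not part of the original thread): before raising the limit, it helps to see which kind of response the kernel is throttling and how far over the limit it goes. "icmp unreach response" fits the dead-'named' case described above, while "icmp ping response" is echo traffic. The log message form, the function names and the sample lines are assumptions made for this example.

```sh
#!/bin/sh
# Summarise FreeBSD response rate-limit log messages per response type.
# Assumed message form (the thread does not quote it):
#   Limiting <type> from <seen> to <limit> packets/sec
# Older kernels end with "packets per second"; both forms are accepted.

summarise_icmplim() {
    # stdin: syslog lines; stdout: <type>|<events>|<peak seen>|<limit>
    awk '
    {
        i = index($0, "Limiting ")
        if (i == 0) next                      # not a rate-limit message
        msg = substr($0, i + 9)
        j = index(msg, " from ")              # the type itself may contain spaces
        if (j == 0) next
        type = substr(msg, 1, j - 1)
        n = split(substr(msg, j + 6), f, " ") # f: seen, "to", limit, "packets..."
        if (n < 4 || f[2] != "to" || f[4] !~ /^packets/) next
        if (f[1] !~ /^[0-9]+$/ || f[3] !~ /^[0-9]+$/) next
        events[type]++
        if (f[1] + 0 > peak[type] + 0) peak[type] = f[1] + 0
        limit[type] = f[3] + 0
    }
    END {
        for (t in events)
            printf "%s|%d|%d|%d\n", t, events[t], peak[t], limit[t]
    }' | sort
}

sample_log() {
    # Constructed sample lines, not taken from the thread.
    cat <<'EOF'
Jan 10 03:14:01 ns1 kernel: Limiting icmp unreach response from 231 to 200 packets/sec
Jan 10 03:14:02 ns1 kernel: Limiting icmp unreach response from 340 to 200 packets/sec
Jan 10 03:14:05 ns1 sshd[812]: Connection closed by 192.0.2.7
Jan 10 03:20:11 ns1 kernel: Limiting icmp ping response from 1200 to 200 packets per second
EOF
}

# On a live host: summarise_icmplim < /var/log/messages
sample_log | summarise_icmplim
```

A peak only slightly above the limit on one response type points at a noisy but ordinary source; a large peak on "icmp unreach response" is a reason to check whether a UDP service has stopped listening before changing net.inet.icmp.icmplim.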
