DragonFlyBSD Kernel Audit
← dashboard
DF-0518

ICMP error generation (icmp_error) not rate-limited: reflection/amplification DoS

Summary

badport_bandlim/icmplim rate-limiting applied to ICMP_ECHO(:787) and ICMP_TSTAMP(:807) replies but NOT to icmp_error() itself. Callers ip_input.c:1780/2030/2037/2184 invoke without pre-check. Remote spoofed attacker floods trigger packets -> kernel emits unlimited ICMP errors toward spoofed victim source. Router/forwarding box egress saturation. Amplification ~1x (errors quote header+8 bytes). Defense-in-depth gap vs modern stacks which rate-limit ALL ICMP error emission. Fix: badport_bandlim inside icmp_error mapping type/code to BANDLIM bucket.