[RndTbl] latest kernel rate limits icmp to different hosts?

Trevor Cordes trevor at tecnopolis.ca
Thu Dec 1 02:01:22 CST 2016


On 2016-11-29 Theodore Baschak wrote:
> I'm running 4.8.{8,9,10} kernel on a couple systems, however it's on
> Debian, and it's not stock -- I've compiled packages for my
> infrastructure based on the coldkernel patchset we maintain.
> https://github.com/coldhakca/coldkernel
> 
> I'd be willing to test out something if need be.

Thanks a ton!  I'm attaching as simplified a test prog as I could make
that shows the bug.  Sorry it's such a mess, I just C&P as little code as I
could to trigger the bug.  (My code is heavily based on a sample from
perl monks, so credit to where it's due.)  The code simply creates 253
icmp echo packets and sends them out to the LAN as fast as it can.  The
sample ignores the responses, as they aren't required to repro the bug.

Change the $subnet at the top to be any of your local LAN /24 subnets.
I guess you could test a /16, might work as-is.  Have no idea about
ipv6.

On 4.8.8 or newer, as it is, it should die with an error on most runs (but
not all!).  (I've confirmed on 4.8.8 and 4.8.10 now.)

CURIOUS!!!:  If you uncomment the $single= at the top and put in any
single IP on your subnet, the bug disappears!!  So the bug only hits
when you are scanning a large number of IPs and not a single IP!  Even
though in both cases it's sending the same number of icmp packets out!
BIZARRE!  This might rule out iptables, because AFAIK there's no rule
to match "variability of hosts".

I confirmed this bug does not exist in 4.7.10 (on the same box, all
else equal).

I found a bunch of icmp and net tweaks in sysfs that possibly could
relate, and tweaked all of them to (near-)unlimited, but it didn't help
at all.  I checked and their defaults were the same as they are on
4.7.10.

Strange, my test is pretty much like:
nmap -sP 192.168.101.0/24
Yet nmap runs perfectly fine.  Unless it catches these errors and
retries/ratelimits?

It's like something new in the kernel is trying to ping flood host
scans?  I'm still digging around in changelogs trying to figure it out.

If you (or anyone with 4.8.8+) can confirm the bug hits with $single
off, and doesn't hit with $single on, that would be great!  Also,
letting me know your iptables setup would help as I still haven't ruled
that out.

Thanks a ton!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ping-test
Type: application/octet-stream
Size: 1728 bytes
Desc: not available
URL: <http://muug.ca/pipermail/roundtable/attachments/20161201/a2b4bfcd/attachment.obj>
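The ping-test attachment above was scrubbed from the archive. What follows is an added example, written for this archived copy in Python rather than the author's Perl, and not the attachment itself: it does what the message describes (build one ICMP echo request per usable address of a /24 you administer and push them out a raw socket as fast as the kernel will take them, ignoring replies), and it keeps a count of which errno each refused sendto() returned so the "dies with error" case is visible as data rather than a crash. The $single switch is reproduced as SINGLE, and SUBNET is a placeholder to replace with your own LAN. Packet construction, the RFC 1071 checksum and the host list are separate functions so they can be checked without CAP_NET_RAW; only the sweep itself needs a raw socket.

```python
import errno
import ipaddress
import os
import socket
import struct

# Constructed placeholders: point SUBNET at a LAN you administer; set SINGLE
# to one address on it to mirror the message's "$single" experiment.
SUBNET = "192.168.101.0/24"
SINGLE = None  # e.g. "192.168.101.1"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"rndtbl-test") -> bytes:
    """ICMP type 8 (echo request), code 0, with a valid checksum filled in."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident & 0xFFFF, seq & 0xFFFF)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident & 0xFFFF, seq & 0xFFFF) + payload


def target_hosts(subnet: str, single=None) -> list:
    """Every usable host of `subnet`; or the same single host repeated that
    many times, so both modes send an identical number of packets."""
    hosts = [str(h) for h in ipaddress.ip_network(subnet, strict=False).hosts()]
    if single:
        return [single] * len(hosts)
    return hosts


def send_sweep(hosts: list, ident=None):
    """Send one echo request per entry of `hosts` as fast as possible.
    Returns (packets_sent, {errno_name: count}) for refused sends.
    Needs CAP_NET_RAW (root); the kernel supplies the IP header."""
    ident = (os.getpid() & 0xFFFF) if ident is None else ident
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    sent, errors = 0, {}
    try:
        for seq, host in enumerate(hosts, start=1):
            try:
                sock.sendto(build_echo_request(ident, seq), (host, 0))
                sent += 1
            except OSError as e:
                name = errno.errorcode.get(e.errno, str(e.errno))
                errors[name] = errors.get(name, 0) + 1
    finally:
        sock.close()
    return sent, errors


if __name__ == "__main__":
    n, errs = send_sweep(target_hosts(SUBNET, SINGLE))
    print("sent %d packets; refused by errno: %s" % (n, errs or "none"))
```

Run it once with SINGLE unset and once with SINGLE pointing at one host: the two runs emit the same number of packets, so any difference in the errno counts is attributable to the spread of destinations rather than to volume, which is exactly the distinction the message asks testers to confirm.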
