Re: [2.0.x/2.1.x] Lots of ICMP error msgs

Andi Kleen (ak@muc.de)
30 Sep 1997 11:32:54 +0200


Chris Evans <chris@ferret.lmh.ox.ac.uk> writes:

> On Tue, 30 Sep 1997, Aaron Tiensivu wrote:
>
> > Does an alarming amount of "ICMP: failed checksum from xxx.xxx.xxx.xxx"
> > necessarily tip off an attempted DoS attack? Are these normal? Should I get
> > this message a few times, and then other times a lot?
> >
> > I think some ruthless Quake players are trying to take down the server by doing
> > such a thing..
>
> I've seen two different Linux boxes die horribly (hang) in the past. Last
> thing logged: _huge_ amounts of ICMP failed checksums. Kernels were 1.2.13
> and 2.0.x respectively.

I have seen them with broken modems (especially ELSAs that got too hot)
or terminal servers (Ascend MAX). Strictly speaking it's against the RFC
anyways to log checksum errors. It's only enabled in 2.1. to catch bugs;
that it is enabled in the 2.0.x masquerading code is a bug IMHO. There are
many legitimate reasons why a packet might get corrupted.

>
> I notice in a recent vger davem snapshot there were some fixes relating to
> proper ICMP size checking upon bad packets. Is this related..????

It's very very unlikely that the missing length checks caused a crash -
usually it only tests for a few bytes ahead, and these should be mostly
available because of the power-of-two kmalloc Linux uses. And when the
checksum test fails Linux will drop the packet anyways, without looking
at it.

-Andi
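
The order of checks described in the reply above (enough bytes present, then the checksum, then drop without parsing), as an added user-space C example that is not part of the original message and is not kernel code. The names `icmp_check`, `icmp_stats`, `check_sample` and the sample packet are assumptions made for illustration; failures are counted instead of logged per packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_HDR_LEN 8 /* type, code, checksum, 4 bytes rest-of-header */

enum icmp_verdict { ICMP_OK, ICMP_DROP_SHORT, ICMP_DROP_CSUM };
/* Counters stand in for per-packet log lines (hypothetical names). */
struct icmp_stats { unsigned long in_msgs, in_short, in_csum_errors; };

/* RFC 1071 Internet checksum: one's-complement sum of 16-bit words. */
static uint16_t inet_csum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) { sum += ((uint32_t)p[0] << 8) | p[1]; p += 2; len -= 2; }
    if (len) sum += (uint32_t)p[0] << 8;          /* pad odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Length first, checksum second; contents are only parsed after ICMP_OK. */
static enum icmp_verdict icmp_check(const uint8_t *msg, size_t len,
                                    struct icmp_stats *st)
{
    st->in_msgs++;
    if (len < ICMP_HDR_LEN) { st->in_short++; return ICMP_DROP_SHORT; }
    /* A message carrying a correct checksum field sums to zero. */
    if (inet_csum(msg, len) != 0) { st->in_csum_errors++; return ICMP_DROP_CSUM; }
    return ICMP_OK;
}

/* Constructed sample: echo request, id 0x1234, seq 1, no payload. */
static const uint8_t sample_echo[8] = {0x08, 0x00, 0xe5, 0xca, 0x12, 0x34, 0x00, 0x01};
static struct icmp_stats stats;

/* Check the first len bytes of the sample after XORing one byte with mask. */
static enum icmp_verdict check_sample(size_t len, size_t pos, uint8_t mask)
{
    uint8_t buf[sizeof sample_echo];
    memcpy(buf, sample_echo, sizeof buf);
    buf[pos % sizeof buf] ^= mask;                /* mask 0 leaves it intact */
    return icmp_check(buf, len, &stats);
}

int main(void)
{
    printf("intact=%d ", check_sample(8, 0, 0));
    printf("bitflip=%d ", check_sample(8, 5, 0x10));
    printf("truncated=%d csum_errors=%lu\n", check_sample(4, 0, 0), stats.in_csum_errors);
    return 0;
}
```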