
Author Topic: biggest ping size  (Read 7348 times)


Offline simpat1zq

biggest ping size
« on: December 27, 2005, 09:06:44 pm »
When I try to ping the LAN interface with anything larger than 25152 bytes, it fails. If I ping it with 25152 bytes exactly, it takes roughly 40 ms. So I have a few questions:

Why is that limited to 25152 bytes? Is that by design? Why such a weird number (it's a palindrome too)?

How come the ping takes 40ms when a normal ping over 100mbit takes 4ms? Is it because it has to do some processing on it first, as far as firewall rules and such?

thx

Offline sullrich

  • Hero Member
  • *****
  • Posts: 5110
  • Karma: +7/-2348
    • View Profile
    • pfSense
Re: biggest ping size
« Reply #1 on: December 28, 2005, 01:17:23 pm »
Research this... (hint: it's by design!)

# sysctl -a | grep icmplim
net.inet.icmp.icmplim: 200
net.inet.icmp.icmplim_output: 1

Offline simpat1zq

Re: biggest ping size
« Reply #2 on: December 28, 2005, 06:50:36 pm »
OK, I have NO clue what that means. But I'll give it a shot (I don't know anything about FreeBSD).

I'm guessing that 'icmplim' is short for icmp limit. 25152 bytes = 201.216 kilobits. So I'm guessing that's where the 200 is coming from (does that 1.216 have something to do with overhead?).

So why is the limit at 200? Is there a technical limitation, or is that just some number someone decided to use?

And why does it take longer for the firewall box to respond than a Windows PC (which can handle ICMP up to 65500 bytes)? (Neither one of them had much load (~6% CPU) on them when I was doing these pings.)

Offline sullrich

Re: biggest ping size
« Reply #3 on: December 28, 2005, 06:52:40 pm »

Offline simpat1zq

Re: biggest ping size
« Reply #4 on: December 28, 2005, 08:43:44 pm »
Well, I'm more confused now (but at least I'm learning something).

When I run the 'ping -f -c 100000 192.168.1.XXX' command to another computer or to the pfSense box, I get a message saying "ping: cannot flood; minimal interval, allowed for user, is 200ms". (I had to run that command from a Linux box btw.)

Is that the same '200' that was in the sysctl output? Does Windows have that same 200 ms limit?

And if I understand the ping options correctly, you're (trying to) flood the IP addy with 100000 ICMP requests, hoping to get 100000 answers back, but the device gets 2 requests within 200 ms, and calls shenanigans on you before you can finish the rest, is that right? I'm guessing this is to stop DoS attacks?

If that's right then let's get back to the 25152 limit. Is the request getting split into 2 pieces which are coming one after another (within 200 ms), and the firewall rejects it?

Offline billm

Re: biggest ping size
« Reply #5 on: December 29, 2005, 01:28:03 am »
Quote
Well, I'm more confused now (but at least I'm learning something).

When I run the 'ping -f -c 100000 192.168.1.XXX' command to another computer or to the pfSense box, I get a message saying "ping: cannot flood; minimal interval, allowed for user, is 200ms". (I had to run that command from a Linux box btw.)

Let me guess, you did that as a normal user?  Try doing that as root.

Quote
Is that the same '200' that was in the sysctl output? Does Windows have that same 200 ms limit?

Probably not, and Windows doesn't have the limit.

Quote
And if I understand the ping options correctly, you're (trying to) flood the IP addy with 100000 ICMP requests, hoping to get 100000 answers back, but the device gets 2 requests within 200 ms, and calls shenanigans on you before you can finish the rest, is that right? I'm guessing this is to stop DoS attacks?

Basically.

Quote
If that's right then let's get back to the 25152 limit. Is the request getting split into 2 pieces which are coming one after another (within 200 ms), and the firewall rejects it?

Two?  A lot more than 2.  Maximum segment size on a 10/100 ethernet segment is 1500 bytes - this includes IP and ICMP headers.  Any packets larger than this will get fragmented.  Using a 25152 sized packet guarantees many fragments.  This might be a pf limit btw, it'll reassemble fragments too, up to a certain size (not sure what that is offhand), then it'll start dropping the packets too, assuming it's under a resource starvation attack.

--Bill
pfSense core developer
blog - http://www.ucsecurity.com/
twitter - billmarquette
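To make billm's point concrete, here is an added example (my own code, not from the thread, pfSense or pf) that computes how an oversized ICMP echo request is cut into IPv4 fragments on a 1500-byte MTU link. It assumes a 20-byte IPv4 header without options, the 8-byte ICMP echo header, and the rule that fragment offsets are multiples of 8 bytes; the payload sizes fed to it (56, 1472, 1473, 25152, 25153) are constructed inputs chosen around the numbers discussed in the thread.

```python
# Added example: IPv4 fragmentation of an ICMP echo request on a 1500-byte MTU link.
# Assumptions (labelled here, not taken from the thread): 20-byte IPv4 header with
# no options, 8-byte ICMP echo header, fragment offsets in units of 8 bytes.
from dataclasses import dataclass
from typing import List

IPV4_HEADER = 20   # bytes, no IP options
ICMP_HEADER = 8    # bytes, echo request / reply header
MTU = 1500         # bytes, Ethernet IPv4 MTU (includes IP and ICMP headers, as billm says)


@dataclass
class Fragment:
    offset: int           # byte offset of this fragment's data within the original datagram
    length: int           # bytes of IP payload carried by this fragment
    more_fragments: bool  # the MF flag: False only on the final fragment


def fragment_icmp_echo(payload_bytes: int, mtu: int = MTU) -> List[Fragment]:
    """Return the IPv4 fragments an ICMP echo carrying `payload_bytes` of data
    produces on a link with the given MTU.

    Everything after the IP header (ICMP header + data) is what gets sliced up.
    Each non-final fragment carries the largest multiple of 8 bytes that fits in
    (mtu - IPV4_HEADER), which is 1480 on a 1500-byte MTU link.
    """
    datagram_payload = ICMP_HEADER + payload_bytes
    max_per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    if datagram_payload <= mtu - IPV4_HEADER:
        # Fits in one frame: no fragmentation at all.
        return [Fragment(0, datagram_payload, False)]
    fragments: List[Fragment] = []
    offset = 0
    while offset < datagram_payload:
        length = min(max_per_fragment, datagram_payload - offset)
        more = offset + length < datagram_payload
        fragments.append(Fragment(offset, length, more))
        offset += length
    return fragments


def fragment_count(payload_bytes: int, mtu: int = MTU) -> int:
    """Number of IP packets a single ping of this payload size puts on the wire."""
    return len(fragment_icmp_echo(payload_bytes, mtu))


def fills_fragments_exactly(payload_bytes: int, mtu: int = MTU) -> bool:
    """True when the datagram is a multiple of the per-fragment data size, i.e.
    the last fragment is just as full as every other one (no short tail)."""
    fragments = fragment_icmp_echo(payload_bytes, mtu)
    return len(fragments) > 1 and fragments[-1].length == fragments[0].length


if __name__ == "__main__":
    # Constructed sample sizes: default ping payload, the largest unfragmented
    # payload, one byte past it, and the two sizes around the thread's 25152.
    for size in (56, 1472, 1473, 25152, 25153):
        frags = fragment_icmp_echo(size)
        print(f"ping -s {size:5d}: {len(frags):2d} fragment(s), "
              f"last carries {frags[-1].length:4d} bytes, "
              f"exact fill: {fills_fragments_exactly(size)}")
```

Running it shows why "two pieces" undersells it: a 1473-byte payload already needs two fragments (1480 + 1 bytes of IP payload), and a 25152-byte payload produces 17 fragments of 1480 bytes each, with no short tail; 25153 bytes spills into an 18th fragment carrying a single byte. From a defender's view this is the cost billm describes: every fragment set sits in the reassembly cache until its last piece arrives, so any reassembler (pf's included) has to cap how much it holds before it starts dropping, and large pings are the simplest way to find that ceiling.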

Offline simpat1zq

Re: biggest ping size
« Reply #6 on: December 29, 2005, 08:06:14 am »
Yeah, I was doing it as a regular user. I'll try it as root when I get home.

Quote
Two?  A lot more than 2.

Well if that's the case, shouldn't a 1501 byte ping fail, as that will send 2 packets within 200 ms.

Offline billm

Re: biggest ping size
« Reply #7 on: December 29, 2005, 01:43:25 pm »
Quote
Yeah, I was doing it as a regular user. I'll try it as root when I get home.

Quote
Two?  A lot more than 2.

Well if that's the case, shouldn't a 1501 byte ping fail, as that will send 2 packets within 200 ms?

Read the rest of my post please.

--Bill
pfSense core developer
blog - http://www.ucsecurity.com/
twitter - billmarquette

Offline simpat1zq

Re: biggest ping size
« Reply #8 on: December 29, 2005, 04:35:52 pm »
Yeah, that's where I'm confused. sullrich seemed like he was implying that 'net.inet.icmp.icmplim: 200' was the reason this was happening. But it sounds like you're saying that this is happening because of something in pfSense. The thing I was mainly curious about is the reason 25152 is the limit, as opposed to another number.