31.5. Verbose Monitoring
When support for this option is added to the kernel and the option is enabled (it is disabled by default), the kernel prints warning messages on the console when input packets have suspicious or invalid source or destination IP addresses. These messages are rate limited to one every five seconds, to avoid potential DoS attacks.
Ingress packets that are dropped by sanity checks in the routing subsystem, due to faulty source or destination addresses, trigger a warning message. The kernel can make some of these checks easily using the classifications listed in Table 30-1 and Table 30-3 in Chapter 30. In summary, these classifications are:
Source address: Multicast, Loopback, Reserved, Invalid (zeronet)
Destination address: Loopback, Reserved, Invalid (zeronet)
The kernel makes additional sanity checks on ingress packets based on the routing table. In particular:
When reverse path filtering is enabled (an anti-IP-spoofing check), the source IP address must be reachable through the same interface from which the packet was received. See the section "Reverse Path Filtering."
The source IP address cannot be a subnet broadcast address or one of the addresses configured on the receiving interface. This check can help prevent IP spoofing attempts (i.e., another host claiming the same IP address as the receiving interface), and can also detect cases of address duplication such as might be caused by DHCP misconfiguration.
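The following is an added example, not code from the book or from the kernel: a small user-space model of the ingress sanity checks described above, written with Python's ipaddress module. It classifies source and destination addresses into the classes the text lists, applies the local-address, subnet-broadcast and reverse-path checks against a constructed routing table, and wraps the warnings in the one-message-per-five-seconds rate limiter the text mentions. The prefixes chosen for "Invalid (zeronet)" (0.0.0.0/8) and "Reserved" (240.0.0.0/4), the routing table, the interface addresses and the sample packets are all assumptions made for the example; the acceptance of an all-zeros source sent to the limited broadcast address (DHCP-style discovery) is a special case the kernel makes and the text does not discuss.

```python
import ipaddress
import time

# Address classes named in the text.  The prefixes are assumptions made here:
# "Invalid (zeronet)" is 0.0.0.0/8, "Reserved" is the former class E, 240.0.0.0/4.
ZERONET = ipaddress.ip_network("0.0.0.0/8")
RESERVED = ipaddress.ip_network("240.0.0.0/4")
LBCAST = ipaddress.ip_address("255.255.255.255")   # limited broadcast
ZERO = ipaddress.ip_address("0.0.0.0")

# Constructed routing table (prefix, outgoing interface) and interface addresses.
ROUTES = [
    ("10.0.0.0/24", "eth0"),
    ("192.168.1.0/24", "eth1"),
    ("0.0.0.0/0", "eth0"),          # default route
]
IFACE_ADDRS = {"eth0": "10.0.0.1/24", "eth1": "192.168.1.1/24"}


def classify(addr):
    """Return the suspicious class of an address per the text, or None if ordinary."""
    a = ipaddress.ip_address(addr)
    if a in ZERONET:
        return "Invalid"
    if a.is_loopback:
        return "Loopback"
    if a.is_multicast:
        return "Multicast"
    if a in RESERVED:
        return "Reserved"
    return None


def lookup(addr):
    """Longest-prefix match in ROUTES; returns the outgoing interface or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, dev in ROUTES:
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def check_ingress(src, dst, iif, rp_filter=True):
    """Apply the sanity checks to one ingress packet.

    Returns the drop reason (what a verbose kernel would log) or None if the
    packet passes.  Order: address class, local/broadcast source, reverse path.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # All-zeros source to the limited broadcast address is a legitimate
    # broadcast (e.g. DHCP discovery); the kernel accepts it before class checks.
    if s == ZERO and d == LBCAST:
        return None
    c = classify(src)
    if c:
        return f"martian source {src} ({c})"
    if d != LBCAST:
        c = classify(dst)
        if c and c != "Multicast":      # multicast is a valid destination class
            return f"martian destination {dst} ({c})"
    for cidr in IFACE_ADDRS.values():
        iface = ipaddress.ip_interface(cidr)
        if s == iface.ip:
            return f"source {src} is a local address"
        if s == iface.network.broadcast_address:
            return f"source {src} is a subnet broadcast address"
    if rp_filter:
        out = lookup(src)
        if out != iif:
            return f"rp_filter: source {src} is reachable via {out}, not {iif}"
    return None


class RateLimitedLog:
    """Emit at most one warning per `interval` seconds, as the text describes."""

    def __init__(self, interval=5.0, clock=time.monotonic):
        self.interval, self.clock = interval, clock
        self.last = None
        self.emitted, self.suppressed = [], 0

    def warn(self, msg):
        now = self.clock()
        if self.last is None or now - self.last >= self.interval:
            self.last = now
            self.emitted.append(msg)
            return True
        self.suppressed += 1
        return False


def audit(packets, log):
    """Run the checks over (src, dst, iif) tuples; return the drop reasons found."""
    reasons = []
    for src, dst, iif in packets:
        reason = check_ingress(src, dst, iif)
        if reason:
            reasons.append(reason)
            log.warn(reason)
    return reasons


if __name__ == "__main__":
    sample = [                                       # constructed ingress packets
        ("10.0.0.5", "10.0.0.1", "eth0"),            # ordinary, passes
        ("127.0.0.1", "10.0.0.1", "eth0"),           # loopback source
        ("10.0.0.5", "0.0.0.1", "eth0"),             # zeronet destination
        ("0.0.0.0", "255.255.255.255", "eth0"),      # DHCP-style broadcast, passes
        ("10.0.0.1", "10.0.0.2", "eth0"),            # claims our own address
        ("192.168.1.255", "10.0.0.1", "eth1"),       # subnet broadcast source
        ("10.0.0.5", "192.168.1.1", "eth1"),         # fails reverse path check
    ]
    log = RateLimitedLog()
    for r in audit(sample, log):
        print(r)
    print(f"logged {len(log.emitted)}, suppressed {log.suppressed}")
```

The rate limiter takes an injectable clock so the five-second window can be tested without sleeping; with the real clock, a burst of bad packets produces one log line and a count of suppressed warnings, which is the behaviour that keeps the console from being used as a DoS vector.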
When the Verbose Monitoring feature is enabled, the ICMP layer can also generate warning messages under specific conditions:
Transmission of ICMP REDIRECT messages
When the kernel has sent a certain number of ICMP REDIRECT messages to a remote host that appears to ignore them, the kernel prints a warning. The precise number is configurable. See the section "Transmitting ICMP_REDIRECT Messages."
Reception of ICMP REDIRECT message
Whenever an ingress ICMP redirect is rejected, the kernel prints a warning. The processing of ingress ICMP REDIRECT messages is a little more complex than their transmission, because the kernel may reject ingress ICMP REDIRECT messages for several reasons, some of them configurable by the user. See the section "Processing Ingress ICMP_REDIRECT Messages."