https://www.saddns.net/ discusses a DNS poisoning attack by leveraging network side channels by attempting to solicit ICMP_UNREACH_PORT replies. The source port number can be inferred from the rate at which ICMP_UNREACH_PORT is rate limited. The solution, as implemented on Linux, is to randomize rate limiting. This patch randomizes icmplim with a modulus of a random number divided by icmplim. This patch introduces a new icmpden (ICMP denominator) which is used to calculate the modulus. An icmpden of zero disables randomization.
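To show what a per-window randomized limit does to the reply count an off-path observer can measure, here is an added C model; it is not the FreeBSD patch or its kernel code. The formula limit = icmplim + (random % (icmplim / icmpden)), the xorshift stand-in for arc4random(), and the names icmp_ratelim, pick_limit, icmp_ratecheck and replies_in_window are assumptions made for the example.

```c
/*
 * Model of randomized ICMP_UNREACH_PORT rate limiting (added example, not the
 * patch).  Assumed formula: limit = icmplim + (random % (icmplim / icmpden)),
 * icmpden == 0 leaving icmplim fixed.  A fixed limit makes replies per second
 * an exact function of probes hitting closed ports; jitter makes it noisy.
 */
#include <stdbool.h>
#include <stdint.h>

struct icmp_ratelim {
	int icmplim;      /* base replies per window (net.inet.icmp.icmplim) */
	int icmpden;      /* jitter denominator; 0 disables randomization */
	int limit_curr;   /* limit in effect for the current window */
	int sent_curr;    /* replies already sent this window */
	uint64_t window;  /* one-second window being counted */
	uint32_t rng;     /* xorshift32 state standing in for arc4random() */
};

static uint32_t rnd_next(uint32_t *s)
{
	*s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;
	return (*s);
}

/* Limit for a new window: icmplim plus jitter in [0, icmplim / icmpden). */
static int pick_limit(struct icmp_ratelim *r)
{
	int mod = r->icmpden > 0 ? r->icmplim / r->icmpden : 0;
	return (mod > 0 ? r->icmplim + (int)(rnd_next(&r->rng) % (uint32_t)mod)
	    : r->icmplim);
}

/* True if one more reply may be sent in window `now` (seconds). */
static bool icmp_ratecheck(struct icmp_ratelim *r, uint64_t now)
{
	if (r->limit_curr == 0 || now != r->window) {
		r->window = now;
		r->sent_curr = 0;
		r->limit_curr = pick_limit(r);
	}
	return (r->sent_curr < r->limit_curr ? (r->sent_curr++, true) : false);
}

/* Replies seen when `probes` closed-port packets land in one window. */
static int replies_in_window(struct icmp_ratelim *r, uint64_t now, int probes)
{
	int n = 0;
	for (int i = 0; i < probes; i++)
		n += icmp_ratecheck(r, now);
	return (n);
}
```

With icmpden set to 0 every window caps at exactly icmplim replies, so the count a probing host sees is a deterministic function of how many of its packets reached closed ports; with icmpden set to 4 the cap moves within [icmplim, icmplim + icmplim/4) from window to window.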