Index: sys/netinet/ip_icmp.c
===================================================================
--- sys/netinet/ip_icmp.c
+++ sys/netinet/ip_icmp.c
@@ -89,6 +89,12 @@
 &VNET_NAME(icmplim), 0,
 "Maximum number of ICMP responses per second");

+VNET_DEFINE_STATIC(int, icmpden) = 2;
+#define V_icmpden VNET(icmpden)
+SYSCTL_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmpden, CTLFLAG_VNET | CTLFLAG_RW,
+ &VNET_NAME(icmpden), 0,
+ "ICMP responses denominator");
+
 VNET_DEFINE_STATIC(int, icmplim_output) = 1;
 #define V_icmplim_output VNET(icmplim_output)
 SYSCTL_INT(_net_inet_icmp, OID_AUTO, icmplim_output, CTLFLAG_VNET | CTLFLAG_RW,
@@ -1120,6 +1126,7 @@
 badport_bandlim(int which)
 {
 int64_t pps;
+ int icmp_bandlim;

 if (V_icmplim == 0 || which == BANDLIM_UNLIMITED)
 return (0);
@@ -1127,6 +1134,10 @@
 KASSERT(which >= 0 && which < BANDLIM_MAX,
 ("%s: which %d", __func__, which));

+ if (V_icmpden != 0)
+ icmp_bandlim = arc4random() % (V_icmplim / V_icmpden);
+ else
+ icmp_bandlim = V_icmplim;
 pps = counter_ratecheck(&V_icmp_rates[which].cr, V_icmplim);
 if (pps == -1)
 return (-1);
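Review bot: In the `@@ -89,6 +89,12 @@` hunk the new `icmpden` node is registered under the fixed OID number `ICMPCTL_ICMPLIM`, which by its name belongs to the existing `icmplim` node (that registration starts above the hunk, so this is inferred). The neighbouring `icmplim_output` uses `OID_AUTO`, and the new line should too: `SYSCTL_INT(_net_inet_icmp, OID_AUTO, icmpden, CTLFLAG_VNET | CTLFLAG_RW,`. The knob is a plain read-write int with no range check, so negative values and values larger than `icmplim` are accepted and then fed into a division and a modulo in `badport_bandlim()`; a handler that rejects values below zero would keep that arithmetic defined. The description could also say what the value does, for example `"Divisor of icmplim bounding the randomised response limit (0 disables)"`.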
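Review bot: In the `@@ -1127,6 +1134,10 @@` hunk the added `arc4random() % (V_icmplim / V_icmpden)` divides by zero whenever `icmpden` is larger in magnitude than `icmplim`, because the integer quotient is then 0; both values are runtime-writable sysctls, so a misconfiguration becomes a kernel trap on the ICMP reply path. The tunables are also re-read between the `!= 0` test and the division, and a negative quotient is converted to unsigned before the modulo. Separately, `icmp_bandlim` (declared in the `@@ -1120,6 +1126,7 @@` hunk) is never consumed in the visible lines: `counter_ratecheck()` is still passed `V_icmplim`, so the randomisation has no effect unless it is used further down, since the function body continues outside the hunk. The sketch below reads each tunable once, falls back to the plain limit when the range is not positive, and passes the computed value to the rate check; `lim`, `den` and `span` are new locals.

```c
	/* … unchanged: KASSERT on which … */
	int lim = V_icmplim;	/* snapshot: sysctl may change concurrently */
	int den = V_icmpden;
	int span = (den > 0) ? lim / den : 0;

	if (span > 0)
		icmp_bandlim = arc4random_uniform(span);
	else
		icmp_bandlim = lim;
	pps = counter_ratecheck(&V_icmp_rates[which].cr, icmp_bandlim);
	/* … unchanged: pps == -1 handling … */
```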