nanog mailing list archives

Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
From: Jared Mauch <jared () puck Nether net>
Date: Thu, 28 Aug 2003 08:48:50 -0400

On Thu, Aug 28, 2003 at 01:23:40PM +0100, variable () ednet co uk wrote:

> On Wed, 27 Aug 2003, jlewis () lewis org wrote:
>
>> We have a similarly sized connection to MFN/AboveNet, which I won't
>> recommend at this time due to some very questionable null routing they're
>> doing (propagating routes to destinations, then bitbucketing traffic sent
>> to them) which is causing complaints from some of our customers and
>> forcing us to make routing adjustments as the customers notice
>> MFN/AboveNet has broken our connectivity to these destinations.
>
> We've noticed that one of our upstreams (Global Crossing) has introduced
> ICMP rate limiting 4/5 days ago.  This means that any traceroutes/pings
> through them look awful (up to 60% apparent packet loss).  After
> contacting their NOC, they said that the directive to install the ICMP
> rate limiting was from the Homeland Security folks and that they would not
> remove them or change the rate at which they limit in the foreseeable

        I guess this depends on the type of
interconnect you have with them.  If you're speaking across
a public-IX or private (or even paid) peering link, this doesn't
seem unreasonable that they would limit traffic to a particular
percentage across that circuit.

        I think the key is to determine what is 'normal' and what
obviously constitutes an out of the ordinary amount of ICMP traffic.

        If you're a customer, there's not really a good reason
to rate-limit your icmp traffic.  customers tend to notice and
gripe.  they expect a bit of loss when transiting a peering
circuit or public fabric, and if the loss is only of icmp they
tend to not care.  This is why when I receive escalated tickets
I check using non-icmp based tools as well as using icmp
based tools.

> What are other transit providers doing about this or is it just GLBX?

here's one of many i've posted in the past, note it's also
related to securing machines.


        I recommend everyone do such icmp rate-limits on their
peering circuits and public exchange fabrics to what is a 'normal'
traffic flow on your network.  The above message from the archives
is from Jan 2002, if these were a problem then and still are now,
perhaps people should either 1) accept that this is part of normal
internet operations, or 2) decide that this is enough and it's time
to seriously do something about these things.

        - Jared

Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
