
Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
From: Steve Carter <scarter () pobox com>
Date: Thu, 28 Aug 2003 08:37:51 -0700


* variable () ednet co uk said:

On Wed, 27 Aug 2003, jlewis () lewis org wrote:

We have a similarly sized connection to MFN/AboveNet, which I won't
recommend at this time due to some very questionable null routing they're
doing (propagating routes to destinations, then bitbucketing traffic sent
to them) which is causing complaints from some of our customers and
forcing us to make routing adjustments as the customers notice
MFN/AboveNet has broken our connectivity to these destinations.

We've noticed that one of our upstreams (Global Crossing) has introduced 
ICMP rate limiting 4/5 days ago.  This means that any traceroutes/pings 
through them look awful (up to 60% apparent packet loss).  After 
contacting their NOC, they said that the directive to install the ICMP 
rate limiting was from the Homeland Security folks and that they would not 
remove them or change the rate at which they limit in the foreseeable 
future.

Homeland Security recommended the filtering of ports 137-139 but have not,
to my knowledge, recommended rate limiting ICMP.

I speak for Global Crossing when I say that ICMP rate limiting has existed
on the Global Crossing network, inbound from peers, for a long time ... we
learned our lesson from the Yahoo DDoS attack (when they were one of our
customers) back in the day and it was shortly thereafter that we
implemented the rate limiters.  Over the past 24 hours we've performed
some experimentation that shows outbound rate limiters being also of value
and we're looking at the specifics of differentiating between happy ICMP
and naughty 92 byte packet ICMP and treating the latter with very strict
rules ... like we would dump it on the floor.  This, I believe, will stomp 
on the bad traffic but allow the happy traffic to pass unmolested.

The rate-limiters have become more interesting recently, meaning they've
actually started dropping packets (quite a lot in some cases) because of
the widespread exploitation of unpatched windows machines.

Our results show that were we to raise the size of the queues the quantity
of ICMP is such that it would just fill it up and if we permit all ICMP to
pass unfettered we would find some peering circuits that become congested.  
Our customers would not appreciate the latter either.

-Steve
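As an added illustration, not part of the thread and not Global Crossing's actual configuration, here is a small Python simulation of the policy Steve describes: ICMP echo requests of exactly 92 bytes are dropped outright, all other ICMP is token-bucket limited per peer link, and non-ICMP traffic passes. The packet records, the refill rate and burst, and the reading of "92 byte" as total IP length are assumptions made for the example.

```python
from dataclasses import dataclass, field

ECHO_REQUEST = 8   # ICMP type 8 (echo request)
NAUGHTY_LEN = 92   # assumption: total IP length of the "naughty" ICMP the message singles out


@dataclass
class TokenBucket:
    """Per-peer-link bucket: `rate` packets/second refill, `burst` packets depth."""
    rate: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self):
        self.tokens = float(self.burst)   # start full
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # refill proportional to elapsed time, capped at the bucket depth
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def classify(pkt: dict) -> str:
    """Strict rule first: 92-byte echo requests are dropped; other ICMP is rate-limited."""
    if pkt["proto"] != "icmp":
        return "pass"
    if pkt["type"] == ECHO_REQUEST and pkt["len"] == NAUGHTY_LEN:
        return "drop"
    return "limit"


def police(packets, rate=2.0, burst=3):
    """Return one verdict ('pass' or 'drop') per packet, keeping a bucket per peer link."""
    buckets, verdicts = {}, []
    for p in packets:
        action = classify(p)
        if action == "limit":
            bucket = buckets.setdefault(p["peer"], TokenBucket(rate, burst))
            action = "pass" if bucket.allow(p["t"]) else "drop"
        verdicts.append(action)
    return verdicts


# Constructed sample: a burst from peer A (one 92-byte echo, several ordinary ICMP, one TCP),
# then traffic on peer B, then peer A again after its bucket has refilled.
SAMPLE = [
    {"t": 0.0, "peer": "A", "proto": "icmp", "type": 8, "len": 92},
    {"t": 0.0, "peer": "A", "proto": "icmp", "type": 8, "len": 84},
    {"t": 0.1, "peer": "A", "proto": "icmp", "type": 8, "len": 84},
    {"t": 0.2, "peer": "A", "proto": "icmp", "type": 11, "len": 56},
    {"t": 0.3, "peer": "A", "proto": "icmp", "type": 0, "len": 84},
    {"t": 0.3, "peer": "A", "proto": "tcp", "type": None, "len": 1500},
    {"t": 1.0, "peer": "B", "proto": "icmp", "type": 8, "len": 92},
    {"t": 1.0, "peer": "B", "proto": "icmp", "type": 8, "len": 84},
    {"t": 1.5, "peer": "A", "proto": "icmp", "type": 0, "len": 84},
]
```

Running `police(SAMPLE)` shows the fifth packet dropped purely by the bucket (peer A's burst is exhausted) while the two 92-byte echoes are dropped regardless of load, which is the "stomp on the bad traffic, let the happy traffic pass" split the message aims for.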

