nanog mailing list archives

Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
From: Lars Erik Gullerud <lerik () nolink net>
Date: Thu, 28 Aug 2003 18:30:16 +0200

On Thu, 2003-08-28 at 17:37, Steve Carter wrote:

I speak for Global Crossing when I say that ICMP rate limiting has existed
on the Global Crossing network, inbound from peers, for a long time ... we
learned our lesson from the Yahoo DDoS attack (when they were one of our
customers) back in the day and it was shortly thereafter that we
implemented the rate limiters.  Over the past 24 hours we've performed
some experimentation that shows outbound rate limiters being also of value
and we're looking at the specifics of differentiating between happy ICMP
and naughty 92 byte packet ICMP and treating the latter with very strict
rules ... like we would dump it on the floor.  This, I believe, will stomp 
on the bad traffic but allow the happy traffic to pass unmolested.

I think I can safely say that GBLX is beyond "looking at the specifics"
of dropping 92-byte ICMP's, and are in fact doing it. And have not
really bothered telling their customers about it either.

We happen to use GBLX as one of our upstreams, and have a GigE pipe
towards them. Since MS in their infinite wisdom seem to use 92-byte ICMP
Echos in the Windows tracert.exe without having any option to use
another protocol and/or packetsize, this certainly has generated several
calls to OUR support desk today, by customers of ours claiming "your
routing is broken, traceroutes aren't getting anywhere!".

Although I obviously understand the reasons, it WOULD be nice if a
supplier would at least take the trouble to inform us when they start
applying filters to customer traffic, so our helpdesk would be prepared
to answer questions about it. We are not a peer, but a paying customer
after all.

Oh, and it is not rate-limiting causing this, it is most definitely
92-byte filters. "traceroute -P icmp www.gblx.net 92" from a decent OS
will drop, any other packetsize works like a charm.
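
An added example, not part of the original message or of any provider's tooling: the distinction drawn above between a 92-byte filter and a rate limiter, expressed as a check over per-size ICMP probe counts. The function name, the loss thresholds and the sample counts are assumptions constructed for illustration.

```python
# Added example: tell a size-specific ICMP filter apart from a rate limiter
# using per-size probe counts. All sample data below is constructed.

def classify(probes, blocked_at=0.95, clean_at=0.05):
    """probes: {ip_packet_size: (sent, answered)} for ICMP probes on one path.

    Returns (verdict, sizes); verdict is 'clean', 'size-filter',
    'rate-limit' or 'inconclusive'. Thresholds are assumptions.
    """
    loss = {}
    for size, (sent, answered) in probes.items():
        if sent <= 0 or not 0 <= answered <= sent:
            raise ValueError(f"bad counts for size {size}")
        loss[size] = 1 - answered / sent

    blocked = sorted(s for s, l in loss.items() if l >= blocked_at)
    clean = [s for s, l in loss.items() if l <= clean_at]
    partial = [s for s in loss if s not in blocked and s not in clean]

    if not blocked and not partial:
        return "clean", []
    # A filter keyed on packet length kills specific sizes outright and
    # leaves every other size untouched.
    if blocked and clean and not partial:
        return "size-filter", blocked
    # A packet-rate limiter ignores length: every size loses some probes
    # and no single size is singled out.
    if partial and not clean and not blocked:
        return "rate-limit", []
    return "inconclusive", blocked


# Constructed samples (not measurements from the thread).
SIZE_FILTERED = {64: (30, 30), 84: (30, 30), 92: (30, 0),
                 100: (30, 29), 1500: (30, 30)}
RATE_LIMITED = {64: (30, 17), 84: (30, 19), 92: (30, 16),
                100: (30, 18), 1500: (30, 15)}
UNFILTERED = {64: (30, 30), 92: (30, 30), 1500: (30, 29)}

if __name__ == "__main__":
    for name, data in [("size-filtered", SIZE_FILTERED),
                       ("rate-limited", RATE_LIMITED),
                       ("unfiltered", UNFILTERED)]:
        print(name, classify(data))
```

Probing several sizes on either side of 92 bytes is what makes the verdict meaningful; a single failing size with no neighbours tested cannot separate the two cases.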
