* Sean Donelan said:
On Thu, 28 Aug 2003, Steve Carter wrote:
The rate-limiters have become more interesting recently, meaning they've actually started dropping packets (quite a lot in some cases) because of the widespread exploitation of unpatched windows machines.
Yep, the amount of ICMP traffic seems to be increasing on most backbones due to worm activity. It probably hasn't exceed HTTP yet, but it is surpasssing many other protocols. Some providers have seen ICMP increase by over 1,000% over the last two weeks.
The results of our data collection is almost unbelievable. I've had to have it rechecked multiple times because I had a hard time even groking the scale. Like, dude, is your calculator broken? It appears that the volume is still growing ... even with the widespread publicity. Those of us that are sourcing this traffic need to protect ourselves and the community by rate limiting because the exploited are not. I agree with Wayne that we need to be smart (reads: very specific) about how we rate limit during this event. When the event is over we can go back to just a simple rate limit that protects us in a very general way until the next event jumps up. <private message> Yuh, Jay, I changed my tune ... you were right. </private message> -Steve