On Tue, Oct 29, 2002 at 06:00:06PM -0500, Ken Chase wrote:
On Tue, Oct 29, 2002 at 04:11:49PM -0500, Jared Mauch's all...
Once again, I'd like to see anything (other than a performance-checking customer) generate more than 2Mb/s of icmp.echo and icmp.echo-reply packets that are legit and not part of a DoS. This is quite rare.
Little blip in the internet, and all your intelligent customers running linux use their leet tools to figure out what's wrong. They all run mtr vs their preferred sites. Mtr generates one ICMP packet (~80 bytes?) of traffic PER hop in the trace. A route of 20+ hops means 1600 bytes/s per customer (that's 12.8Kbps). 150 customers later you've got 2Mbps of traffic (2Mb/s is 2 megaBITs per second, right? You didn't mean 2 megaBYTES per second? In which case *8).
Is 150 customers a large number?
And there are lots of nice graphical traceroute tools for windoze as well of course, don't know their packet load in full operation however.
Silly me, sometimes I leave mtrs running. I've found 2-3 going all at once at times. <slap!/>
Why is ICMP rate limiting on ECHO and ECHO reply going to stop all DOS attacks? What are they going to do about UDP floods? (Are they proposing
I don't recall saying it will stop all DoS attacks. It will help minimize them. Please discontinue imagination. You obviously don't understand how traceroute works by sending udp packets and getting icmp ttl expired messages back which are not icmp {echo,echo-reply}. Come back when you do understand how it works. /sigh
that DDOS attacks are all smurf based? They've just found a solution to 1996's problems? Amazing!)
They're not, but there is still a large amount of things that just do ping -f <10.2.3.4> and similar types of attacks. If you know what your usual patterns are, it's easy to notice what is out of place.
[ hopefully this post makes it to nanog. my posts've been going to /dev/null with previous attempts ]
/kc
Do your own stats and test your hardware.
- jared
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
-- Ken Chase, math@velocet.ca * Velocet Communications Inc. * Toronto, CANADA
On Tue, Oct 29, 2002 at 09:05:40PM -0500, Jared Mauch wrote:
Please discontinue imagination. You obviously don't understand how traceroute works by sending udp packets and getting icmp ttl expired messages back which are not icmp {echo,echo-reply}. Come back when you do understand how it works. /sigh
Addressing just the issue of how traceroute works, I'll point out that (a) most or all flavors of traceroute distributed by Microsoft use ICMP ECHO instead of UDP for the outbound packets (the old issue of some stacks not sending ICMP errors in response to any ICMP being not much of an issue these days, Microsoft's non-traditional method works almost as well as the traditional UDP method), and (b) a Microsoft traceroute is what most customers will be using.

FWIW, I don't think rate limiting ICMP is likely to have a negative impact. I also don't think it's a good idea, though -- it might help to identify or prevent some problems in the short term, but in the long run, it's a race we can't win -- if everyone limits ICMP, people will launch DDoS attacks with, say, packets to 80/tcp -- rate limiting that is more problematic. ICMP rate limiting isn't anywhere near a big enough win, from my perspective, to justify adding complexity to the network, and having to remember, when troubleshooting strange problems, that ICMP is no longer forwarded just like any other packet.

-- Brett
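The disagreement above turns on what an ICMP echo/echo-reply rate limit actually touches: Jared's point that Unix traceroute sends UDP and gets ICMP time-exceeded back (neither of which is echo), Brett's point that Windows tracert and mtr do use echo, and Ken's estimate of how much echo a crowd of mtr users produces. The following is an added example for this thread, not code from any of the posters; it classifies a constructed one-second window of flow records (TEST-NET addresses, made-up byte counts, a placeholder per-source baseline) so the reader can see which classes an echo limit would affect, what the echo bit rate adds up to, and which source stands out against a baseline.

```python
"""Classify flow records the way the thread's argument needs: which traffic an
ICMP echo/echo-reply rate limit would touch, and whether the echo volume seen is
within what ordinary diagnostics (ping, mtr, Windows tracert) would produce.

Added example for this thread; the record format, baseline numbers and all
addresses are constructed, not taken from the original posts."""

from collections import Counter

# Constructed one-second window of flow records (TEST-NET addresses, not real traffic).
# For UDP/TCP, "a"/"b" are source/destination ports; for ICMP they are type/code.
# "bytes" is the total byte count of the flow, "pkts" its packet count.
FLOWS = [
    # Unix-style traceroute: small UDP probes into the 33434+ destination port range
    {"src": "192.0.2.10", "dst": "198.51.100.1", "proto": "udp", "a": 40321, "b": 33434, "bytes": 180, "pkts": 3},
    # ICMP time-exceeded (type 11) answers from an intermediate router to those probes
    {"src": "203.0.113.1", "dst": "192.0.2.10", "proto": "icmp", "a": 11, "b": 0, "bytes": 168, "pkts": 3},
    # mtr / Windows tracert style: one ~80-byte echo request per hop over a 20-hop path
    {"src": "192.0.2.11", "dst": "198.51.100.1", "proto": "icmp", "a": 8, "b": 0, "bytes": 1600, "pkts": 20},
    # echo replies seen going back to the probing host
    {"src": "198.51.100.1", "dst": "192.0.2.11", "proto": "icmp", "a": 0, "b": 0, "bytes": 1600, "pkts": 20},
    # a single host emitting echo requests at a rate no diagnostic tool produces
    {"src": "192.0.2.99", "dst": "198.51.100.1", "proto": "icmp", "a": 8, "b": 0, "bytes": 2_560_000, "pkts": 40_000},
    # ordinary web traffic: untouched by any ICMP policy
    {"src": "192.0.2.12", "dst": "198.51.100.1", "proto": "tcp", "a": 51000, "b": 80, "bytes": 1_350_000, "pkts": 900},
]

# Classic UDP traceroute starts at destination port 33434 and increments per probe.
TRACEROUTE_UDP_PORTS = range(33434, 33534)
ICMP_TYPES = {8: "echo-request", 0: "echo-reply", 11: "ttl-exceeded"}
ECHO_CLASSES = {"echo-request", "echo-reply"}


def classify(flow):
    """Label a flow record by the role it plays in the thread's discussion."""
    if flow["proto"] == "udp" and flow["b"] in TRACEROUTE_UDP_PORTS:
        return "traceroute-udp"
    if flow["proto"] == "icmp":
        return ICMP_TYPES.get(flow["a"], "icmp-other")
    return "other"


def echo_limited_classes(flows):
    """Classes present in the window that an echo/echo-reply rate limit would act on.
    UDP traceroute probes and the time-exceeded replies they elicit are not among them."""
    return sorted({c for c in map(classify, flows) if c in ECHO_CLASSES})


def echo_bits_per_second(flows, window_s=1.0):
    """Total echo/echo-reply bit rate in the window: the figure to compare with a 2 Mb/s limit."""
    total_bytes = sum(f["bytes"] for f in flows if classify(f) in ECHO_CLASSES)
    return total_bytes * 8 / window_s


def estimate_mtr_bps(customers, hops=20, probe_bytes=80, interval_s=1.0):
    """Ken's back-of-envelope model: one probe per hop per interval for each customer."""
    return customers * hops * probe_bytes * 8 / interval_s


def echo_request_outliers(flows, window_s=1.0, pps_baseline=1000):
    """Sources whose echo-request packet rate exceeds the site's baseline.
    The baseline is a constructed placeholder; a real deployment measures its own."""
    pps = Counter()
    for f in flows:
        if classify(f) == "echo-request":
            pps[f["src"]] += f["pkts"] / window_s
    return sorted(src for src, rate in pps.items() if rate > pps_baseline)


if __name__ == "__main__":
    for f in FLOWS:
        print(f"{f['src']:>14} -> {f['dst']:<14} {classify(f)}")
    print("classes an echo limit touches:", echo_limited_classes(FLOWS))
    print(f"echo traffic this window: {echo_bits_per_second(FLOWS) / 1e6:.2f} Mb/s")
    print(f"150 mtr users over 20 hops: {estimate_mtr_bps(150) / 1e6:.2f} Mb/s")
    print("echo-request outliers:", echo_request_outliers(FLOWS))
```

With these constructed records the UDP traceroute probe and its time-exceeded reply never enter the echo accounting, the 150-customer mtr model lands at 1.92 Mb/s (Ken's figure, once bits and bytes are kept straight), and the single flooding source is the only one above the placeholder baseline; the mtr user at 20 probes per second is not. The baseline value is the part a site has to measure for itself, which is what Jared's "do your own stats" amounts to.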
On 29 Oct 2002 at 20:51, Brett Frankenberger wrote:
Brett! Long time, no hear, now that the Nortel/Bay newsgroup has pretty much wound down. Like Usenet in general.
Addressing just the issue of how traceroute works, I'll point out that (a) Most or all flavors of traceroute distributed by Microsoft use ICMP ECHO instead of UDP for the outbound packets [...]
...And I rather like that method. It's sad, but I'll not allow random high-port UDP to my stations.
FWIW, I don't think rate limiting ICMP is likely to have a negative impact. I also don't think it's a good idea, though -- it might help to identify or prevent some problems in the short term, but in the long run, it's a race we can't win [...]
Hmmm. Agreed.
Peter E. Fry
participants (3): Brett Frankenberger, Jared Mauch, Peter E. Fry