ICMP rate limiting on EGRESS (Warning, operational content inside)
It is reasonably well acknowledged that ratelimiting ICMP on *ingress* to your network can be a good thing to do, if you have available resources to do it.
How about players rate-limiting ICMP on *egress* of the network over public exchange points. I have been on the wrong end of several smurfs over 100Mb/s over MAE-East & West, as, I'm sure, have others. Whenever anyone is smurfed like this, I presume their port blocks, and anyone sending them data has head of line blocking. Which means, in effect, anyone peering with anyone who is being (sufficiently smurfed) will experience packet loss to *other* peers.
By rate-limiting ICMP on output (to perhaps 3 or 4 times its normal value, which here is 4 times 1% of normal traffic levels), then if one of your peers is being smurfed, you help save HoL blocking occurring. If your peer blocks these on ingress, it won't help - the packets will still get switched.
From what I am (unscientifically) seeing, packet loss over the MAE is spikey and can go through periodicity of badness not dissimilar to the length of such DoS attacks. I am not, of course, suggesting that this will solve all the MAE's problems. If the Gigaswitches could give even an approximation of total traffic that was ICMP, and see if peaks in this correspond to peaks in packet loss between routers on the MAE (not just across the switch fabric), we could even attempt to measure this.
Is this a good idea?
-- Alex Bligh, GX Networks (formerly Xara Networks)
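The egress policer proposed in the post above, as an added simulation that is not from the thread or from any vendor: a token bucket caps ICMP leaving a 100 Mb/s exchange port at 4 Mb/s (four times a 1% baseline, the figure the post uses), while every other protocol is forwarded untouched. The link speed, the 1000-byte echo-reply flood at 10,000 pps, the burst depth and the TCP background are all constructed values; the point is to see how much of a smurf flood still reaches the port once ICMP is held to a small share.

```python
"""Simulated ICMP egress policer: a token bucket caps ICMP at a fixed share of
link capacity while every other protocol passes untouched.
Added example; the packet stream below is constructed, not captured."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ICMP, TCP = 1, 6            # IP protocol numbers
FLOOD_START_US = 1_000_000  # the constructed flood begins one second in


@dataclass
class Packet:
    t_us: int    # arrival time in microseconds; integers keep the refill arithmetic exact
    proto: int
    size: int    # bytes


class TokenBucket:
    """Sustained `rate` bytes per microsecond with at most `burst` bytes of credit."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last_us = 0

    def conform(self, t_us: int, size: int) -> bool:
        # Refill in proportion to elapsed time, never beyond the bucket depth.
        self.tokens = min(self.burst, self.tokens + (t_us - self.last_us) * self.rate)
        self.last_us = t_us
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def police_egress(packets: List[Packet], icmp_limit_bps: int,
                  burst_us: int) -> Tuple[List[Packet], List[Packet]]:
    """Forward everything except ICMP that exceeds icmp_limit_bps (burst_us worth allowed)."""
    rate = icmp_limit_bps / 8 / 1_000_000          # bytes per microsecond
    bucket = TokenBucket(rate, int(rate * burst_us))
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for p in sorted(packets, key=lambda p: p.t_us):   # stable sort keeps ties in order
        if p.proto == ICMP and not bucket.conform(p.t_us, p.size):
            dropped.append(p)
        else:
            forwarded.append(p)
    return forwarded, dropped


def build_stream() -> List[Packet]:
    """Constructed two-second trace: steady TCP, quiet ICMP in second one,
    then a smurf-style echo-reply flood (1000-byte packets, 10,000 pps = 80 Mb/s)."""
    pkts = [Packet(i * 1_000, TCP, 1500) for i in range(2_000)]        # 12 Mb/s of TCP
    pkts += [Packet(i * 10_000, ICMP, 1000) for i in range(100)]        # 0.8 Mb/s of ICMP
    pkts += [Packet(FLOOD_START_US + i * 100, ICMP, 1000) for i in range(10_000)]
    return pkts


def run_demo(icmp_limit_bps: int = 4_000_000, burst_us: int = 100_000) -> Dict[str, int]:
    """Police the constructed stream and count what happened to each class of traffic."""
    fwd, drop = police_egress(build_stream(), icmp_limit_bps, burst_us)
    return {
        "tcp_forwarded": sum(p.proto == TCP for p in fwd),
        "tcp_dropped": sum(p.proto == TCP for p in drop),
        "icmp_quiet_dropped": sum(p.proto == ICMP and p.t_us < FLOOD_START_US for p in drop),
        "icmp_flood_forwarded": sum(p.proto == ICMP and p.t_us >= FLOOD_START_US for p in fwd),
        "icmp_flood_dropped": sum(p.proto == ICMP and p.t_us >= FLOOD_START_US for p in drop),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:>22}: {v}")
```

With these constructed numbers the quiet-period ICMP never touches the limit, all TCP is forwarded, and of the 10,000 flood packets only 549 get out (the 50,000-byte burst plus 4 Mb/s sustained over the second), so the port carries a few megabits of ICMP instead of 80. Whether a given router can apply such a policer on the output side without the CPU cost the thread goes on to discuss is a platform question the simulation does not answer.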
On Sun, Jan 16, 2000 at 08:06:21PM -0800, Randy Bush wrote:
Is this a good idea?
seems to me that there's sufficient chance that it is a REALLY good idea, that folk should seriously try it.
ideas that good should have been implemented a long time ago. OTOH, I am of the opinion that the real problem is neither ICMP nor IP directed broadcast. the real problem, as I see it, is spoofed-source packets. the others are scapegoat accomplices which are more easily corrected, and therefore more susceptible to brute-force corrective action. there has been talk, and even a few implementations to correct the real problem, but it has not gotten the attention or corrective action that it deserves. perhaps this is because it is impractical to dial into every ISP's modem banks and determine if they allow spoofed-source packets for the purpose of creating the ever popular black-list of naughty network operators. upon further pondering, I came up with this variation on a time-honored favorite: the solution: cheap, easy, correct...pick 2.
At 09:13 AM 01/17/2000 +0000, Sam Thomas wrote:
ideas that good should have been implemented a long time ago. OTOH, I am of the opinion that the real problem is neither ICMP nor IP directed broadcast. the real problem, as I see it, is spoofed-source packets.
This is the principal reason to encourage everyone to implement RFC2267-style filtering. :-/ - paul
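The RFC2267-style filtering Paul points to, as an added illustration that is not from the thread: a router drops a packet on a customer-facing interface unless its source address falls inside a prefix actually assigned behind that interface, so spoofed-source packets (the raw material of a smurf) never leave the edge. The interface names, the assigned prefixes (RFC 5737 documentation ranges) and the packet trace are all constructed for the example.

```python
"""Source-address (RFC 2267 style) ingress filter, simulated in Python.
Added example, not from the thread: interface names, prefixes and the trace
are constructed using RFC 5737 documentation ranges."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Prefixes legitimately originated behind each customer-facing interface (constructed).
INTERFACE_PREFIXES: Dict[str, List[str]] = {
    "Serial0/0": ["192.0.2.0/24"],
    "Serial0/1": ["198.51.100.0/25", "198.51.100.128/26"],
}
_NETS = {iface: [ip_network(p) for p in prefixes]
         for iface, prefixes in INTERFACE_PREFIXES.items()}


def ingress_permit(iface: str, src: str) -> bool:
    """Permit only if src is inside a prefix assigned to the arrival interface.
    An interface with no assignment permits nothing, so the filter fails closed."""
    return any(ip_address(src) in net for net in _NETS.get(iface, []))


# Constructed trace of (interface, source, destination). The spoofed entries are
# what the filter exists to stop: a source address the sender does not hold.
TRACE: List[Tuple[str, str, str]] = [
    ("Serial0/0", "192.0.2.44", "203.0.113.10"),       # customer A, own address
    ("Serial0/0", "198.51.100.9", "203.0.113.255"),    # customer A using customer B's space
    ("Serial0/0", "10.0.0.7", "203.0.113.1"),          # private source, never valid here
    ("Serial0/1", "198.51.100.130", "203.0.113.10"),   # customer B, second block
    ("Serial0/1", "198.51.100.200", "203.0.113.10"),   # gap between B's two blocks
    ("Serial0/2", "192.0.2.1", "203.0.113.10"),        # interface with no assignment
]


def apply_filter(trace: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Classify each packet in the trace as permitted or denied."""
    verdict: Dict[str, List[str]] = {"permit": [], "deny": []}
    for iface, src, dst in trace:
        key = "permit" if ingress_permit(iface, src) else "deny"
        verdict[key].append(f"{iface} {src} -> {dst}")
    return verdict


if __name__ == "__main__":
    for key, lines in apply_filter(TRACE).items():
        for line in lines:
            print(f"{key:6} {line}")
```

Two of the six constructed packets pass; the rest are dropped before they can reach any reflector network. The second "Serial0/1" entry shows why the check must be against the exact assigned prefixes rather than a covering aggregate: 198.51.100.200 sits between that customer's two blocks and is not theirs to source from.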
Is this a good idea?
seems to me that there's sufficient chance that it is a REALLY good idea, that folk should seriously try it.
ideas that good should have been implemented a long time ago. OTOH, I am of the opinion that the real problem is neither ICMP nor IP directed broadcast. the real problem, as I see it, is spoofed-source packets. the ....
upon further pondering, I came up with this variation on a time-honored favorite: the solution: cheap, easy, correct...pick 2.
Source routing and connection based services are creeping into the Internet, slowly but surely. Both are a far cry from the destination forwarding and connectionless service that I grew up with. --bill
It is reasonably well acknowledged that ratelimiting ICMP on *ingress* to your network can be a good thing to do, if you have available resources to do it.
How about players rate-limiting ICMP on *egress* of the network over public exchange points. I have been on the wrong end of several smurfs over 100Mb/s over MAE-East & West, as, I'm sure have others. Whenever anyone is smurfed like this, I presume their port blocks, and anyone sending them data has head of line blocking. Which means, in effect, anyone peering with anyone who is being (sufficiently smurfed) will experience packet loss to *other* peers.
Doesn't work. Cisco decided that wasn't the best application for it so egress is MONUMENTALLY inefficient and cpu intensive. (bye, bye little router)
----------------------------------------------------------------------
Wayne Bouchard [Imagine Your ]
web@typo.org [Company Name Here]
Network Engineer
----------------------------------------------------------------------