Effects of traffic shaping ICMP (&c.)
Howdy,

When our network is being smurfed, we can call our ISPs and have them setup an access list to block ICMP. That fixes the problem, but it creates another (obvious) problem.

Could traffic shaping, or similar QoS configurations, be used to solve such issues in a more general way? For example, if my source of packet flooding is ICMP, then I'd like to be able to dedicate as much as 1/10th (e.g.) of the bandwidth of each link to ICMP. That's plenty of ICMP, but it's not so much that an attack using ICMP would be effective.

My question, stated briefly, is this: can you solve generic homogenous-packet-flood problems with QoS and/or traffic shaping (if the two can be truly distinguished), in general? If so, are current routers capable of doing it? What would be the effect of doing so on dialup links and backbones?

--- Mark R. Lindsey, mark@datasys.net Internet Engineering, DSS Online LLC Voice: 912.241.0607x200, Fax: 912.241.0190 (US)
On Wed, 2 Dec 1998, Mark R. Lindsey wrote:
Could traffic shaping, or similar QoS configurations, be used to solve such issues in a more general way? For example, if my source of packet flooding is ICMP, then I'd like to be able to dedicate as much as 1/10th (e.g.) of the bandwidth of each link to ICMP. That's plenty of ICMP, but it's not so much that an attack using ICMP would be effective.
At the last NANOG, there was a presentation about Cisco's CAR and how @Home was using it to limit ICMP and detect unusual ICMP activity. Well, that was part of the talk, at least.

http://www.nanog.org/mtg-9811/ppt/witt/index.htm : presentation slides
http://www.nanog.org/mtg-9811/cartalk.ram : presentation in RealVideo

Pete.
On Wed, 2 Dec 1998, Pete Kruckenberg wrote:

I think what is being asked is not how to rate limit what goes through the router, but rather to effect rate limitations on the incoming stream. TCP can be rate limited upstream by playing with TCP window size and ACKs as some of the bandwidth manager products do (Packeteer, Xedia, Elron to name just a few). Unfortunately, there is nothing you can do to UDP or ICMP flows coming your way other than rate limit them as they go through your box. You will still be hit by Smurfs and their ilk and they will still eat up your bandwidth.

-Hank
On Wed, Dec 02, 1998 at 03:57:08PM -0500, Mark R. Lindsey wrote:
==>Could traffic shaping, or similar QoS configurations, be used to solve
==>such issues in a more general way? For example, if my source of packet
==>flooding is ICMP, then I'd like to be able to dedicate as much as 1/10th
==>(e.g.) of the bandwidth of each link to ICMP. That's plenty of ICMP, but
==>it's not so much that an attack using ICMP would be effective.

Sure. Check out my Smurf paper at http://www.quadrunner.com/~chuegen/smurf.html

It has information on using Cisco's Committed Access Rate (CAR) feature to rate-limit traffic such as ICMP echo/echo-reply and TCP SYNs.

/cah
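A CAR configuration of the kind Craig's reply refers to, added here as an illustration and not taken from the thread or from the smurf paper; the interface name, access-list number and the T1-sized rate figures are assumptions, and the 1/10th share is Mark's figure from the question.

```cisco
! Added example, not from the thread or from Huegen's paper: cap ICMP echo
! and echo-reply on the upstream-facing interface at roughly 1/10 of a T1.
! Interface name, ACL number and the bandwidth figures are assumptions.
!
! Match only the ICMP types a smurf consists of. Other ICMP (unreachables,
! time-exceeded, "fragmentation needed") is not policed, so path MTU
! discovery and traceroute keep working during an attack.
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
!
interface Serial0/0
 description Upstream T1 (1544 kbps), assumed link size
 ! Committed Access Rate on ingress: 154 kbps for matching ICMP, 8000-byte
 ! normal burst, 8000-byte excess burst; within rate -> forward, over -> drop.
 rate-limit input access-group 102 154000 8000 8000 conform-action transmit exceed-action drop
 ! Same cap on egress, so this network is a poor smurf amplifier as well.
 rate-limit output access-group 102 154000 8000 8000 conform-action transmit exceed-action drop
```

`show interfaces Serial0/0 rate-limit` reports conformed and exceeded byte counts per rate-limit line, which is also the kind of "unusual ICMP activity" signal Pete's @Home reference describes. As Hank points out, this only protects what sits behind the router; the flood still fills the upstream link until the provider applies the same cap on its side.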
I am not sure about traffic shaping, because this mechanism looks like an evil device, but it's a good place to use the CAR algorithm for this.

On Wed, 2 Dec 1998, Mark R. Lindsey wrote:
Date: Wed, 2 Dec 1998 15:57:08 -0500
From: Mark R. Lindsey <mark@vielle.datasys.net>
To: nanog@merit.edu
Subject: Effects of traffic shaping ICMP (&c.)
Howdy,
When our network is being smurfed, we can call our ISPs and have them setup an access list to block ICMP. That fixes the problem, but it creates another (obvious) problem.
Could traffic shaping, or similar QoS configurations, be used to solve such issues in a more general way? For example, if my source of packet flooding is ICMP, then I'd like to be able to dedicate as much as 1/10th (e.g.) of the bandwidth of each link to ICMP. That's plenty of ICMP, but it's not so much that an attack using ICMP would be effective.
My question, stated briefly, is this: can you solve generic homogenous-packet-flood problems with QoS and/or traffic shaping (if the two can be truly distinguished), in general? If so, are current routers capable of doing it? What would be the effect of doing so on dialup links and backbones?
--- Mark R. Lindsey, mark@datasys.net Internet Engineering, DSS Online LLC Voice: 912.241.0607x200, Fax: 912.241.0190 (US)
Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)