Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: ICANN Targets DDoS Attacks

  • From: Brett Frankenberger
  • Date: Tue Oct 29 21:53:03 2002

On Tue, Oct 29, 2002 at 09:05:40PM -0500, Jared Mauch wrote:
> 
> 	Please discontinue imagination.  You obviously don't understand how
> traceroute works by sending udp packets and getting icmp ttl expired
> messages back which are not icmp {echo,echo-reply}.  Come back when you do
> understand how it works.  /sigh

Addressing just the issue of how traceroute works, I'll point out that
(a) Most or all flavors of traceroute distributed by Microsoft use ICMP
ECHO instead of UDP for the outbound packets (the old issue of some
stacks not sending ICMP errors in response to any ICMP being not much
of an issue these days, Microsoft's non-traditional method works almost
as good as the traditional UDP method), and (b) A Microsoft traceroute
is what most customers will be using.

FWIW, I don't think rate limiting ICMP is likely to have a negative
impact.  I also don't think it's a good idea, though -- it might help
to identify or prevent some problems in the short term, but in the long
run, it's a race we can't win -- if everyone limits ICMP, people will
launch DDos attacks with, say, packets to 80/tcp -- rate limiting that
is more problematic.  ICMP rate limiting isn't anywhere near a big
enough win, from my perspective, to justify adding complexity to the
network, and having to remember, when troubleshooting strange problems,
that ICMP is no longer forwarded just like any other packet.

     -- Brett




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.