Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)

  • From: Steve Carter
  • Date: Thu Aug 28 11:44:33 2003

* said:
> On Wed, 27 Aug 2003, wrote:
> > We have a similarly sized connection to MFN/AboveNet, which I won't
> > recommend at this time due to some very questionable null routing they're
> > doing (propogating routes to destinations, then bitbucketing traffic sent
> > to them) which is causing complaints from some of our customers and
> > forcing us to make routing adjustments as the customers notice
> > MFN/AboveNet has broken our connectivity to these destinations.
> We've noticed that one of our upstreams (Global Crossing) has introduced 
> ICMP rate limiting 4/5 days ago.  This means that any traceroutes/pings 
> through them look awful (up to 60% apparent packet loss).  After 
> contacting their NOC, they said that the directive to install the ICMP 
> rate limiting was from the Homeland Security folks and that they would not 
> remove them or change the rate at which they limit in the foreseeable 
> future.

Homeland Security recommended the filtering of ports 137-139 but have not,
to my knowledge, recommended rate limiting ICMP.

I speak for Global Crossing when I say that ICMP rate limiting has existed
on the Global Crossing network, inbound from peers, for a long time ... we
learned our lesson from the Yahoo DDoS attack (when they were one of our
customers) back in the day and it was shortly thereafter that we
implemented the rate limiters.  Over the past 24 hours we've performed
some experimentation that shows outbound rate limiters being also of value
and we're looking at the specifics of differentiating between happy ICMP
and naughty 92 byte packet ICMP and treating the latter with very strict
rules ... like we would dump it on the floor.  This, I believe, will stomp 
on the bad traffic but allow the happy traffic to pass unmolested.

The rate-limiters have become more interesting recently, meaning they've
actually started dropping packets (quite a lot in some cases) because of
the widespread exploitation of unpatched windows machines.

Our results show that were we to raise the size of the queues the quantity
of ICMP is such that it would just fill it up and if we permit all ICMP to
pass unfettered we would find some peering circuits that become conjested.  
Our customers would not appreciate the latter either.


Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.