North American Network Operators Group

Re: Rate limiting UDP,Multicast,ICMP
I have also heard of providers who have rate limited icmp on their own
backbone links, or links facing peering partners, just something else to
consider..

Brian

----- Original Message -----
From: "David Schwartz" <[email protected]>
To: <[email protected]>; <[email protected]>
Sent: Wednesday, November 14, 2001 2:53 PM
Subject: Re: Rate limiting UDP,Multicast,ICMP

> On Tue, 13 Nov 2001 12:42:01 -0500, Thomas Gainer wrote:
>
> >A little more information. We sell 100Mb Ethernet pipes to the Internet.
> >(Yes, there are a few of us left). A fair number of these customers are
> >small businesses. Usually, they have servers but very little IT support and
> >even less IT know-how. My thought is to rate limit UDP and ICMP at the
> >customer port to no more than 3Mb/s so WHEN (not if) a customer is
> >compromised, the effects are somewhat limited and my MAN pipes have some
> >measure of protection. The question is, what am I not thinking of? DNS, TFTP
> >and such should all operate virtually unaffected, as they are not bandwidth
> >hungry services.
>
> Are you rate limiting only inbound? Or both ways? Are you trying to protect
> your customers from attack or prevent them from being the source of attacks
> if their machines are compromised? Or both?
>
> If you rate-limit UDP outbound, you make it very hard for your customers to
> source streaming media. If you rate-limit inbound, you make it very hard for
> your customers to reflect streaming media. So long as you let your customers
> know what you're doing in advance, you shouldn't have any problems.
>
> You may wish to allow clueful customers to opt out of this filtering
> (ideally selectively) if they do wish to do things with high-bandwidth UDP
> applications. It wouldn't be unreasonable to require customers opting out of
> such filtering to assume responsibility/liability for any floods that might
> affect them as a result. You may wish to charge them for your costs associated
> with floods they originate that affect others as well.
>
> DS
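
Added example, not part of the original thread: a Python simulation of the policy Thomas Gainer describes, a token-bucket policer that holds UDP and ICMP on one customer port to 3 Mb/s while other protocols bypass it. The burst size, the traffic mix and every name below are assumptions constructed for illustration; the output splits DNS into the period before and during a flood so the effect on legitimate UDP sharing the bucket can be measured.

```python
RATE_BPS = 3_000_000       # 3 Mb/s ceiling proposed in the thread
BURST_BYTES = 64_000       # assumed burst allowance; the thread gives none
POLICED = {"udp", "icmp"}  # everything else (e.g. TCP) bypasses the policer

class Policer:
    def __init__(self, rate_bps=RATE_BPS, burst=BURST_BYTES):
        self.bytes_per_us = rate_bps / 8 / 1_000_000
        self.burst = burst
        self.tokens = float(burst)   # bucket starts full
        self.last_us = 0

    def allow(self, now_us, proto, size):
        if proto not in POLICED:
            return True
        # Refill for the elapsed time, capped at the burst size.
        refill = (now_us - self.last_us) * self.bytes_per_us
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_us = now_us
        if size > self.tokens:
            return False             # out of profile: drop
        self.tokens -= size
        return True

def constructed_traffic():
    """10 s of constructed traffic on one port: (time_us, proto, size, flow)."""
    pkts = []
    for t in range(0, 10_000_000, 20_000):        # DNS: 50 x 100 B per s = 40 kb/s
        pkts.append((t, "udp", 100, "dns"))
    for t in range(0, 10_000_000, 1_000):         # TCP: 1000 x 1460 B per s = 11.7 Mb/s
        pkts.append((t, "tcp", 1460, "tcp"))
    for t in range(5_000_000, 10_000_000, 100):   # compromised host: 80 Mb/s UDP from t = 5 s
        pkts.append((t, "udp", 1000, "flood"))
    return sorted(pkts)

def simulate(pkts):
    """Return {flow: [bytes_offered, bytes_passed]}; DNS is split at flood start."""
    policer, stats = Policer(), {}
    for now_us, proto, size, flow in pkts:
        if flow == "dns":
            flow = "dns_before" if now_us < 5_000_000 else "dns_during"
        row = stats.setdefault(flow, [0, 0])
        row[0] += size
        if policer.allow(now_us, proto, size):
            row[1] += size
    return stats

if __name__ == "__main__":
    for flow, (offered, passed) in simulate(constructed_traffic()).items():
        print(f"{flow:11s} offered={offered:>10d} B  passed={passed:>10d} B")
```

Swapping the flood's packet size or the assumed burst value shows how much of the aggregate UDP budget a single compromised host can consume.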