North American Network Operators Group

ICMP rate limiting on EGRESS (Warning, operational content inside)

  • From: Alex Bligh
  • Date: Sun Jan 16 13:16:07 2000

It is reasonably well acknowledged that ratelimiting ICMP on *ingress*
to your network can be a good thing to do, if you have available
resources to do it.

How about players rate-limiting ICMP on *egress* of the network over
public exchange points. I have been on the wrong end of several
smurfs over 100Mb/s over MAE-East & West, as, I'm sure have others.
Whenever anyone is smurfed like this, I presume their port blocks,
and anyone sending them data has head of line blocking. Which means,
in effect, anyone peering with anyone who is being (sufficiently)
smurfed will experience packet loss to *other* peers.

By rate-limiting ICMP on output (to perhaps 3 or 4 times its normal
value which here is 4 times 1% of normal traffic levels), then if
one of your peers is being smurfed, you help save HoL blocking
occurring. If your peer blocks these on ingress, it won't help - the
packets will still get switched.

From what I am (unscientifically) seeing, packet loss over the MAE
is spiky and can go through periodicity of badness not dissimilar
to the length of such DoS attacks. I am not, of course, suggesting
that this will solve all the MAE's problems. If the Gigaswitches
could give even an approximation of total traffic that was ICMP,
and see if peaks in this correspond to peaks in packet loss between
routers on the MAE (not just across the switch fabric), we could
even attempt to measure this.

Is this a good idea?

-- 
Alex Bligh
GX Networks (formerly Xara Networks)
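As an added illustration (not part of Alex's post, and not a configuration from GX Networks or any exchange operator), here is how the egress ICMP rate limit discussed above would be expressed with Cisco IOS committed access rate (CAR) on an exchange-point port. Everything specific is an assumption: a 100 Mb/s FastEthernet port facing the switch, access list number 101, and a ceiling of 4 Mb/s, which is the post's "4 times 1%" figure applied to a 100 Mb/s port. The burst sizes follow the common CAR rule of thumb of 1.5 seconds' worth of the configured rate for the normal burst and twice that for the extended burst.

```cisco
! Added example, not from the original post. Interface, ACL number and
! rates are assumptions chosen to match the "4 times 1%" figure above.
!
! Match only echo and echo-reply: that is what a smurf flood consists of.
! Leaving other ICMP types (unreachable, time-exceeded) unlimited keeps
! path-MTU discovery and traceroute working for hosts behind this port.
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
!
interface FastEthernet1/0
 description Exchange point port (assumed 100 Mb/s)
 ! Egress limit: 4 Mb/s = 4 x 1% of a 100 Mb/s port.
 ! Burst values are in bytes: 4,000,000 bps / 8 * 1.5 s = 750,000 normal,
 ! 1,500,000 extended. Conforming ICMP is forwarded, excess is dropped.
 rate-limit output access-group 101 4000000 750000 1500000 conform-action transmit exceed-action drop
!
! Verification: the per-interface counters show conformed vs. exceeded bytes.
! A rising "exceeded" count while a peer is under a smurf is the expected
! sign that the limit is doing its job without touching non-ICMP traffic.
! show interfaces FastEthernet1/0 rate-limit
```

The limit is applied in the output direction because that is the only placement that relieves the head-of-line blocking the post describes: packets dropped here never enter the switch fabric, whereas an ingress filter on the far side of the exchange, as the post notes, acts only after the packets have already crossed it. Size the rate from a baseline of measured ICMP on the port rather than a guess, and watch the exceeded counter during normal operation so the limit is known not to clip legitimate traffic.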