North American Network Operators Group

Re: ICANN Targets DDoS Attacks

  • From: Brett Frankenberger
  • Date: Tue Oct 29 21:53:03 2002

On Tue, Oct 29, 2002 at 09:05:40PM -0500, Jared Mauch wrote:
> 
> 	Please discontinue imagination.  You obviously don't understand how
> traceroute works by sending udp packets and getting icmp ttl expired
> messages back which are not icmp {echo,echo-reply}.  Come back when you do
> understand how it works.  /sigh

Addressing just the issue of how traceroute works, I'll point out that
(a) Most or all flavors of traceroute distributed by Microsoft use ICMP
ECHO instead of UDP for the outbound packets (the old issue of some
stacks not sending ICMP errors in response to any ICMP is not much of
an issue these days, so Microsoft's non-traditional method works almost
as well as the traditional UDP method), and (b) A Microsoft traceroute
is what most customers will be using.

FWIW, I don't think rate limiting ICMP is likely to have a negative
impact.  I also don't think it's a good idea, though -- it might help
to identify or prevent some problems in the short term, but in the long
run, it's a race we can't win -- if everyone limits ICMP, people will
launch DDoS attacks with, say, packets to 80/tcp -- rate limiting that
is more problematic.  ICMP rate limiting isn't anywhere near a big
enough win, from my perspective, to justify adding complexity to the
network, and having to remember, when troubleshooting strange problems,
that ICMP is no longer forwarded just like any other packet.

     -- Brett
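The mechanics the two posters are arguing about, as an added example that is not part of the original thread or of any traceroute implementation: both probe styles are built as raw bytes (traditional UDP-to-high-port probes, and the ICMP Echo probes Microsoft's tracert sends), the ICMP Time Exceeded, Port Unreachable and Echo Reply packets a router or end host would return are constructed for them, and a parser matches each reply back to its probe using the quoted IP header plus 8 bytes that RFC 792 requires in ICMP errors. Nothing is sent on the wire; the addresses, the hop list and the 0x1234 echo identifier are constructed for the example. The point it makes concrete is the one in the reply above: whichever probe type is used, the return path is ICMP, so any ICMP filtering or rate limiting on the hops affects both kinds of traceroute equally.

```python
import socket
import struct

# Constructed addresses from the RFC 5737 documentation ranges (not real hosts)
SRC = "192.0.2.10"                # the tracing host
DST = "198.51.100.7"              # the trace target
PATH = ["203.0.113.1", "203.0.113.2", "203.0.113.3", DST]   # hops in order

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
PROTO_ICMP, PROTO_UDP = 1, 17


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit big-endian words; 0 if valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def with_checksum(hdr, offset):
    """Return hdr with the 16-bit checksum field at `offset` filled in."""
    return hdr[:offset] + struct.pack("!H", inet_checksum(hdr)) + hdr[offset + 2:]


def ipv4(src, dst, proto, ttl, payload):
    """20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return with_checksum(hdr, 10) + payload


def udp_probe(ttl, dport):
    """Traditional (Van Jacobson) probe: UDP to an unused high port. The
    destination port is bumped per probe so the reply can be matched.
    UDP checksum is left 0, which IPv4 permits."""
    udp = struct.pack("!HHHH", 33434, dport, 8 + 4, 0) + b"trac"
    return ipv4(SRC, DST, PROTO_UDP, ttl, udp)


def echo_probe(ttl, ident, seq):
    """Microsoft tracert style probe: ICMP Echo Request; id/seq identify it."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    return ipv4(SRC, DST, PROTO_ICMP, ttl, with_checksum(icmp, 2))


def icmp_error(router, probe, itype, icode):
    """ICMP error from `router` (Time Exceeded when the TTL hits zero, or
    Destination Unreachable) quoting the probe's IP header + first 8 bytes."""
    ihl = (probe[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", itype, icode, 0, 0) + probe[:ihl + 8]
    return ipv4(router, socket.inet_ntoa(probe[12:16]), PROTO_ICMP, 64, with_checksum(icmp, 2))


def echo_reply(host, probe):
    """Echo Reply from the final host, echoing the request's id and seq."""
    ihl = (probe[0] & 0x0F) * 4
    icmp = struct.pack("!BBH", ICMP_ECHO_REPLY, 0, 0) + probe[ihl + 4:ihl + 8]
    return ipv4(host, socket.inet_ntoa(probe[12:16]), PROTO_ICMP, 64, with_checksum(icmp, 2))


def classify(pkt):
    """Decode an IPv4/ICMP packet into (kind, hop, key), or None if it is not a
    reply to one of our probes. key is the UDP destination port for a UDP
    probe or the (id, seq) pair for an Echo probe, recovered from the quoted
    original datagram inside the ICMP error (or from the Echo Reply itself)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != PROTO_ICMP:
        return None
    hop = socket.inet_ntoa(pkt[12:16])
    icmp = pkt[ihl:]
    if inet_checksum(icmp) != 0:          # corrupted or forged reply
        return None
    itype = icmp[0]
    if itype == ICMP_ECHO_REPLY:
        return ("echo-reply", hop, struct.unpack("!HH", icmp[4:8]))
    if itype not in (ICMP_TIME_EXCEEDED, ICMP_DEST_UNREACH):
        return None
    inner = icmp[8:]                                  # quoted original datagram
    l4 = inner[(inner[0] & 0x0F) * 4:][:8]            # its first 8 transport bytes
    if inner[9] == PROTO_UDP:
        key = struct.unpack("!H", l4[2:4])[0]
    elif inner[9] == PROTO_ICMP and l4[0] == ICMP_ECHO_REQUEST:
        key = struct.unpack("!HH", l4[4:8])
    else:
        return None
    return ("ttl-expired" if itype == ICMP_TIME_EXCEEDED else "unreachable", hop, key)


def simulate_trace(style):
    """Send one probe per TTL down the constructed PATH, generate the reply the
    hop at that TTL would return, and collect (ttl, hop, kind) as a tracer
    would print them. Raises if a reply cannot be tied back to its probe."""
    hops = []
    for ttl in range(1, len(PATH) + 1):
        hop = PATH[ttl - 1]
        if style == "udp":
            key, probe = 33434 + ttl, udp_probe(ttl, 33434 + ttl)
            reply = (icmp_error(hop, probe, ICMP_DEST_UNREACH, 3) if hop == DST   # port unreachable
                     else icmp_error(hop, probe, ICMP_TIME_EXCEEDED, 0))
        else:
            key, probe = (0x1234, ttl), echo_probe(ttl, 0x1234, ttl)
            reply = echo_reply(hop, probe) if hop == DST else icmp_error(hop, probe, ICMP_TIME_EXCEEDED, 0)
        kind, seen, got = classify(reply)
        if got != key:
            raise RuntimeError("reply %r does not match probe key %r" % (got, key))
        hops.append((ttl, seen, kind))
        if kind != "ttl-expired":          # reached the destination
            break
    return hops


if __name__ == "__main__":
    for style in ("udp", "icmp"):
        print(style, simulate_trace(style))
```

Both styles end the trace on a different signal: the UDP tracer stops when it sees ICMP Destination Unreachable (code 3, port unreachable) from the target, the Echo tracer when it sees an Echo Reply. Every intermediate hop is learned from ICMP Time Exceeded in both cases, which is why a hop that drops or rate limits ICMP shows up as `* * *` regardless of which traceroute the customer ran; on Linux, `traceroute -I` selects the Echo style explicitly.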