North American Network Operators Group


Re: [NANOG] Limiting ICMP

  • From: Rob Thomas
  • Date: Wed May 21 17:18:42 2008

Yep, agreed, we need to update those docs. The basic ICMP filtering guide still resides here, and comments are welcome:

<http://www.cymru.com/Documents/icmp-messages.html>


John Kristoff wrote:
On Sat, 17 May 2008 23:53:00 -0400
Drew Weaver wrote:

I'm wondering if anyone else has run into this/has heard of/(is responsible for)/knows the reason behind large IP providers limiting ICMP on outbound connections to the same amounts regardless of the size of the circuit?


I might be partially responsible for furthering some of that activity. I've done this sort of thing on initial ingress facing links (e.g. LAN segments with client-oriented systems) and it was me who provided the sample configs for the cymru junos template for limiting udp and icmp.

Perhaps I mentioned it on a mailing list or in some internal documentation somewhere, but the way I've done it is typically to limit those two IP protocols (and sometimes other things like multicast) to some fraction of a percent on an edge LAN ingress link speed, which is not in the template. Egress, aggregate and peering/Internet facing links shouldn't have these limits (yes, kind of a pain to manage if you're not good at router config management). Unfortunately I didn't provide all that detail to the cymru folks at the time and as I'm sure they are aware those templates are quite a bit outdated now and could easily take some heavy revisioning.

In the environments where I've done this, my experience was that it was an acceptable practice at the time and in a couple cases it did help the net upstream when something went wrong (e.g. this did stop some real DoS traffic for me more than once). I made use of protocol counters or some monitoring tools to ensure they were not unnecessarily dropping valid packets. Your mileage may vary of course, as it apparently does?

John


-- Rob Thomas Team Cymru The WHO and WHY team http://www.team-cymru.org/
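The per-link rate limit John describes (ICMP and UDP policed to a fraction of a percent of line rate, applied only on the ingress side of client-facing LAN ports, with counters so you can see what the policer is actually dropping) written out as a Junos firewall filter. This is an added example, not the page's own text, the Team Cymru template, or John's configs. The filter and policer names, the interface ge-0/0/1, the 15k burst size, and the choice of 0.1% of a 1 Gbit/s port (1 Mbit/s per protocol) are all assumptions.

```junos
/* Added example; not from the page or the Team Cymru junos template. */
/* Assumption: 1 Gbit/s edge LAN port, ICMP and UDP each capped at
   0.1% of line rate (1 Mbit/s). Junos "bandwidth-percent" accepts whole
   percentages only, so a sub-percent cap needs an explicit bandwidth-limit
   derived from the port speed. Burst size 15k is an assumed starting point. */
firewall {
    policer POLICE-ICMP-EDGE {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer POLICE-UDP-EDGE {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter EDGE-LAN-INGRESS {
            /* Each term both polices and counts. The counter records every
               matching packet, the policer records what it discarded, so
               the two together show how much legitimate traffic the limit
               is eating (the check John says he did with protocol counters). */
            term limit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer POLICE-ICMP-EDGE;
                    count icmp-in;
                    accept;
                }
            }
            term limit-udp {
                from {
                    protocol udp;
                }
                then {
                    policer POLICE-UDP-EDGE;
                    count udp-in;
                    accept;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    /* Input direction only, on the client-facing LAN port. Following the
       post, this filter is not attached to aggregation, egress or
       peering/Internet-facing interfaces. */
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input EDGE-LAN-INGRESS;
                }
            }
        }
    }
}
```

After commit, `show firewall filter EDGE-LAN-INGRESS` lists the `icmp-in` and `udp-in` counters alongside per-term policer entries (named `POLICE-ICMP-EDGE-limit-icmp` and `POLICE-UDP-EDGE-limit-udp`) with the bytes and packets discarded. If the policer counts climb steadily during normal operation rather than only during an event, the limit is too low for that port and should be raised before it starts discarding valid traffic; scaling `bandwidth-limit` with the port speed is the point of setting it per edge link rather than to one fixed figure everywhere.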