Would anyone be willing to post an operational example of CAR for ICMP? I would like to see what others are doing to combat the problem.
Dan

-----Original Message-----
From: Jared Mauch [mailto:jared@;puck.Nether.net]
Sent: Tuesday, October 29, 2002 13:12
To: Jeff Shultz
Cc: [EMAIL PROTECTED]
Subject: Re: ICANN Targets DDoS Attacks

On Tue, Oct 29, 2002 at 01:03:52PM -0800, Jeff Shultz wrote:
> >> On 10/29/2002 at 3:40 PM [EMAIL PROTECTED] wrote:
> >> >On Tue, 29 Oct 2002 22:25:44 +0200, Petri Helenius
> >> ><[EMAIL PROTECTED]>
> >> said:
> >> >
> >> >> Why would you like to regulate my ability to transmit and
> >> >> receive
> >> data
> >> >> using ECHO and ECHO_REPLY packets? Why they are considered
> >> >> harmful?
> >> >
> >> >Smurf.
> >> >
> >>
> >> Okay. What will this do to my user's ping and traceroute times, if
> >> anything? I've got users who tend to panic if their latency hits
> 250ms
> >> between here and the moon (slight exaggeration, but only slight).
> >>
> >> I just love it when I've got people blaming me because the 20th hop
> on
> >> a traceroute starts returning * * * instead of times.
> >
> > that's icmp ttl expired messages.
>
> I know that, and I try to explain it to my customers... but it doesn't
> answer the first part of the question - what will throttling ICMP do
> to ping and traceroute times? My gut reaction is that it will a. slow
> them

ICMP? Or only icmp echo and icmp echo-reply messages?

In a well behaved router, nothing. Obviously if you have a 7500 or older
GSR linecards that are incapable of doing this due to design problems
from day one in pps rates and feature path, there may be a hit.

I'm not saying rate-limit anything other than echo+reply.

> down and/or b. discard a lot of them making the circuit look
> unreliable to ping. But I don't know enough about the underlying
> technology to be sure of that.

Once again, i'd like to see (other than a performance checking customer)
generate more than 2Mb/s of icmp.echo and icmp.echo-reply packets that
are legit and not part of a DoS. This is quite rare.

Do your own stats and test your hardware.

- jared

--
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
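One way to write down what the quoted reply describes (police only echo and echo-reply, leave every other ICMP type alone) in Cisco IOS CAR syntax. This is an added example and not a configuration posted by anyone in this thread; the interface name, the access-list number, the 2 Mb/s rate and the burst sizes are assumptions chosen for illustration.

```cisco
! Added example, not from the thread: CAR policing of ICMP echo/echo-reply only.
!
! The ACL matches only echo (type 8) and echo-reply (type 0). Other ICMP
! types, including the ttl-exceeded replies traceroute depends on and the
! unreachable/fragmentation-needed messages PMTU discovery depends on, do
! not match and are therefore never policed by this rate-limit.
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
!
! Interface name and numbers are assumptions for illustration:
! 2,000,000 bps committed rate, 256,000 bytes normal burst,
! 512,000 bytes extended burst. Traffic within the rate is transmitted
! unchanged; only the excess is dropped.
interface GigabitEthernet0/0
 rate-limit input access-group 101 2000000 256000 512000 conform-action transmit exceed-action drop
!
! Check the conformed/exceeded counters to see whether legitimate echo
! traffic ever comes near the configured rate before tightening it:
!   show interfaces GigabitEthernet0/0 rate-limit
```

Because the conform action is `transmit`, echo and echo-reply packets below the committed rate pass through with no added delay, so normal ping latency is unaffected; only a burst above the limit (the Smurf-style flood the thread is concerned with) is dropped. The `show interfaces ... rate-limit` counters are the "do your own stats" step: they show how much echo traffic actually conformed versus exceeded on that interface.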