Fw: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)

2003-08-28 Thread Gordon


Of the DDOS attacks I have had to deal with in the past year I have seen
none which were icmp based.
As attacks evolve and transform are we really to believe that rate limiting
icmp will have some value in the attacks of tomorrow?
-Gordon


 On Wed, 27 Aug 2003, [EMAIL PROTECTED] wrote:

  We have a similarly sized connection to MFN/AboveNet, which I won't
  recommend at this time due to some very questionable null routing they're
  doing (propagating routes to destinations, then bitbucketing traffic sent
  to them) which is causing complaints from some of our customers and
  forcing us to make routing adjustments as the customers notice
  MFN/AboveNet has broken our connectivity to these destinations.

 We've noticed that one of our upstreams (Global Crossing) has introduced
 ICMP rate limiting 4/5 days ago.  This means that any traceroutes/pings
 through them look awful (up to 60% apparent packet loss).  After
 contacting their NOC, they said that the directive to install the ICMP
 rate limiting was from the Homeland Security folks and that they would not
 remove them or change the rate at which they limit in the foreseeable
 future.

 What are other transit providers doing about this or is it just GLBX?

 Cheers,

 Rich
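The "apparent packet loss" Rich describes can be told apart from real forwarding loss by checking whether the loss persists at the hops beyond the limiting router: a router that rate limits its own ICMP time-exceeded replies shows loss only at its own hop, while drops of forwarded traffic are inherited by every later hop. The following is an added example, not part of this thread; it parses constructed `mtr --report` output (addresses from the documentation ranges) and labels each hop with that heuristic.

```python
import re

# Matches an mtr --report hop line such as
# "  3.|-- 198.51.100.7      60.0%    10   12.1  12.4  11.9  13.0   0.3"
_MTR_LINE = re.compile(
    r"^\s*(?P<ttl>\d+)\.\|--\s+(?P<host>\S+)\s+(?P<loss>[\d.]+)%\s+(?P<sent>\d+)"
)


def parse_mtr_report(text):
    """Return a list of (ttl, host, loss_pct) tuples from mtr --report output."""
    hops = []
    for line in text.splitlines():
        m = _MTR_LINE.match(line)
        if m:
            hops.append((int(m["ttl"]), m["host"], float(m["loss"])))
    return hops


def classify_hops(hops, tolerance=5.0):
    """Label each hop as 'clean', 'icmp-rate-limited' or 'real-loss'.

    Forwarding drops at or before a hop are inherited by every later hop, so
    loss that vanishes downstream means the hop is only rate limiting (or
    deprioritising) its own ICMP replies and forwarded traffic is fine.  The
    last hop has nothing downstream, so its loss is treated as end-to-end loss.
    A hop that never answers (100%) with clean hops beyond it is labelled the
    same way: its silence says nothing about the forwarding path.
    """
    labels = {}
    for i, (ttl, _host, loss) in enumerate(hops):
        downstream = [l for _, _, l in hops[i + 1:]]
        if loss <= tolerance:
            labels[ttl] = "clean"
        elif downstream and loss - min(downstream) > tolerance:
            labels[ttl] = "icmp-rate-limited"
        else:
            labels[ttl] = "real-loss"
    return labels


# Constructed sample: hop 3 answers only 4 of 10 probes, but hops 4 and 5 see
# no loss, so hop 3's 60% is an artefact of ICMP rate limiting, not path loss.
SAMPLE_REPORT = """\
HOST: probe.example.net   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1          0.0%    10    0.4   0.5   0.4   0.7   0.1
  2.|-- 192.0.2.254        0.0%    10    1.2   1.3   1.1   1.6   0.2
  3.|-- 198.51.100.7      60.0%    10   12.1  12.4  11.9  13.0   0.3
  4.|-- 198.51.100.90      0.0%    10   14.8  15.0  14.6  15.5   0.3
  5.|-- 203.0.113.10       0.0%    10   15.2  15.4  15.0  15.9   0.3
"""

if __name__ == "__main__":
    for ttl, label in classify_hops(parse_mtr_report(SAMPLE_REPORT)).items():
        print(ttl, label)
```

Feed it the output of `mtr --report` through a provider you suspect of rate limiting; only hops whose loss is carried forward to the destination indicate trouble worth a NOC ticket.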


Re: Fw: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)

2003-08-28 Thread Paul Vixie

 As attacks evolve and transform are we really to believe that rate
 limiting icmp will have some value in the attacks of tomorrow?

no.  nor those of today.  the only way we're going to flatten the increase
of attack volume, or even turn it into a decrease, is with various forms of
admission control which are considered the greater evil by a lot of the
half baked civil libertarians who inhabit the internet at layer 9.

for example, edge urpf.  for example, full realtime multinoc issue tracking.
for example, route filtering based on rir allocations.  for example, peering
agreements that require active intermediation when downstreams misbehave.

you can have peace.  or you can have freedom.  don't ever count on having
both at once. -LL (RAH)
-- 
Paul Vixie


Re: Fw: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)

2003-08-28 Thread Michael Hallgren

According to Christopher L. Morrow [EMAIL PROTECTED]:

 
 On Thu, 28 Aug 2003, [EMAIL PROTECTED] wrote:
 
  On Thu, 28 Aug 2003, Christopher L. Morrow wrote:
 
   Rate-limiting ICMP is 'ok' if you, as the provider, think it's worthwhile
   and you, as the provider, want to deal with the headache phone calls...
 
  Would it be fair to say that UUNET haven't been asked by Homeland Security
  to do the rate limiting that GLBX claim they have been asked to do?  Has
 
 That is not fair at all :) DHS asked 'all ISPs' to filter 'all relevant
 traffic' for this latest set of MS worm events. Some ISPs did the
 filtering in part or in whole, others didn't...
 
 I would think that any ISP should have made the decision to take action
 not based on DHS's decree, but on the requirements of their network. So,
 if the ISP's network was adversely impacted by this event, or any other,
 they should take the action that is appropriate for their situation. That
 action might be to filter some or all of the items in DHS's decree, it
 might be to drop prefixes on the floor or turn down customers, or a whole
 host of other options.
 
 Doing things for the govt 'because they asked nicely' is not really the
 best of plans, certainly they don't know the mechanics of your network,
 mine, GBLX's, CW's or anyone else's... they should not dictate a solution.
 They really should work with their industry reps to 'get the word out'
 about a problem and 'make people aware' that there could be a crisis.
 Dictating solutions to 'problems' that might not exist is hardly a way to
 get people to help you out in your cause :) Oh, and why didn't they beat
 on the original software vendor about this?? Ok, no more rant for me :)
 
  anyone else been asked to rate limit by the U.S. Department of Homeland
  Security?
 
 Just about everyone with a large enough US office was asked by DHS, in a
 public statement...
 


Rough agreement; with a fair amount of innocence... : what about attempting
to approach the (at least current) ROOT CAUSE(S) albeit likely fairly (even
more than patching the outcome) cumbersome (but in the long run..)...
/innocence ;)


ohh
-- if having bought a car I discover the brakes don't really do their job
(in spite of the car, considering other aspects, being (easy|nice) to
drive :), I'd rather (chat|complain) with the vendor, than asking the
highway provider to patch my way along.. building cotton walls.. ('cause
I wouldn't want my highway provider to limit my driving experience in the
case I eventually run into a better performing car..). More subtle highway
speed versus security considerations... neglected, of course :)
/ohh

mh


-- 
Michael Hallgren, http://m.hallgren.free.fr/, mh2198-ripe