Effects of traffic shaping ICMP (&c.)

Mark R. Lindsey mark at vielle.datasys.net
Fri Dec 4 02:43:50 UTC 1998

: ==>Could traffic shaping, or similar QoS configurations, be used to solve
: ==>such issues in a more general way? 
: It has information on using Cisco's Committed Access Rate (CAR) feature
: to rate-limit traffic such as ICMP echo/echo-reply and TCP SYNs.

Thanks, everyone, for your responses. It seems that lots of us agree
that CAR sounds like a wonderful mechanism for taming smurf-like
attacks. (Thanks, Cisco and others who have provided it.)

So isn't this the solution(**) to smurfing that we should be lobbying for?
Consider: Using CAR to limit ICMP to a statistically normal range on 
all links has these features:
	* It can be implemented from the core out
	* It must be implemented by clueful network operators (because they
		run the core)
	* It must be implemented on a relatively small handful of 
		rigorously-maintained routers

Compare this to the drive for limitations on directed broadcasts:
	* It must be implemented at the edges
	* It must be implemented by widely-varying clue levels
	* It must be implemented on hundreds of thousands of routers that no 
		one ever touches

In short, the core grows slower, and is run by people with more experience.
If the problem can be addressed there, then it seems like we *must* address
it there. 
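To make the core-side approach concrete, here is an added example of what a CAR policy for ICMP looks like on a Cisco IOS router; it is not configuration from this post or from any particular operator. The interface name, access-list number and rate/burst values are assumptions chosen for illustration (the "statistically normal range" would be measured per link), and the directed-broadcast line at the end shows the edge-side alternative being compared for contrast:

```cisco
! Added example (not from the original post): Cisco IOS CAR policy that
! rate-limits ICMP echo and echo-reply on a core/distribution link.
!
! Classify only ping traffic; other ICMP (unreachables, TTL-exceeded,
! etc.) is left alone so path MTU discovery and traceroute keep working.
! ACL number 102 is an assumption.
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
!
! Interface name and rates are assumptions. CAR is a token bucket:
!   256000 = committed rate in bits/sec
!   8000   = normal burst in bytes
!   8000   = maximum (excess) burst in bytes
! Packets within the bucket are transmitted; the rest are dropped.
! Applying it inbound and outbound limits both the reflected flood
! arriving at a victim and the echo requests leaving toward amplifiers.
interface Serial0/0
 rate-limit input  access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
 rate-limit output access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
!
! For contrast, the edge-side fix the post compares against: this must be
! set on every LAN interface of every edge router to stop a network from
! acting as a smurf amplifier. Interface name is an assumption.
interface Ethernet0/0
 no ip directed-broadcast
```

Two practical notes: `show interfaces Serial0/0 rate-limit` reports the conformed and exceeded byte counters for the policy, which is also the quickest way to confirm the chosen rate sits above the link's normal ping load, and because the limit is per-interface rather than per-source, a real flood will cause legitimate pings through the same link to be dropped too (a known trade-off, which is why the post talks about limiting ICMP rather than filtering it).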

Comments, please. 

(**)	You could well argue that limiting ICMP traffic on core/distribution
	links doesn't actually solve the problem -- lots of trash traffic
	can be generated on networks whose routers allow directed broadcasts.
	But that's if we define the problem to be trash ICMP because 
	hosts reply to pings (or fraggle, or whatever); in such a case,
	traffic limitations are simply a kludge.

	However, if you define the problem to be packet floods, then I think
	CAR provides a viable and real solution. After all, directed broadcast
	is a useful tool; in such a definition, disabling it on a network
	is a kludge. My limited studies seem to show that there are enough
	smurf amplifiers on the Internet to easily saturate OC-48s. Perhaps
	the real problem *is* flooding -- not directed broadcast.

More information about the NANOG mailing list