Rate limiting UDP,Multicast,ICMP

David Schwartz davids at webmaster.com
Wed Nov 14 22:53:19 UTC 2001


On Tue, 13 Nov 2001 12:42:01 -0500, Thomas Gainer wrote:

>A little more information.  We sell 100Mb Ethernet pipes to the Internet.
>(Yes, there are a few of us left).  A fair number of these customers are
>small businesses.  Usually, they have servers but very little IT support and
>even less IT know-how.  My thought is to rate limit UDP and ICMP at the
>customer port to no more than 3Mb/s so WHEN (not if) a customer is
>compromised, the effects are somewhat limited and my MAN pipes have some
>measure of protection.  The question is, what am I not thinking of?  DNS, TFTP
>and such should all operate virtually unaffected, as they are not bandwidth
>hungry services.

	Are you rate limiting only inbound? Or both ways? Are you trying to protect 
your customers from attack or prevent them from being the source of attacks 
if their machines are compromised? Or both?

	If you rate-limit UDP outbound, you make it very hard for your customers to 
source streaming media. If you rate-limit inbound, you make it very hard for 
your customers to reflect streaming media. So long as you let your customers 
know what you're doing in advance, you shouldn't have any problems.

	You may wish to allow clueful customers to opt out of this filtering 
(ideally selectively) if they do wish to do things with high-bandwidth UDP 
applications. It wouldn't be unreasonable to require customers opting out of 
such filtering to assume responsibility/liability for any floods that might 
affect them as a result. You may wish to charge them for your costs associated 
with floods they originate that affect others as well.

	DS
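As an added illustration of the policy discussed above (this is not code from the thread or from any NANOG participant), a small simulation of a per-customer-port token-bucket policer: UDP and ICMP are capped at 3 Mb/s, TCP is left alone, and ports in an opt-out set are exempted. The port names, packet streams and bucket depth are constructed assumptions.

```python
RATE_BPS = 3_000_000    # 3 Mb/s cap on UDP+ICMP, the figure proposed in the thread
BURST_BYTES = 375_000   # bucket depth: one second's worth at the cap (assumption)

class TokenBucket:
    """Policer bucket; time is integer milliseconds so the arithmetic stays exact."""
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps, self.burst_bytes = rate_bps, burst_bytes
        self.tokens, self.last_ms = float(burst_bytes), 0  # start full: short bursts pass

    def allow(self, nbytes, now_ms):
        refill = (now_ms - self.last_ms) * self.rate_bps / 8000   # bytes earned since last packet
        self.last_ms = now_ms
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False   # out of profile: drop (police, don't queue)

class CustomerPortPolicer:
    """One bucket per customer port, applied only to UDP and ICMP.
    Ports in opt_out are the 'clueful customers' who asked to be exempted."""
    LIMITED = {"udp", "icmp"}

    def __init__(self, opt_out_ports=()):
        self.opt_out, self.buckets = set(opt_out_ports), {}

    def check(self, port, proto, nbytes, now_ms):
        if proto not in self.LIMITED or port in self.opt_out:
            return True   # TCP and exempted ports are never policed
        bucket = self.buckets.setdefault(port, TokenBucket(RATE_BPS, BURST_BYTES))
        return bucket.allow(nbytes, now_ms)

def flood(port, proto, pps, seconds, size=1000):
    """Constructed input: a constant-rate stream of size-byte packets as (port, proto, bytes, ms)."""
    return [(port, proto, size, t) for t in range(0, seconds * 1000, 1000 // pps)]

def run(policer, packets, window_ms=1000):
    """Feed packets through the policer; return (passed, dropped, mbps_in_final_window).
    The final-window rate shows the steady state once the initial burst allowance is gone."""
    passed = dropped = window_bytes = 0
    end_ms = packets[-1][3]
    for port, proto, nbytes, t in packets:
        if policer.check(port, proto, nbytes, t):
            passed += 1
            if t > end_ms - window_ms:
                window_bytes += nbytes
        else:
            dropped += 1
    return passed, dropped, window_bytes * 8 / (window_ms * 1000)
```

An 8 Mb/s UDP or ICMP stream from a policed port settles at exactly 3.0 Mb/s after the burst allowance drains, while the same stream over TCP or from an opted-out port passes untouched and other customers' buckets are unaffected.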
