operational: icmp echo out of control?

Richard A Steenbergen ras at e-gerbil.net
Thu May 23 20:36:23 UTC 2002


On Thu, May 23, 2002 at 10:05:08AM -0700, Mark Kent wrote:
> 
> I've observed that our border routers are getting pinged a fair bit.
> I measured on one router and saw:
> 
>   5 per second, seems consistent throughout the day,
>   roughly 40 different sources every 15 seconds
> 
> I took a look at the varied sources and discovered that the sites
> are well connected and those that resolve resolve to akamai names.
> 
> This isn't more than a nuisance for me, but I run a small net.  
> Should I conclude that an ISP with a population 10 times bigger
> would have their border routers getting pinged at 10 times the
> rate I see?  If so, should we care, or just ignore it?

I can't speak as to what exactly Akamai is doing, but this kind of probing
for "performance" reasons is becoming increasingly common as more people
jump on the "optimized routing" bandwagon.

Not only do you have operational networks originating these probes on
their own (InterNAP, Digital Island, Akamai, others), but you now have
companies making boxes which "optimize routing" in part by doing these
probes from every one of their customers.

Right now it's mostly noise, but it has the potential to get way out of
hand. A packet or two an hour probably wouldn't hurt anyone, but 5
packets/sec is personally what I would consider to be an acceptable amount
of data to be directed at any specific host or router. Not only can this
many probes trigger ICMP rate limiting and ruin the data for the prober
and others, it is just plain unnecessary.

Path latency doesn't change much, you can determine this with very few
probes. Reachability does not need to be continuously probed, you can take
cues from other data to decide if you need to re-probe. Packet loss cannot
be reliably determined without a lot more packets than it is reasonable to
send.

Much like web spidering, some simple common sense can help keep probes 
from becoming a hassle:

 * Control the rate of your probes to a given destination.
 * Don't allow your probes to continuously hit a destination.
 * If you are using traceroute-style probes, extra care must be taken
   as if you were pinging every host along the path.
 * If at all possible, only target destinations you actually exchange
   traffic with. For example, get a netflow feed.
 * Make sure a DoS attack cannot provoke your system into probing innocent
   third parties.
 * Consider what is the smallest unit of "distinct network topology" you
   need to map. A very reasonable number would be a /24.
 * Source your probes from an IP which resolves to something that can
   explain what your probe is doing, and a webpage for people to read
   more about what you are doing and why (such as how it benefits them).
 * Have an "opt out" option for networks who REALLY don't like probes.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
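As an added illustration (not code from the post or from any of the vendors named in it), the following Python sketch applies several of the guidelines above to a measurement system: one probe per /24 per interval, an operator-maintained opt-out list, a cap on how many new destinations a single window can introduce so a burst of unfamiliar addresses cannot drive the prober into hitting third parties, and target selection from flow records rather than from the whole address space. The class name, parameters, and the RFC 5737 documentation-range addresses are constructed for the example.

```python
import ipaddress

class ProbeScheduler:
    """Gate active probes: one probe per /24 per interval, honour opt-outs,
    and cap how many distinct destinations one window may introduce."""

    def __init__(self, opt_out, per_prefix_interval=3600.0,
                 max_targets_per_window=100, window=60.0):
        # Networks that asked not to be probed (operator-maintained list).
        self.opt_out = [ipaddress.ip_network(n) for n in opt_out]
        self.interval = per_prefix_interval      # seconds between probes to one /24
        self.max_targets = max_targets_per_window
        self.window = window
        self.last_probe = {}                     # /24 network -> time of last probe
        self.window_start = 0.0
        self.window_count = 0

    def should_probe(self, dst, now):
        addr = ipaddress.ip_address(dst)
        if addr.version != 4:
            return False                         # IPv4 only in this example
        if any(addr in net for net in self.opt_out):
            return False                         # network opted out
        # Treat the covering /24 as the smallest unit of topology worth mapping.
        prefix = ipaddress.ip_network(f"{addr}/24", strict=False)
        if now - self.window_start >= self.window:
            self.window_start, self.window_count = now, 0
        last = self.last_probe.get(prefix)
        if last is not None and now - last < self.interval:
            return False                         # this /24 was probed recently
        # Global cap: a flood of new destinations (e.g. spoofed sources seen
        # during a DoS) cannot turn the prober into a flood source itself.
        if self.window_count >= self.max_targets:
            return False
        self.window_count += 1
        self.last_probe[prefix] = now
        return True

def select_targets(scheduler, flows, now):
    """Given (src, dst) flow records from a NetFlow-style feed, return the
    destinations we actually exchange traffic with and may probe right now."""
    return [dst for _src, dst in flows if scheduler.should_probe(dst, now)]

if __name__ == "__main__":
    # Constructed sample flows using documentation ranges (RFC 5737).
    flows = [("10.0.0.1", "198.51.100.1"),
             ("10.0.0.2", "198.51.100.77"),      # same /24 -> skipped
             ("10.0.0.3", "203.0.113.5")]        # opted out -> skipped
    s = ProbeScheduler(opt_out=["203.0.113.0/24"])
    print(select_targets(s, flows, now=0.0))     # -> ['198.51.100.1']
```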