ICANN Targets DDoS Attacks

Dan Lockwood dlockwood at shastalink.k12.ca.us
Tue Oct 29 21:24:11 UTC 2002


Would anyone be willing to post an operational example of CAR for ICMP.
I would like to see what others are doing to combat the problem.

Dan

-----Original Message-----
From: Jared Mauch [mailto:jared at puck.Nether.net] 
Sent: Tuesday, October 29, 2002 13:12
To: Jeff Shultz
Cc: nanog at nanog.org
Subject: Re: ICANN Targets DDoS Attacks



On Tue, Oct 29, 2002 at 01:03:52PM -0800, Jeff Shultz wrote:
> >> On 10/29/2002 at 3:40 PM Valdis.Kletnieks at vt.edu wrote:
> >> >On Tue, 29 Oct 2002 22:25:44 +0200, Petri Helenius <pete at he.iki.fi> said:
> >> >
> >> >> Why would you like to regulate my ability to transmit and receive data using ECHO and ECHO_REPLY packets? Why they are considered harmful?
> >> >
> >> >Smurf.
> >> >
> >> 
> >> Okay. What will this do to my user's ping and traceroute times, if anything? I've got users who tend to panic if their latency hits 250ms between here and the moon (slight exaggeration, but only slight).
> >> 
> >> I just love it when I've got people blaming me because the 20th hop on a traceroute starts returning * * * instead of times.
> >
> >	that's icmp ttl expired messages.
> 
> I know that, and I try to explain it to my customers... but it doesn't answer the first part of the question - what will throttling ICMP do to ping and traceroute times? My gut reaction is that it will a. slow them
	ICMP?

	Or only icmp echo and icmp echo-reply messages?

	In a well behaved router, nothing.  Obviously if you have
a 7500 or older GSR linecards that are incapable of doing this due to
design problems from day one in pps rates and feature path, there may be
a hit.

	I'm not saying rate-limit anything other than echo+reply.

> down and/or b. discard a lot of them making the circuit look unreliable to ping. But I don't know enough about the underlying technology to be sure of that.

	Once again, I'd like to see (other than a performance
checking customer) generate more than 2Mb/s of icmp.echo and
icmp.echo-reply packets that are legit and not part of a DoS.  This is
quite rare.

	Do your own stats and test your hardware.

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
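
An operational CAR configuration of the kind Dan asks for, added here as an illustration; it is not taken from any poster's router. The interface name, ACL number and burst sizes are assumptions, and the 2 Mb/s rate follows Jared's ballpark figure above. It limits only ICMP echo and echo-reply, as Jared describes, so the TTL-exceeded and unreachable messages that traceroute and path MTU discovery rely on are not matched and are not limited:

```cisco
! Added example (not from the thread): Cisco IOS Committed Access Rate (CAR).
! Match only ICMP echo (type 8) and echo-reply (type 0). Every other ICMP
! type (ttl-exceeded, unreachable, etc.) falls through unmatched and is not
! subject to this rate-limit statement.
access-list 170 permit icmp any any echo
access-list 170 permit icmp any any echo-reply
!
! Assumed interface name. CAR takes the rate in bits/s and the bursts in bytes:
!   2000000 bps  = 2 Mb/s sustained (the "more than 2Mb/s" figure above)
!   375000 bytes = normal burst, about 1.5 x the per-second byte rate (assumed)
!   750000 bytes = maximum (extended) burst (assumed)
! Packets under the rate are transmitted unchanged; the excess is dropped.
interface Serial0/0
 rate-limit input access-group 170 2000000 375000 750000 conform-action transmit exceed-action drop
 rate-limit output access-group 170 2000000 375000 750000 conform-action transmit exceed-action drop
```

Check it with `show interfaces Serial0/0 rate-limit`, which reports conformed and exceeded packet and byte counts per rate-limit statement; watching the exceeded counters under normal traffic before trusting the rate is the "do your own stats" step Jared recommends. CAR polices rather than shapes, so traffic under the rate is forwarded without added delay and only traffic over it is dropped, which answers Jeff's latency question: ping times do not stretch, but a flood in excess of the rate shows up as lost replies. On the older hardware Jared mentions, test the feature path on the actual linecards before deploying.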


