ICANN Targets DDoS Attacks

Brett Frankenberger rbf at rbfnet.com
Wed Oct 30 02:51:01 UTC 2002


On Tue, Oct 29, 2002 at 09:05:40PM -0500, Jared Mauch wrote:
> 
> 	Please discontinue imagination.  You obviously don't understand how
> traceroute works by sending udp packets and getting icmp ttl expired
> messages back which are not icmp {echo,echo-reply}.  Come back when you do
> understand how it works.  /sigh

Addressing just the issue of how traceroute works, I'll point out that
(a) Most or all flavors of traceroute distributed by Microsoft use ICMP
ECHO instead of UDP for the outbound packets (the old issue of some
stacks not sending ICMP errors in response to any ICMP being not much
of an issue these days, Microsoft's non-traditional method works almost
as good as the traditional UDP method), and (b) A Microsoft traceroute
is what most customers will be using.

FWIW, I don't think rate limiting ICMP is likely to have a negative
impact.  I also don't think it's a good idea, though -- it might help
to identify or prevent some problems in the short term, but in the long
run, it's a race we can't win -- if everyone limits ICMP, people will
launch DDos attacks with, say, packets to 80/tcp -- rate limiting that
is more problematic.  ICMP rate limiting isn't anywhere near a big
enough win, from my perspective, to justify adding complexity to the
network, and having to remember, when troubleshooting strange problems,
that ICMP is no longer forwarded just like any other packet.

     -- Brett



More information about the NANOG mailing list