nanog mailing list archives
Re: Rate limiting UDP,Multicast,ICMP
From: "Brian" <bri () sonicboom org>
Date: Thu, 15 Nov 2001 07:07:06 -0800
I have also heard of providers who have rate limited icmp on their own backbone links, or links facing peering partners, just something else to consider..

Brian

----- Original Message -----
From: "David Schwartz" <davids () webmaster com>
To: <TGainer () e-xpedient com>; <nanog () merit edu>
Sent: Wednesday, November 14, 2001 2:53 PM
Subject: Re: Rate limiting UDP,Multicast,ICMP

On Tue, 13 Nov 2001 12:42:01 -0500, Thomas Gainer wrote:

> A little more information. We sell 100Mb Ethernet pipes to the Internet. (Yes, there are a few of us left). A fair number of these customers are small businesses. Usually, they have servers but very little IT support and even less IT know-how. My thought is to rate limit UDP and ICMP at the customer port to no more than 3Mb/s so WHEN (not if) a customer is compromised, the effects are somewhat limited and my MAN pipes have some measure of protection. The question is, what am I not thinking of? DNS, TFTP and such should all operate virtually unaffected, as they are not bandwidth hungry services.

Are you rate limiting only inbound? Or both ways? Are you trying to protect your customers from attack or prevent them from being the source of attacks if their machines are compromised? Or both?

If you rate-limit UDP outbound, you make it very hard for your customers to source streaming media. If you rate-limit inbound, you make it very hard for your customers to reflect streaming media. So long as you let your customers know what you're doing in advance, you shouldn't have any problems.

You may wish to allow clueful customers to opt out of this filtering (ideally selectively) if they do wish to do things with high-bandwidth UDP applications. It wouldn't be unreasonable to require customers opting out of such filtering to assume responsibility/liability for any floods that might affect them as a result. You may wish to charge them for your costs associated with floods they originate that affect others as well.

DS
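
Added example, not part of any poster's message: a small token-bucket simulation of the 3Mb/s per-port UDP limit discussed above, run against three constructed traffic samples (light DNS, a 5 Mb/s UDP stream, a 90 Mb/s UDP flood). The burst size, packet sizes and flow rates are assumptions chosen for illustration, and real router policers differ in detail.

```python
"""Constructed simulation of a per-port UDP/ICMP policer (not from the thread)."""
from collections import defaultdict

RATE_BPS = 3_000_000      # the 3Mb/s limit proposed in the thread
BURST_BYTES = 37_500      # assumption: 100 ms of burst at 3 Mb/s
SECONDS = 10.0            # length of each constructed traffic sample

def flow(label, bps, size, seconds=SECONDS):
    """Constant-bit-rate flow as (time_s, size_bytes, label) tuples."""
    gap = size * 8 / bps
    return [(i * gap, size, label) for i in range(int(seconds / gap))]

def police(packets, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Single-rate token bucket: forward a packet only if enough tokens remain."""
    tokens, last = float(burst_bytes), 0.0
    stats = defaultdict(lambda: {"sent": 0, "passed": 0})
    for t, size, label in sorted(packets):
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8)
        last = t
        stats[label]["sent"] += size
        if size <= tokens:            # conforming: forward and spend tokens
            tokens -= size
            stats[label]["passed"] += size
    return dict(stats)

def pass_ratio(stats, label):
    """Fraction of offered bytes that the policer forwarded."""
    return stats[label]["passed"] / stats[label]["sent"]

def passed_mbps(stats, label, seconds=SECONDS):
    """Forwarded throughput in Mb/s over the sample window."""
    return stats[label]["passed"] * 8 / seconds / 1e6

# Constructed samples: light DNS, a 5 Mb/s UDP stream, a 90 Mb/s UDP flood.
SAMPLES = {
    "dns": flow("dns", 40_000, 100),
    "stream": flow("stream", 5_000_000, 1250),
    "flood": flow("flood", 90_000_000, 1250),
}

if __name__ == "__main__":
    for name, pkts in SAMPLES.items():
        s = police(pkts)
        print(f"{name:7s} pass ratio {pass_ratio(s, name):.3f}, "
              f"forwarded {passed_mbps(s, name):.2f} Mb/s")
```

Each sample is policed on its own here; the low-rate DNS sample passes untouched, the stream loses roughly 40% of its packets, and the flood is held to about 3 Mb/s.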