nanog mailing list archives

Re: ICANN Targets DDoS Attacks


From: Jared Mauch <jared () puck Nether net>
Date: Tue, 29 Oct 2002 15:45:38 -0500


On Tue, Oct 29, 2002 at 10:25:44PM +0200, Petri Helenius wrote:

> > Source address verification at access layer and rate limiting icmp would
> > be fine starts.
>
> Why would you like to regulate my ability to transmit and receive data
> using ECHO and ECHO_REPLY packets? Why they are considered
> harmful?

        I've found (as others have) that if you take a typical customer
interface or even infrastructure/peer interface, you don't see normal
packet rates over 2Mb/s of icmp echo+echo-reply  (oc3, oc12 and gig-e
to exchange for example).

        Go in and do a rate-limit (and tell it to transmit if exceeded
so it doesn't stop your traffic) on your router to check what your
typical rate is.  You'd be surprised how much this will help
mitigate smurf/icmp attacks.  It can take a 100Mb/s attack and
limit it to 2Mb*<number-of-ingress-peer-interfaces> which is likely
to be smaller than 100Mb/s.  Yet still allow you to determine
the source interface by the unusual traffic spike/pps spike as well
as the rate-limit/car/whatever drops.
        
> I'm all for source address verification though.

        As am I.

        - Jared

-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
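The procedure Jared describes (per-interface ICMP rate-limit, first with exceed-action transmit to learn the typical rate, then with drop to cap a flood at 2Mb x number-of-ingress-interfaces, using the exceed counters to find the ingress interface) can be modelled offline. The block below is an added example and is not code from the post or from any router vendor: it uses a token bucket as a simplification of a CAR-style rate-limit, and the interface names, 2Mb/s limit, bucket depth, packet size and traffic mix are all constructed for the illustration.

```python
"""Token-bucket model of per-interface ICMP echo/echo-reply rate limiting.

Added example (not from the original post). The token bucket is a
simplification of a CAR-style rate-limit; interface names, packet sizes,
rates and the traffic mix below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

MBIT = 1_000_000
LIMIT_BPS = 2 * MBIT          # per-interface ICMP rate-limit (the 2Mb/s from the post)
BURST_BYTES = 16_000          # bucket depth, constructed value
PKT = 125                     # bytes per echo packet, constructed value


@dataclass
class TokenBucket:
    """Bytes-per-second token bucket: a packet conforms if enough tokens remain."""
    rate_bps: float
    burst_bytes: float
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = self.burst_bytes

    def conform(self, size: int, now: float) -> bool:
        # Refill proportionally to elapsed time, capped at the bucket depth.
        self.tokens = min(self.burst_bytes,
                          self.tokens + (now - self.last) * self.rate_bps / 8)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class IcmpRateLimiter:
    """One bucket per ingress interface plus conform/exceed byte counters.

    exceed_action="transmit" is the measurement mode the post recommends:
    nothing is dropped, but the exceed counters reveal the real ICMP rate.
    exceed_action="drop" is the mitigation mode.
    """

    def __init__(self, limit_bps: float, burst: float, exceed_action: str) -> None:
        assert exceed_action in ("transmit", "drop")
        self.limit_bps, self.burst, self.exceed_action = limit_bps, burst, exceed_action
        self.buckets: Dict[str, TokenBucket] = {}
        self.conformed: Dict[str, int] = {}
        self.exceeded: Dict[str, int] = {}

    def offer(self, iface: str, size: int, now: float) -> bool:
        """Account one packet on an interface; return True if it is forwarded."""
        bucket = self.buckets.setdefault(iface, TokenBucket(self.limit_bps, self.burst))
        self.conformed.setdefault(iface, 0)
        self.exceeded.setdefault(iface, 0)
        if bucket.conform(size, now):
            self.conformed[iface] += size
            return True
        self.exceeded[iface] += size
        return self.exceed_action == "transmit"


# Constructed traffic: echo packets per second arriving on each ingress interface.
NORMAL_TRAFFIC = {"peer-a": 1_000, "peer-b": 1_000, "cust-c": 1_000}     # ~1 Mb/s each
ATTACK_TRAFFIC = {"peer-a": 1_000, "peer-b": 100_000, "cust-c": 1_000}   # peer-b: ~100 Mb/s


def run(exceed_action: str, traffic: Dict[str, int],
        seconds: float = 1.0) -> Tuple[Dict[str, int], Dict[str, int], Dict[str, int]]:
    """Replay evenly spaced packets through a limiter.

    Returns (forwarded, conformed, exceeded) byte counts per interface.
    """
    limiter = IcmpRateLimiter(LIMIT_BPS, BURST_BYTES, exceed_action)
    forwarded: Dict[str, int] = {}
    for iface, pps in traffic.items():
        forwarded[iface] = 0
        interval = seconds / pps
        for i in range(int(pps * seconds)):
            if limiter.offer(iface, PKT, i * interval):
                forwarded[iface] += PKT
    return forwarded, limiter.conformed, limiter.exceeded


def suspect_interface(exceeded: Dict[str, int]) -> str:
    """The interface whose exceed counter spiked is where the flood enters."""
    return max(exceeded, key=exceeded.get)


if __name__ == "__main__":
    fwd, _, exc = run("transmit", ATTACK_TRAFFIC)
    print("measurement mode, forwarded Mb/s per interface:",
          {k: round(v * 8 / MBIT, 2) for k, v in fwd.items()})
    print("exceed counters point at:", suspect_interface(exc))
    fwd, _, _ = run("drop", ATTACK_TRAFFIC)
    print("drop mode, total forwarded Mb/s:", round(sum(fwd.values()) * 8 / MBIT, 2),
          "(cap is", LIMIT_BPS * len(ATTACK_TRAFFIC) / MBIT, "Mb/s)")
```

With the constructed traffic, measurement mode forwards the full 100Mb/s but the exceed counter on peer-b alone climbs, which is the spike Jared says identifies the source interface; switching the same policy to drop keeps the two quiet interfaces untouched and holds peer-b to roughly 2Mb/s plus one bucket's worth of burst, so the total reaching the rest of the network stays under 2Mb x 3 interfaces.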

