nanog mailing list archives

Re: ICMP traffic increasing on most backbones Re: GLBX ICMP rate limiting

From: Steve Carter <scarter () pobox com>
Date: Thu, 28 Aug 2003 09:28:41 -0700


* Sean Donelan said:


On Thu, 28 Aug 2003, Steve Carter wrote:

The rate-limiters have become more interesting recently, meaning they've
actually started dropping packets (quite a lot in some cases) because of
the widespread exploitation of unpatched windows machines.


Yep, the amount of ICMP traffic seems to be increasing on most backbones
due to worm activity.  It probably hasn't exceed HTTP yet, but it is
surpasssing many other protocols.  Some providers have seen ICMP increase
by over 1,000% over the last two weeks.


The results of our data collection is almost unbelievable.  I've had to
have it rechecked multiple times because I had a hard time even groking
the scale.  Like, dude, is your calculator broken?

It appears that the volume is still growing ... even with the widespread
publicity.  Those of us that are sourcing this traffic need to protect
ourselves and the community by rate limiting because the exploited are
not.

I agree with Wayne that we need to be smart (reads: very specific) about
how we rate limit during this event.  When the event is over we can go 
back to just a simple rate limit that protects us in a very general way 
until the next event jumps up.

<private message>
Yuh, Jay, I changed my tune ... you were right.
</private message>

-Steve

Current thread:

Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?), (continued)
- - - Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?) Jared Mauch (Aug 28)
    - Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?) Wayne E. Bouchard (Aug 28)
    - Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?) Christopher L. Morrow (Aug 28)
    - Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?) Jared Mauch (Aug 28)
    - Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?) Robert Boyle (Aug 28)
    - Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?) Paul Vixie (Aug 28)
    - Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?) Alex Rubenstein (Aug 28)
    - Message not available
    - Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?) Robert Boyle (Aug 28)
    - Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?) Steve Carter (Aug 28)
    - ICMP traffic increasing on most backbones Re: GLBX ICMP rate limiting Sean Donelan (Aug 28)
    - Re: ICMP traffic increasing on most backbones Re: GLBX ICMP rate limiting Steve Carter (Aug 28)
    - Re: ICMP traffic increasing on most backbones Re: GLBX ICMP rate limiting Rachael Treu (Aug 28)
    - Re: ICMP traffic increasing on most backbones Re: GLBX ICMP rate limiting Dan Hollis (Aug 28)
    - Dealing with infected users (Re: ICMP traffic increasing on most backbones Re: GLBX ICMP rate limiting Mike Tancsa (Aug 28)
    - Re: Dealing with infected users (Re: ICMP traffic increasing on most backbones Re: GLBX ICMP rate limiting Dan Hollis (Aug 28)
    - Re: Dealing with infected users (Re: ICMP traffic increasing on most backbones Re: GLBX ICMP rate limiting Mike Tancsa (Aug 28)
    - Re: Dealing with infected users (Re: ICMP traffic increasing on most backbones Re: GLBX ICMP rate limiting Vadim Antonov (Aug 28)
    - Re: Dealing with infected users (Re: ICMP traffic increasing on most backbones Re: GLBX ICMP rate limiting Petri Helenius (Aug 28)
    - Re: Dealing with infected users (Re: ICMP traffic increasing on most backbones Re: GLBX ICMP rate limiting Omachonu Ogali (Aug 29)
    - Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?) Lars Erik Gullerud (Aug 28)
  - RE: Tier-1 without their own backbone? Daniel Golding (Aug 31)