[AusNOG] network security Question

Mark Andrews marka at isc.org
Wed May 21 10:51:10 EST 2014


In message <537BF620.4090004 at sisgroup.com.au>, Luke Iggleden writes:
> Rate limiting router control planes is definitely required though if 
> your links are big enough to kill your control plane cpu.
> 
> I think police 5Mbit/s of ICMP to a border router control plane is 
> acceptable.
> 
> -- 
> Luke Iggleden

If you have links with different MTUs you really need to be able
to generate ICMP(8,3) packets for every packet that requires it.
The usual ICMP rate limits for time exceeded are just not appropriate
by several orders of magnitude.

Mark

> On 21/05/2014 10:21 am, Chris Chaundy wrote:
> > If you are getting flooded with icmp, blocking/rate-limiting at your
> > border is pretty well pointless as the damage is already done - your
> > link is toast and the attackers don't give a damn about replies.
> >
> > And talking about DNS, don't even get started on NTP!!!  Sigh...
> >
> >
> > On Wed, May 21, 2014 at 10:15 AM, Joshua D'Alton <joshua at railgun.com.au
> > <mailto:joshua at railgun.com.au>> wrote:
> >
> >     Some places do this, Linode I believe in some locations (or perhaps
> >     their carriers/DCs?), just have to remember said hop (XYZ router(s)
> >     will always have some loss (usually 30%, it's consistent). And what
> >     level, well presumably layer 3 ACLs?
> >
> >
> >     On Wed, May 21, 2014 at 10:08 AM, Alex Samad - Yieldbroker
> >     <Alex.Samad at yieldbroker.com <mailto:Alex.Samad at yieldbroker.com>> wrote:
> >
> >         With the icmp, I was more thinking about rate limiting, all nice
> >         to allow it through, but I also rate limit.  Haven't got any
> >         shaping on, but I would be de-prioritising a lot of icmp
> >
> >         Just wondering what sort of level do (if they do) rate limit icmp to
> >
> >
> >     _______________________________________________
> >     AusNOG mailing list
> >     AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
> >     http://lists.ausnog.net/mailman/listinfo/ausnog
> >
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
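To make the "orders of magnitude" point concrete, here is an added simulation (not part of the thread, and not any vendor's policer): a token-bucket control-plane policer is fed a constructed one-second burst of oversized packets that each need an ICMP Destination Unreachable / Fragmentation Needed (type 3, code 4) reply, plus a trickle of traceroute-style Time Exceeded (type 11) replies. Policing both through one "time exceeded" sized bucket starves PMTUD almost completely; giving Fragmentation Needed its own class (here: unlimited) keeps path MTU discovery working while Time Exceeded stays tightly policed. All rates and packet counts are placeholders chosen for the illustration.

```python
"""Added example: ICMP error-generation policing vs. Path MTU Discovery."""

# ICMP type/code pairs (RFC 792 / RFC 1191)
TIME_EXCEEDED = (11, 0)
FRAG_NEEDED = (3, 4)          # "Fragmentation Needed and DF set"


class TokenBucket:
    """Simple token-bucket policer: `rate` messages/s, `burst` depth."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def build_events(n_oversized=10_000, pps=10_000, n_traceroute=20):
    """Constructed workload: 1 s burst of DF packets too big for the egress
    MTU (each needs one Fragmentation Needed), plus traceroute probes."""
    ev = [(i / pps, FRAG_NEEDED) for i in range(n_oversized)]
    ev += [(i * 0.05, TIME_EXCEEDED) for i in range(n_traceroute)]
    return sorted(ev)


def delivered_fraction(events, policer_for):
    """policer_for(cls) returns a TokenBucket or None (exempt).
    Returns per-class fraction of ICMP errors actually generated."""
    sent, ok = {}, {}
    for t, cls in events:
        sent[cls] = sent.get(cls, 0) + 1
        bucket = policer_for(cls)
        if bucket is None or bucket.allow(t):
            ok[cls] = ok.get(cls, 0) + 1
    return {cls: ok.get(cls, 0) / sent[cls] for cls in sent}


def shared_policer_run(rate=2.0, burst=2):
    """All ICMP errors share one bucket sized for Time Exceeded (placeholder rate)."""
    shared = TokenBucket(rate, burst)
    return delivered_fraction(build_events(), lambda cls: shared)


def per_class_policer_run(rate=2.0, burst=2):
    """Fragmentation Needed exempt from the policer; Time Exceeded still policed."""
    te_bucket = TokenBucket(rate, burst)
    return delivered_fraction(build_events(),
                              lambda cls: te_bucket if cls == TIME_EXCEEDED else None)
```

Run both functions and compare the `FRAG_NEEDED` entries: under the shared bucket well under 1% of the required Fragmentation Needed messages are generated, so nearly every oversized flow black-holes, while the per-class policer delivers all of them.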

