[44240] in North American Network Operators' Group


Re: Rate limiting UDP,Multicast,ICMP

daemon@ATHENA.MIT.EDU (David Schwartz)
Wed Nov 14 17:54:34 2001

From: David Schwartz <davids@webmaster.com>
To: <TGainer@e-xpedient.com>, <nanog@merit.edu>
Date: Wed, 14 Nov 2001 14:53:19 -0800
In-Reply-To: <E6F85CA58D2A834E99B1683C05BC7987025F95B5@mail.corp.com>
Message-ID: <20011114225321.AAA17687@shell.webmaster.com@whenever>



On Tue, 13 Nov 2001 12:42:01 -0500, Thomas Gainer wrote:

>A little more information.  We sell 100Mb Ethernet pipes to the Internet.
>(Yes, there are a few of us left).  A fair number of these customers are
>small businesses.  Usually, they have servers but very little IT support and
>even less IT know-how.  My thought is to rate limit UDP and ICMP at the
>customer port to no more than 3Mb/s so WHEN (not if) a customer is
>compromised, the effects are somewhat limited and my MAN pipes have some
>measure of protection.  The question is, what am I not thinking of?  DNS, TFTP
>and such should all operate virtually unaffected, as they are not bandwidth
>hungry services.

	Are you rate limiting only inbound? Or both ways? Are you trying to protect
your customers from attack or prevent them from being the source of attacks
if their machines are compromised? Or both?

	If you rate-limit UDP outbound, you make it very hard for your customers to
source streaming media. If you rate-limit inbound, you make it very hard for
your customers to reflect streaming media. So long as you let your customers
know what you're doing in advance, you shouldn't have any problems.

	You may wish to allow clueful customers to opt out of this filtering
(ideally selectively) if they do wish to do things with high-bandwidth UDP
applications. It wouldn't be unreasonable to require customers opting out of
such filtering to assume responsibility/liability for any floods that might
affect them as a result. You may wish to charge them for your costs associated
with floods they originate that affect others as well.

	DS
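A simulation of the policy discussed above, added here as an illustration (it is not part of the thread and not any vendor's implementation): a token-bucket policer on one customer port that applies only to UDP and ICMP at 3 Mb/s. The traffic profiles (DNS, TCP web, an outbound UDP media stream, a UDP flood from a compromised host) are constructed; the run shows DNS passing untouched under light load, the streaming case David raises hitting the ceiling, and the flood held to the limit while TCP is unaffected.

```python
LIMIT_BPS = 3_000_000          # the 3 Mb/s UDP+ICMP ceiling proposed in the thread
BURST_BYTES = LIMIT_BPS // 8   # bucket depth: one second of credit at the policed rate
POLICED = {"udp", "icmp"}      # TCP and everything else are not policed

class TokenBucketPolicer:
    """Single-rate policer: a policed packet is forwarded only if the bucket holds its size in tokens."""
    def __init__(self, rate_bps=LIMIT_BPS, burst=BURST_BYTES):
        self.rate = rate_bps / 8   # tokens (bytes) added per second
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0
    def admit(self, t, proto, size):
        if proto not in POLICED:
            return True            # not subject to the limit
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False               # over the ceiling: dropped

def simulate(flows, seconds=10):
    """flows: (name, proto, bytes/packet, packets/s, start time). Returns bytes sent and passed per flow."""
    pkts = []
    for name, proto, size, pps, start in flows:
        pkts += [(start + i / pps, name, proto, size) for i in range(int((seconds - start) * pps))]
    pkts.sort(key=lambda p: p[0])  # stable sort: arrival order within one instant is preserved
    pol, stats = TokenBucketPolicer(), {f[0]: {"sent": 0, "passed": 0} for f in flows}
    for t, name, proto, size in pkts:
        stats[name]["sent"] += size
        if pol.admit(t, proto, size):
            stats[name]["passed"] += size
    return stats

# Constructed profiles: DNS ~64 kb/s, TCP web ~24 Mb/s, outbound UDP stream ~7.7 Mb/s, 40 Mb/s UDP flood from t=2 s.
DNS = ("dns", "udp", 80, 100, 0.0)
WEB = ("web", "tcp", 1500, 2000, 0.0)
STREAM = ("stream", "udp", 1200, 800, 0.0)
FLOOD = ("flood", "udp", 1000, 5000, 2.0)

def scenarios():
    return {"quiet": simulate([DNS, WEB]),          # light UDP: nothing is dropped
            "stream": simulate([DNS, WEB, STREAM]),  # legitimate high-bandwidth UDP hits the ceiling
            "flood": simulate([DNS, WEB, FLOOD])}    # compromised host: flood held to ~3 Mb/s

if __name__ == "__main__":
    for label, st in scenarios().items():
        for flow, s in st.items():
            print(f"{label:6s} {flow:6s} offered {s['sent']*8/1e7:6.2f} Mb/s  forwarded {s['passed']*8/1e7:6.2f} Mb/s")
```

Note that the stream and the flood share one bucket with DNS on the same port, so DNS on a port that is flooding or streaming competes for the same 3 Mb/s.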


