[Outages-discussion] ICMP Filtering/Prioritization [was Re: [outages] Level3 Chicago]

Patrick W. Gilmore patrick at ianai.net
Thu Aug 20 08:24:13 EDT 2009


On Aug 20, 2009, at 2:02 AM, Jeremy Chadwick wrote:
> On Thu, Aug 20, 2009 at 12:03:57AM -0400, William R. Lorenz wrote:
>> On Wed, 19 Aug 2009, Craig Pierantozzi wrote:

> As I understand it, that is correct.  Routing of ICMP packets through a
> router (e.g. the dst IP in the IP/ICMP packet is to an address which the
> router is not responsible for) does not result in the packets getting
> de-prioritised.

Correct.  It would take more effort to figure out whether a packet is  
ICMP (look at L4 header) to deprioritize it than just forward the  
damned thing.


>> I haven't looked, but maybe there's a NANOG thread RE ICMP
>> prioritization. Perhaps there's also an engineer from Level3's IP
>> group that could chime in with additional details. :-)  Thanks, in
>> advance, for your insights.
>
> I'm not really sure backbone providers are willing to disclose this
> stuff.  Engineers escalated to via NOCs will definitely use the "what
> you're seeing is de-prioritisation of ICMP on our routers" excuse for
> outages (in some cases even when you include packet captures indicating
> TCP packets to a non-router destination are getting delayed or dropped).

Unfortunately, correct again.  Such is life on the 'Net - NOC, abuse,  
hostmaster, postmaster, CCare, etc. front line are frequently staffed  
by people who couldn't find a better job.  There are exceptions, but  
they tend to be promoted in a few months to avoid them running  
screaming from having to deal with the front line on the other side  
(i.e. customers, aka "lusers", aka "dumb-ass-people", aka...).


> In this day and age, I'm really not sure why ICMP is "throttled" (I'm
> using the term loosely) in this way.  As I understand it, the original
> concern which brought it forth was packet kids ping -f'ing routers.
> Packet kids don't bother with that any more -- now it's TCP SYN, UDP
> floods, or (the most popular) use of DDoS networks to overwhelm the
> entire pipe with all sorts of garbage.

While it is true that "sk3r1pt k1dd13z" use all types of protocols,
spoofed or not, from botnets and other sources, etc., that doesn't mean
the good, old-fashioned ping flood is no longer in existence.  It is
alive and (unfortunately) well.

Besides, even if it were not, the moment people stopped policing ICMP  
to their router CPUs, the k1dd13z would notice and BOOM!, it would be  
back in vogue.  Why bother SYN flooding a single web server when you  
can take out a whole datacenter for 1% of the packet rate?


> I'd be interested in knowing exactly what ICMP types and codes are
> prioritised last or considered "best-effort", but providers would likely
> argue that disclosing that information could result in them being open
> to attacks.  Round and round we go...

I believe the ACL used by most providers is "ICMP code matching *".

-- 
TTFN,
patrick
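The distinction the thread draws (ICMP answered by a router's own CPU is policed, ICMP and TCP merely forwarded through it are not) has a practical consequence for anyone reading a traceroute or mtr during an outage: loss that appears at one hop but vanishes at every later hop is the router rate-limiting its own ICMP replies, while real forwarding loss starting at a hop persists at every hop after it. The following is an added example, not code from the thread or from any provider; it parses a constructed `mtr --report`-style sample (hypothetical addresses from the RFC 5737 documentation ranges) and applies exactly that rule so the "it's just ICMP de-prioritisation" explanation can be checked against the data rather than taken on faith.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `mtr --report` output.  Addresses are
# hypothetical (RFC 5737 documentation ranges); this is not a real trace.
SAMPLE_MTR_REPORT = """\
HOST: probe.example            Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1               0.0%    10    0.5   0.6   0.4   0.9   0.1
  2.|-- 198.51.100.9           60.0%    10   12.1  11.8  10.9  13.0   0.7
  3.|-- 198.51.100.17           0.0%    10   13.4  13.1  12.5  14.2   0.5
  4.|-- 203.0.113.5            20.0%    10   25.0  24.7  23.9  26.1   0.6
  5.|-- 203.0.113.80           20.0%    10   25.8  25.5  24.6  26.9   0.7
"""

# hop number, responding address, loss percentage, probes sent
HOP_RE = re.compile(r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%\s+(\d+)\s")


@dataclass
class HopSample:
    hop: int
    address: str
    sent: int
    lost: int

    @property
    def loss_pct(self) -> float:
        return 100.0 * self.lost / self.sent if self.sent else 0.0


def parse_mtr_report(text: str) -> list:
    """Parse the per-hop lines of an mtr report into HopSample objects."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header or other non-hop line
        hop, addr, loss_pct, sent = int(m[1]), m[2], float(m[3]), int(m[4])
        hops.append(HopSample(hop, addr, sent, round(sent * loss_pct / 100)))
    return hops


def classify_hops(hops, threshold_pct: float = 1.0) -> dict:
    """Label each lossy hop.

    icmp-policing-suspected: this hop drops probes but at least one later
        hop answers cleanly, so transit traffic is getting through and the
        loss is the router's own ICMP generation being rate-limited.
    forwarding-loss: every hop after this one also shows loss (or this is
        the final hop), so packets really are being dropped on the path.
    """
    verdicts = {}
    for i, h in enumerate(hops):
        if h.loss_pct < threshold_pct:
            verdicts[h.hop] = "clean"
            continue
        downstream = hops[i + 1:]
        if downstream and min(x.loss_pct for x in downstream) < threshold_pct:
            verdicts[h.hop] = "icmp-policing-suspected"
        else:
            verdicts[h.hop] = "forwarding-loss"
    return verdicts


if __name__ == "__main__":
    for h, verdict in classify_hops(parse_mtr_report(SAMPLE_MTR_REPORT)).items():
        print(f"hop {h}: {verdict}")
```

In the constructed sample, hop 2 loses 60% of probes while hop 3 answers every one, which is the control-plane policing signature; hops 4 and 5 both lose 20%, which is loss that carries through to the destination and therefore cannot be explained away as ICMP de-prioritisation. The threshold exists because a single lost probe out of ten is noise, not evidence; raise it for short runs.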