IEPM

ICMP Rate Limiting

Executive Summary

Part 1: Introduction Tools and Techniques
Part 2: Detailed Study and List of Candidates

SLAC Home Page

Issue

I had a very specific brief - to figure out what sites were performing rate-limiting on pings and to develop automated tools to do the same under the able guidance and supervision of Les Cottrell and Warren Mathews.

Approach

Since we had a vast amount of Ping information collected over a long period of time I looked at it in detail to see if the answer lay in there. I discovered by performing a frequency analysis of packet drops that I could discover Rate limiting performed by certain mechanisms (like TailDrop scheme ) but not other schemes (such as RED, and CAR) and that it was almost impossible to detect these by Ping measurements alone.

This led me to experiment with other tools such as Sting and Synack, both of which use TCP, the same transport protocol that actual data is sent over, and hence less susceptible to artificial blocking/limiting.

While synack raised the hackles of some system admins, and we therefore needed to assure them beforehand that we were not doing anything that would damage their systems, Sting, inspite of producing somewhat less reliable results, went through without anybody taking cognizance and hence proved to be my tool of choice. I carried out several sets of experiments of simultaneous measurements by Ping and Sting to detect if TCP traffic under Sting suffered much less loss than Ping, which would indicate that data traffic was receiving preferential treatment as compared to ICMP and hence indicate ICMP rate limiting.

The early results have been somewhat mixed in proving which sites actually carry out rate-limiting and I believe more measurements separate them out more clearly.

At the same time, analysis of responses to pings of 100 bytes and 1000 bytes have revealed clearly that the sites we suspect to be rate-limiting, on the average *do* seem to be carrying out rate-limiting (avg asymmetry is almost = 2*(avg over all sites) )

Also, Ping vs Sting over those sites that exhibit low network reachability has illustrated some sites to be definitely rate-limiting.

Conclusion

In conclusion, while I have attained statistical evidence of rate-limiting over about 20% of sites monitored from Oceanus (about 40/200), I have been able to identify only about 25% of these (about 10) with certainty. I believe further results can identify more clearly the ones that are performing rate-limiting, as will more stability of new tools like Sting.

Back to top

Created June 4, 2000
URL: http://www-iepm.slac.stanford.edu/pinger/tools.html
Comments to iepm-l@slac.stanford.edu