
Re: [Bacula-users] Failed backup: Network send error to SD. Broken Pipe

2008-06-09 20:06:54
From: Alan Brown <ajb2 AT mssl.ucl.ac DOT uk>
To: Christian Nolte <ch.nolte AT noltec DOT org>
Date: Mon, 9 Jun 2008 10:41:53 +0100 (BST)
On Sat, 7 Jun 2008, Christian Nolte wrote:

> >> Strato is not filtering any ICMP traffic on this machine.
> >
> > Yes, but what about on their border routers?
> >
>
> I have asked them about ICMP filtering and they said that they are not
> doing any kind of ICMP filtering. I did not, however, ask them about the
> border routers. I will do that on Monday.
>
> Let's say they are doing ICMP filtering. What implication would that
> have on my bacula configuration? Would that mean that it is impossible
> to use bacula in such a scenario?

ICMP is a traffic control protocol. The problem with blanket ICMP
filtering is that it breaks path MTU discovery algorithms and other
control mechanisms aimed at throttling congested networks.

If they are blocking all ICMP at the border router then you can solve the
problem on Linux boxes with the following command at BOTH ends:

echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc

Note that this will mess up connections to systems which do use path MTU
discovery, by forcing the use of lowest MTU - this generates a LOT more
packet overhead.


This is my observation on ICMP issues. Feel free to quote.


ICMP filtering is often attempted by inexperienced/naive admins in an
effort to mitigate DoS attacks. Unfortunately, if done incorrectly, such
filtering can make things significantly WORSE, as ICMP is the traffic
control protocol for the Internet.

Bear in mind that blocking inbound traffic as a DoS control measure is not
effective - the traffic is already saturating your link. Traffic
throttling must be performed BEFORE it arrives at your border routers.

If ICMP filtering is required, then consider using the following pointers.

1: Preventing participation in "smurf" attacks:

    Filter ALL traffic to BROADCAST addresses
    Ensure all systems are configured to NOT respond to ICMP pings on
broadcast addresses


2: Prevention of general ICMP attacks on individual machines:

  Configure ICMP throttling. This will pass ICMP, but rate limit traffic
if it exceeds preset levels. All Cisco routers (and most other brands) are
capable of rate limiting ICMP.

3: Security concerns

  If filtering against attempts at network discovery, then consider only
filtering ICMP ping - but bear in mind there are at least 40 other ways of
mapping internal networks without using ICMP. If you really want to
prevent discovery of internal topologies then proper firewalling
techniques are in order - for both in and outbound traffic - AND make sure
you are not leaking details via DNS or other means.
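The path MTU discovery failure that the ip_no_pmtu_disc workaround addresses, as an added example that is not part of the original post or of Bacula. It is a toy model of RFC 1191 behaviour: the sender sets DF, a router whose next hop is too small drops the datagram and returns ICMP type 3 code 4 ("fragmentation needed") carrying the next-hop MTU, and the sender shrinks its path MTU and retries. The three scenarios run the same transfer with ICMP working, with all ICMP filtered at the border (the black hole that shows up as a stalled transfer and "Broken pipe" at the application), and with ICMP filtered but DF cleared, which is what ip_no_pmtu_disc=1 does: data gets through because routers fragment it, at the cost of extra headers and datagrams. The hosts, link MTUs and payload size are constructed for illustration.

```python
"""Toy model of path MTU discovery with and without ICMP filtering.

Added illustration, not code from the mailing-list post. The path below
(sender NIC 1500, a tunnel hop 1400, a narrow link 1280) and the 4000-byte
payload are constructed values.
"""
from dataclasses import dataclass

IP_HEADER = 20  # bytes; transport headers are ignored to keep the model small


@dataclass
class Result:
    delivered: int = 0      # payload bytes that reached the receiver
    sent: int = 0           # datagrams the sender put on the wire
    arrived: int = 0        # datagrams (incl. fragments) that reached the receiver
    frag_overhead: int = 0  # extra IP header bytes created by router fragmentation
    icmp_sent: int = 0      # ICMP 3/4 "fragmentation needed" generated by routers
    icmp_seen: int = 0      # ... of those, the ones the sender actually received
    pmtu: int = 0           # the sender's path MTU estimate at the end
    black_hole: bool = False


def fragment(size, mtu):
    """Split a datagram of `size` bytes into fragments that fit `mtu`.

    Every fragment but the last carries a payload that is a multiple of 8,
    because IP fragment offsets are expressed in 8-byte units.
    """
    payload = size - IP_HEADER
    per_frag = (mtu - IP_HEADER) // 8 * 8
    pieces = []
    while payload > 0:
        chunk = min(per_frag, payload)
        pieces.append(chunk + IP_HEADER)
        payload -= chunk
    return pieces


def send(payload, path_mtus, filter_icmp, no_pmtu_disc, max_retries=3):
    """Push `payload` bytes over links with MTUs `path_mtus` (sender first).

    filter_icmp:   a border device drops every ICMP message.
    no_pmtu_disc:  the sender clears DF (Linux ip_no_pmtu_disc=1), so routers
                   fragment oversized datagrams instead of dropping them.
    """
    pmtu = path_mtus[0]          # sender starts from its own interface MTU
    r = Result()
    remaining = payload
    retries = 0
    while remaining > 0:
        size = min(pmtu, remaining + IP_HEADER)
        df = not no_pmtu_disc
        r.sent += 1
        in_flight = [size]
        dropped = False
        for mtu in path_mtus:
            forwarded = []
            for s in in_flight:
                if s <= mtu:
                    forwarded.append(s)
                elif df:
                    # Router must drop: DF set and the datagram is too big.
                    r.icmp_sent += 1
                    dropped = True
                    if not filter_icmp:
                        r.icmp_seen += 1
                        pmtu = mtu   # sender learns the next-hop MTU
                else:
                    pieces = fragment(s, mtu)
                    r.frag_overhead += IP_HEADER * (len(pieces) - 1)
                    forwarded.extend(pieces)
            if dropped:
                break
            in_flight = forwarded
        if dropped:
            retries += 1
            if retries > max_retries:
                # No ICMP ever came back: the sender keeps retransmitting the
                # same oversized datagram. Small packets (the handshake) work,
                # bulk data never arrives.
                r.black_hole = True
                break
            continue
        r.arrived += len(in_flight)
        r.delivered += size - IP_HEADER
        remaining -= size - IP_HEADER
        retries = 0
    r.pmtu = pmtu
    return r


if __name__ == "__main__":
    path = [1500, 1400, 1280]   # constructed link MTUs, sender side first
    for label, filt, nodisc in [("PMTUD working", False, False),
                                ("all ICMP filtered", True, False),
                                ("filtered + ip_no_pmtu_disc=1", True, True)]:
        print(f"{label:32s} {send(4000, path, filt, nodisc)}")
```

The third scenario is why the post warns about overhead: the same 4000 bytes arrive as seven datagrams instead of four, every one of them refragmented at each narrower hop, and none of the routers' ICMP feedback is ever used. It is a workaround for a broken border, not a substitute for letting ICMP type 3 through.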

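A check for the three pointers above (no blanket ICMP drop, rate-limit rather than block pings, drop traffic to broadcast addresses), as an added example that is not from the original post. It is a deliberately simple first-match walk over an INPUT chain in `iptables-save` syntax: for each ICMP type that matters it reports the verdict the chain would give, then flags the anti-patterns. The two rulesets are constructed samples, and the parser assumes one rule per line as `iptables-save` emits it; a rule with `-m limit` is reported as a rate-limited accept rather than modelling the token bucket.

```python
"""Audit an iptables INPUT chain for the ICMP mistakes described in the post.

Added illustration, not code from the mailing-list post. Rulesets below are
constructed samples in iptables-save syntax.
"""

# ICMP types that path MTU discovery and congestion/TTL feedback depend on:
# 3 destination unreachable (code 4 = fragmentation needed), 4 source quench,
# 11 time exceeded. Blocking these is what breaks long transfers.
ESSENTIAL_ICMP_TYPES = {3, 4, 11}
ECHO_REQUEST = 8

BLANKET_DROP = """
-P INPUT ACCEPT
-A INPUT -p icmp -j DROP
"""

RATE_LIMITED = """
-P INPUT DROP
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
-A INPUT -p icmp -j DROP
"""


def parse_rule(parts):
    """Extract the fields this audit cares about from one tokenised rule."""
    rule = {"proto": None, "icmp_type": None, "limit": None,
            "dst_type": None, "target": None}
    i = 0
    while i < len(parts):
        tok = parts[i]
        if tok == "-p":
            rule["proto"] = parts[i + 1]
        elif tok == "--icmp-type":
            rule["icmp_type"] = int(parts[i + 1].split("/")[0])  # "3/4" -> 3
        elif tok == "--limit":
            rule["limit"] = parts[i + 1]
        elif tok == "--dst-type":
            rule["dst_type"] = parts[i + 1]
        elif tok == "-j":
            rule["target"] = parts[i + 1]
        i += 2 if tok in ("-p", "--icmp-type", "--limit", "--dst-type", "-j") else 1
    return rule


def input_rules(ruleset):
    """Yield (policy, rule) pairs; policy is carried as a plain string."""
    policy = "ACCEPT"
    rules = []
    for line in ruleset.strip().splitlines():
        parts = line.split()
        if parts[:2] == ["-P", "INPUT"]:
            policy = parts[2]
        elif parts[:2] == ["-A", "INPUT"]:
            rules.append(parse_rule(parts))
    return policy, rules


def verdict(ruleset, icmp_type):
    """First-match verdict for a unicast ICMP datagram of the given type."""
    policy, rules = input_rules(ruleset)
    for rule in rules:
        if rule["proto"] not in (None, "icmp"):
            continue                      # rule is for another protocol
        if rule["dst_type"] == "BROADCAST":
            continue                      # our probe is unicast
        if rule["icmp_type"] is not None and rule["icmp_type"] != icmp_type:
            continue
        return rule["target"] + ("(limited)" if rule["limit"] else "")
    return policy


def broadcast_dropped(ruleset):
    _, rules = input_rules(ruleset)
    return any(r["dst_type"] == "BROADCAST" and r["target"] == "DROP" for r in rules)


def audit(ruleset):
    """Return a list of findings; an empty list means the chain follows the pointers."""
    findings = []
    blocked = sorted(t for t in ESSENTIAL_ICMP_TYPES
                     if verdict(ruleset, t) in ("DROP", "REJECT"))
    if blocked:
        findings.append(f"blocks ICMP types {blocked}: breaks PMTU discovery and congestion feedback")
    ping = verdict(ruleset, ECHO_REQUEST)
    if ping == "ACCEPT":
        findings.append("echo-request accepted without a rate limit")
    elif ping in ("DROP", "REJECT"):
        findings.append("echo-request dropped outright; rate-limit it instead (dropping ping alone does not prevent discovery)")
    if not broadcast_dropped(ruleset):
        findings.append("no rule dropping traffic to broadcast addresses (smurf amplification)")
    return findings


if __name__ == "__main__":
    for name, rs in (("blanket drop", BLANKET_DROP), ("rate limited", RATE_LIMITED)):
        print(name, "->", audit(rs) or "OK")
```

Run against real output of `iptables-save`, the interesting result is a chain that drops type 3 before any accept: that is the border-router behaviour the thread is chasing, and the backup stalls on the first full-size segment rather than at connect time.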

Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users