On Thu, 25 Oct 2001 17:37:16 PDT, "Christopher J. Wolff" <chris@bblabs.com> said:
Unfortunately, in this case I am not a customer of Digital Island in any way, nor have I given them authorization to hammer my network 441 times (and counting) in the last two hours.
If you're worried about the authorization for the 441 PING packets, you might worry about the authorization for the *CONTENT* they intented to send you as well. I'm willing to bet that there were a *lot* more than 441 packets of content - and most likely, some user in your network asked for that content by visiting their web server. Remember - they'd not be doing all this probing unless they were expecting to send you enough data to amortize all the probing delays... What's next? Complaining about your DNS being hammered by some site because one of your users gets on their mailing list, and they need to look up the MX and A records for your mail server to send the mail? OK, so I'm just a bit touchy because I have a host that *used* to be an NTP server, ceased being one a year ago, and is still seeing an average of 150-200 packets *a second* pounding on it. Unlike 200 packets an hour, a flux of 200 packets a second is a significant percentage of said host's 10BaseT(*). What's even more astounding - during a 10 minute span a while ago, we saw hosts from 5 different sites try to contact the IP address that NTP server used to have. Over 7 years ago. And of course we have a canned e-mail response for the IWF incidents (idiot with firewall), for the cases when we're accused of portscanning his machine from our NTP server's port 123. Welcome to the Internet. Valdis Kletnieks Operating Systems Analyst Virginia Tech (*) This acutally ended up a fairly expensive proposition - the NTP traffic was sufficient to force a migration from nonswitched to switched hubs for that subnet some 18 months before it would otherwise have been necessary.