Planet-Lab.org traffic
At about 17:40 EDT today we started seeing traffic from planet-lab.org nodes at 25+ US universities all directed at one of our hosting boxes. It's all ICMP and high port UDP stuff. Nothing terrible from what we can tell, but it's triggering a constant stream of IDS alerts and auto-blocks. Not easy to configure for since the traffic originates from subnets all over the place, and the list of originating nodes is growing every few minutes.

It's horribly annoying, and trying to determine the source using the tools provided on the planet-lab.org site is pretty much impossible as the search tool returns nothing at all times. Yes, we've opened a ticket with support@planet-lab.org already.

Has anyone else had to deal with this, or is anyone connected to that particular project listening? I'm all for academic projects, but the approach here is rubbing me the wrong way.
On Thu, Mar 22, 2012 at 6:58 PM, Drew Linsalata <drew.linsalata@gmail.com> wrote:
> Has anyone else had to deal with this, or is anyone connected to that

people get dos'd (or think they do, not you in this case) regularly.

> particular project listening? I'm all for academic projects, but the approach here is rubbing me the wrong way.

normally their support arm had been helpful... in the past at least I'd gotten responses :(
In fairness to the PlanetLab folks, I did get a response to my original ticket and someone from NANOG also contacted me after my post. I do appreciate that.

I will repeat that the traffic is not malicious, but it might be a more friendly policy to allow network operators to automatically opt-out of that environment if desired. Since we have some semblance of clue it was obvious within 30 seconds that this was an academic research network at play, and only took another 15 seconds to figure out that it was PlanetLab, so just let me add my subnets to a database which then prevents the "uber cluster" from including those subnets when generating experimental traffic.

Another option might be to clearly state which prefixes the traffic may originate from so operators can filter accordingly. The cluster is pretty widespread so I realize that might not be very practical.

Simply assuming that we won't mind having PlanetLab researchers using our assets as a lab isn't terribly cool.

On Thu, Mar 22, 2012 at 9:07 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
> On Thu, Mar 22, 2012 at 6:58 PM, Drew Linsalata <drew.linsalata@gmail.com> wrote:
>> Has anyone else had to deal with this, or is anyone connected to that
>
> people get dos'd (or think they do, not you in this case) regularly.
>
>> particular project listening? I'm all for academic projects, but the approach here is rubbing me the wrong way.
>
> normally their support arm had been helpful... in the past at least I'd gotten responses :(
participants (2)
- Christopher Morrow
- Drew Linsalata