Re: MicroSoft amplification?
I see it too, on that address and on the second of the 3 addresses mapped to www.microsoft.com (the third address doesn't respond at all). Most likely this is due to a not very smart load distribution system. I suspect each of these addresses really front-ends about 10 web servers. The load distributor doesn't know what to do with ICMP packets so it sends them to all of the servers (and they all respond, in the case of ICMP echo). This probably makes PMTUD work a lot better, but it sucks for ICMP Echo.

(I wonder if all Akamai setups are so affected.)

Tony Rall

So with all the noise about Code Red, and in the process of trying to recover from various attacks, I happened to try to ping www.microsoft.com. It's probably par for the course that this happens:

Wed Aug 1 14:05:29 bross@ogre:~ $ ping www.microsoft.com
PING www.microsoft.akadns.net (207.46.197.100): 56 data bytes
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=37.5 ms
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=41.2 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=42.8 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=43.9 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=45.0 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=46.1 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=47.3 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=48.4 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=49.5 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=57.6 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=39.8 ms
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=41.4 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=42.7 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=43.3 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=44.4 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=45.5 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=46.8 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=47.9 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=49.0 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=51.6 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=3 ttl=45 time=39.6 ms

I find it interesting and almost amusing that MicroSoft's own web server can be used for amplification attacks.

--
Brandon Ross 404-522-5400
EVP Engineering, NetRail http://www.netrail.net
AIM: BrandonNR ICQ: 2269442
Read RFC 2644!

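An added example, not part of the original thread: a Python sketch that counts echo replies per (source, icmp_seq) in saved ping output, which turns the (DUP!) lines shown above into a replies-per-request factor for an address you operate. The sample output uses constructed documentation addresses, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Reply lines as printed by Linux/BSD ping ("from 192.0.2.10: icmp_seq=1 ...")
# and by Solaris `ping -s` ("from host (198.51.100.7): icmp_seq=0. ...").
REPLY_RE = re.compile(
    r"bytes from (?:\S+ \()?(?P<src>[0-9A-Fa-f.:]+?)\)?: icmp_seq=(?P<seq>\d+)"
)

def replies_per_request(ping_output):
    """Count replies per (source, icmp_seq) instead of trusting the (DUP!) tag."""
    counts = Counter()
    for line in ping_output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            counts[(m.group("src"), int(m.group("seq")))] += 1
    return counts

def amplification_report(ping_output):
    """Per source: requests answered, total replies, worst replies-per-request."""
    per_src = defaultdict(list)
    for (src, _seq), n in replies_per_request(ping_output).items():
        per_src[src].append(n)
    # max_factor is used because the last sequence may be cut short by ^C.
    return {
        src: {"requests": len(ns), "replies": sum(ns), "max_factor": max(ns)}
        for src, ns in per_src.items()
    }

def amplifiers(ping_output, threshold=2):
    """Sources that returned at least `threshold` replies to one echo request."""
    report = amplification_report(ping_output)
    return sorted(s for s, r in report.items() if r["max_factor"] >= threshold)

# Constructed sample (documentation addresses) in the two formats seen in the thread.
SAMPLE = """\
64 bytes from 192.0.2.10: icmp_seq=1 ttl=45 time=37.5 ms
64 bytes from 192.0.2.10: icmp_seq=1 ttl=45 time=41.2 ms (DUP!)
64 bytes from 192.0.2.10: icmp_seq=1 ttl=45 time=42.8 ms (DUP!)
64 bytes from 192.0.2.10: icmp_seq=2 ttl=45 time=39.8 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=45 time=41.4 ms (DUP!)
64 bytes from 192.0.2.10: icmp_seq=3 ttl=45 time=39.6 ms
64 bytes from host.example (198.51.100.7): icmp_seq=0. time=75. ms
64 bytes from host.example (198.51.100.7): icmp_seq=1. time=73. ms
"""

if __name__ == "__main__":
    for src, row in amplification_report(SAMPLE).items():
        print(src, row)
    print("amplifying:", amplifiers(SAMPLE))
```
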
On Wed, Aug 01, 2001 at 04:26:55PM -0700, Tony Rall wrote:
> (I wonder if all Akamai setups are so affected.)

Doesn't seem like it to me:

falcon:adam% ping -s www.yahoo.com
PING www.yahoo.akadns.net: 56 data bytes
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=0. time=75. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=1. time=73. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=2. time=87. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=3. time=102. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=4. time=76. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=5. time=67. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=6. time=68. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=7. time=62. ms
^C
----www.yahoo.akadns.net PING Statistics----
8 packets transmitted, 8 packets received, 0% packet loss
round-trip (ms) min/avg/max = 62/76/102

--Adam

--
Adam Korab
RFC 882 put the dot in .com, not Sun Microsystems

On Wed, 01 Aug 2001 16:26:55 PDT, Tony Rall <trall@almaden.ibm.com> said:
> echo). This probably makes PMTUD work a lot better, but it sucks for ICMP

Or totally horques it up entirely if the actual data path used has a different PMTU. No way this will work if 9 paths are clean and one requires a frag. ;)

I won't discuss what to do if you get back 10 FRAG NEEDED packets, with differing frag sizes ;)

/Valdis

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> (I wonder if all Akamai setups are so affected.)

No, they are not.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBO2nO6kksS4VV8BvHEQKUjACglUX+7PgxqBzoJfaHaTSVemRo2awAoKpx
RNNnZ7qyo+OiF5ogchLQ3UCG
=+n+4
-----END PGP SIGNATURE-----

participants (4)
- Adam Korab
- Mike Batchelor
- Tony Rall
- Valdis.Kletnieks@vt.edu