RE: [SOT Rant] Non-hostile probes / opt-in/out
LOL! I believe that the question should be: Why are you pinging me? Tell me what admin who sees thousands of ping from one host does not investigation the nature? Do mean to say that if you were to log thousands of pings, you would ignore them? Also many ping attacks start with harmless ping probes. Marc -----Original Message----- From: James Thomason [mailto:james@divide.org] Sent: Friday, October 26, 2001 3:00 PM To: Patrick W. Gilmore Cc: nanog@merit.edu; Quibell, Marc Subject: RE: [SOT Rant] Non-hostile probes / opt-in/out If I did, and they responded negatively, I would tell them YOU said it was a good idea. Seriously, why should the administrators of *.army.mil care if I test packet response time between our networks? Is this an illegal activity I am unaware of? On Fri, 26 Oct 2001, Patrick W. Gilmore wrote:
At 02:16 PM 10/26/2001 -0500, Quibell, Marc wrote:
Maybe you should ping NS01.ARMY.MIL about 2400 times in 3 hour and see
if
you don't get a visit? Pinging a website 2 times means nothing..
How about 441 times in 2 hours? :)
Marc
-- TTFN, patrick
On Fri, 26 Oct 2001, Quibell, Marc wrote:
LOL!
I believe that the question should be: Why are you pinging me? Tell me what admin who sees thousands of ping from one host does not investigation the nature? Do mean to say that if you were to log thousands of pings, you would ignore them?
Also many ping attacks start with harmless ping probes.
The example you gave noted 2400 ICMP echo requests in a three hour period. On most systems I have worked with, the standard ping utility sends ICMP echo requests at a rate of one per second. This is 3600 echo requests per hour, 10800 in a three hour period. In my experience, is fairly common place to leave ping running for extended periods of time to observe network performance and detect intermittent problems. I would think this number of echo requests from a single host in such a timeframe is hardly abnormal, and I could care less. Should I receive 10800 echo requests in less than a minute I could become concerned, depending on the popularity of the system in question.
Marc
-----Original Message----- From: James Thomason [mailto:james@divide.org] Sent: Friday, October 26, 2001 3:00 PM To: Patrick W. Gilmore Cc: nanog@merit.edu; Quibell, Marc Subject: RE: [SOT Rant] Non-hostile probes / opt-in/out
If I did, and they responded negatively, I would tell them YOU said it was a good idea.
Seriously, why should the administrators of *.army.mil care if I test packet response time between our networks? Is this an illegal activity I am unaware of?
On Fri, 26 Oct 2001, Patrick W. Gilmore wrote:
At 02:16 PM 10/26/2001 -0500, Quibell, Marc wrote:
Maybe you should ping NS01.ARMY.MIL about 2400 times in 3 hour and see
if
you don't get a visit? Pinging a website 2 times means nothing..
How about 441 times in 2 hours? :)
Marc
-- TTFN, patrick
In the referenced message, Quibell, Marc said:
LOL!
I believe that the question should be: Why are you pinging me? Tell me what admin who sees thousands of ping from one host does not investigation the nature? Do mean to say that if you were to log thousands of pings, you would ignore them?
Why are you requesting the Digital Island content? Don't want them pinging you? Stop requesting content from them. I'm actually serious here. If you don't think their methods are "good", then boycotting them and their customers is a decent enough way to voice your vote. My guess is that Digital Island will continue to exist, and you will be safely partitioned away from the network. I don't believe any of the Network Operators who are a part of NANOG would care about 1000 ping packets. The existence of the packets, or even the number is not as important as their frequency, duration, size, and number of simultaneous sources/destinations. The original case of 400-some odd packets across 2 hours isn't much of anything. Generally, the sniff test is whether it is actually causing a problem or not. If it _is_ a problem, contact them, and ask them to stop. If they can't or won't, then filter them. The point I think several people have tried to point out is that maybe your logging of thousands of pings is more of a problem than the thousands of pings themselves.
Also many ping attacks start with harmless ping probes.
Yeah, and many attacks start without a ping, and many pings do not precede an attack.
Marc
Stephen
participants (3)
-
James Thomason
-
Quibell, Marc
-
Stephen Griffin