How worried is too worried? Plus, a Global Crossing Story.
I truly enjoyed the wide range of responses to my Digital Island post. Everything from "DI is perfectly justified" to "tell DI to stick it", haha.

I certainly do not run the largest ISP, nor the smallest, but my small company is managing customer connectivity on both coasts of the continental US. My customers know me as the one that cares about their network infrastructure and can answer most questions quickly. I enjoy offering personal service.

I also take pride in managing my network well. I know, for the most part, what kinds of traffic are passing through my network. This helps me take a proactive stance to issues before they become my customers' business impediments.

Therefore, I have to respectfully take exception to the opinion of "Welcome to the Internet, there's nothing you can do, just don't worry about 441 packets."

I partner with companies that share my view of network management. Recently I had an issue with a customer that was claiming poor throughput. Global Crossing did everything in their power to analyze their network, my network, and my customer's server farm. Although this turned out to be a TCP/IP tuning issue on the particular host, Global Crossing did not charge me a premium for investigating this issue.

Throughout this resolution, Global Crossing earned my respect and confidence that I am *partnered* with a vendor instead of just buying bandwidth from them.

Just my $0.02,
Christopher J. Wolff, VP, CTO Broadband Laboratories
Perhaps you can speak with your friends at Global Crossing, and have filters placed on your upstream routers to prevent stray "DDOS attacks from Digital Island".

Just curious, but aren't you a little more concerned about all of those "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" requests than a few ICMP datagrams from Digital Island?

Regards,
James

On Thu, 25 Oct 2001, Christopher Wolff wrote:
> I truly enjoyed the wide range of responses to my Digital Island post. Everything from "DI is perfectly justified" to "tell DI to stick it", haha.
>
> I certainly do not run the largest ISP, nor the smallest, but my small company is managing customer connectivity on both coasts of the continental US. My customers know me as the one that cares about their network infrastructure and can answer most questions quickly. I enjoy offering personal service.
>
> I also take pride in managing my network well. I know, for the most part, what kinds of traffic are passing through my network. This helps me take a proactive stance to issues before they become my customers' business impediments.
>
> Therefore, I have to respectfully take exception to the opinion of "Welcome to the Internet, there's nothing you can do, just don't worry about 441 packets."
>
> I partner with companies that share my view of network management. Recently I had an issue with a customer that was claiming poor throughput. Global Crossing did everything in their power to analyze their network, my network, and my customer's server farm. Although this turned out to be a TCP/IP tuning issue on the particular host, Global Crossing did not charge me a premium for investigating this issue.
>
> Throughout this resolution, Global Crossing earned my respect and confidence that I am *partnered* with a vendor instead of just buying bandwidth from them.
>
> Just my $0.02,
> Christopher J. Wolff, VP, CTO Broadband Laboratories
It sounds like time for an explanation of what Digital Island is. I'm sure marketing will be upset with me for dropping the official "corporate positioning" language, but here goes:

There are multiple pieces to Digital Island, the two biggest being an Internet backbone network (mostly carrying web hosting traffic) and a content delivery network (it competes with Akamai, which many of you are probably more familiar with). I work in the hosting side of the company, and have considerably less knowledge of the content delivery network, so I won't promise to be entirely accurate here.

The packets you're seeing come from the content delivery network. Content delivery networks consist of caching web servers spread out around the world. When a user requests web content cached by the CDN, a DNS request is sent looking up the caching server. The CDN then calculates which caching server is closest to the requester (or more specifically, the DNS server the requester is using), and sends back the IP address of the closest caching server. The user's web browser then contacts the local caching server, and does the download from there.

My knowledge of how exactly those measurements are done is a bit hazy, and Jason is certainly a better person to answer that than I am. However, the ICMP echo requests you're seeing are at least part of the process, and aren't being done unless your users are requesting content from our CDN. They aren't being done at random, and aren't being done as part of a research project. They're just being done to send you or your users the content you or they requested from the right caching server.

I hope this helps. I'm sure somebody who knows more about CDNs (ours or others) will jump in and correct whatever I've gotten wrong.

-Steve

On Thu, 25 Oct 2001, Christopher Wolff wrote:
> I truly enjoyed the wide range of responses to my Digital Island post. Everything from "DI is perfectly justified" to "tell DI to stick it", haha.
>
> I certainly do not run the largest ISP, nor the smallest, but my small company is managing customer connectivity on both coasts of the continental US. My customers know me as the one that cares about their network infrastructure and can answer most questions quickly. I enjoy offering personal service.
>
> I also take pride in managing my network well. I know, for the most part, what kinds of traffic are passing through my network. This helps me take a proactive stance to issues before they become my customers' business impediments.
>
> Therefore, I have to respectfully take exception to the opinion of "Welcome to the Internet, there's nothing you can do, just don't worry about 441 packets."
>
> I partner with companies that share my view of network management. Recently I had an issue with a customer that was claiming poor throughput. Global Crossing did everything in their power to analyze their network, my network, and my customer's server farm. Although this turned out to be a TCP/IP tuning issue on the particular host, Global Crossing did not charge me a premium for investigating this issue.
>
> Throughout this resolution, Global Crossing earned my respect and confidence that I am *partnered* with a vendor instead of just buying bandwidth from them.
>
> Just my $0.02,
> Christopher J. Wolff, VP, CTO Broadband Laboratories
--
Steve Gibbard scg@gibbard.org
On Thu, Oct 25, 2001 at 10:46:37PM -0700, Christopher Wolff wrote:
> I truly enjoyed the wide range of responses to my Digital Island post. Everything from "DI is perfectly justified" to "tell DI to stick it", haha.
Remember, an IDS is only as useful as the operator. Perhaps it's time to re-think thresholds, response strategy, and what truly constitutes "abuse" in your book, before complaining to NANOG that a content delivery provider's performance measuring hosts are pinging you without prior consent. These complaints not only distract from real abuse, they have the potential to get innocent parties in trouble for things they didn't do. If people who are going to make security complaints would take the opportunity to first try and find a legitimate explanation, it would make the world a better place. In this case, Digital Island went above and beyond the call of duty by specifically padding "probe" packets with useful identifying info...
> I partner with companies that share my view of network management. Recently I had an issue with a customer that was claiming poor throughput. Global Crossing did everything in their power to analyze their network, my network, and my customer's server farm [...]
Not bad. Bonus points if you can have the same folks at Global Crossing ACL out ICMP echo-requests heading your way so we can end this thread already.

-adam
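As an added example (not code from the thread or from any of its posters), a small triage routine in the spirit of James's and Adam's points: it counts ICMP echo requests per source against a tunable threshold, and separately flags the double-encoded traversal requests James quotes by decoding `%255c` back to a backslash before looking for `../` or `cmd.exe`. The sample events, IP addresses and threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample events: two ICMP echo requests from one source and one
# IIS traversal request shaped like the one James quotes in the thread.
EVENTS = [
    "icmp echo-request src=192.0.2.10 dst=203.0.113.5",
    "icmp echo-request src=192.0.2.10 dst=203.0.113.6",
    'http src=198.51.100.7 "GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"',
]

# Assumed per-source threshold; tune it to your own traffic (Adam's point).
ICMP_PER_SOURCE_THRESHOLD = 100


def normalize_path(raw):
    """Percent-decode until the string stops changing (%255c -> %5c -> \\),
    capped at three rounds, then fold backslashes into forward slashes."""
    path = raw
    for _ in range(3):
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path):
    """True when the normalized path climbs directories or targets cmd.exe."""
    p = normalize_path(raw_path).lower()
    return "../" in p or "cmd.exe" in p


def triage(events, icmp_threshold=ICMP_PER_SOURCE_THRESHOLD):
    """Return (high-priority HTTP events, ICMP count per source, noisy sources)."""
    high = []
    icmp = Counter()
    for ev in events:
        if ev.startswith("icmp echo-request"):
            src = re.search(r"src=(\S+)", ev).group(1)
            icmp[src] += 1          # counted, not alerted, unless over threshold
        elif ev.startswith("http"):
            m = re.search(r'"GET (\S+) HTTP', ev)
            if m and is_traversal(m.group(1)):
                high.append(ev)     # worth a look regardless of volume
    noisy = [s for s, n in icmp.items() if n > icmp_threshold]
    return high, icmp, noisy
```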
On Fri, 26 Oct 2001, Adam Rothschild wrote:
> On Thu, Oct 25, 2001 at 10:46:37PM -0700, Christopher Wolff wrote:
> > I truly enjoyed the wide range of responses to my Digital Island post. Everything from "DI is perfectly justified" to "tell DI to stick it", haha.
>
> Remember, an IDS is only as useful as the operator.
>
> Perhaps it's time to re-think thresholds, response strategy, and what truly constitutes "abuse" in your book, before complaining to NANOG that a content delivery provider's performance measuring hosts are
Rethink?

<perhaps my deranged opinion>

How about think in the first place? Call me crazy, but, folks, this is the Internet. Protocols like ICMP were designed here as a tool. Expect to be pinged, probed, prodded, or anything else. Ask not of your peer to stop sending you off traffic; instead, ask what your own systems can do to protect you from it.

IMHO, this entire belief that someone sending you a stray packet constitutes a federal emergency with bells and whistles going off drives abuse@nac.net and legal@nac.net to suicide attempts.

Example, as recent as yesterday: An unnamed, but rather large bank, sent legal@nac.net a complaint, based upon the fact that a dialup user of ours sent an ICMP echo request to www.[that_large_bank].com. Yes, just one. Is this really a problem? Are we so mad that we can't ping a host on the Internet anymore?

</perhaps my deranged opinion>

-- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben --
-- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
participants (5)
- Adam Rothschild
- Alex Rubenstein
- Christopher Wolff
- James Thomason
- Steve Gibbard