Fwd: Re: Digital Island sponsors DoS attempt?
To: chris@bblabs.com
Subject: Re: Digital Island sponsors DoS attempt?
Cc: nanog@merit.edu, abuse@digisle.net

Chris,

As the message says, this is not an attack of any kind. It is a system which collects metrics for our Footprint Content Delivery System. The system is attempting to determine the closest servers to your network, to provide good service to your customers when they download from Footprint customers such as Microsoft.

I'm sure you will get a response from abuse@digisle.net very shortly, but I wanted to allay your fears quickly. There is no attack.

- jason

-----Original Message-----
From: Christopher J. Wolff [mailto:chris@bblabs.com]
Sent: Thursday, October 25, 2001 12:58 PM
To: nanog@merit.edu
Subject: Digital Island sponsors DoS attempt?

Hello friends,

My IDS was just tripped over 300 times. The decoded packet says:

mailto:abuse@digisle.com for questions This ICMP ECHO REQUEST/REPLY is part of the real-time network monitoring performed by Digital Island Inc. It is not an attack. If you have questions please contact abuse@digisle.com

We are not on their network or in any way affiliated with Digital Island, I'm just curious if anyone else has seen this anomaly, if it is legit, or if it is a real attack being spoofed from Digital Island...no response from abuse@digisle.com yet.

Regards,
Christopher J. Wolff, VP, CIO
Broadband Laboratories, Inc.
http://www.bblabs.com
email:chris@bblabs.com
phone:520.622.4338 x234

--
Jason Forester jasonf@digisle.net
Network Performance Engineer
Digital Island
* Jason Forester sez:
As the message says, this is not an attack of any kind. It is a system which collects metrics for our Footprint Content Delivery System.
I am sure, Digital Island gets the necessary permissions from network owners before hammering them with those requests, right?
The same "permissions" that allow seamless end-to-end connectivity across the entire Internet. The same "permissions" you granted to others when you signed the connectivity agreement.

On Thu, 25 Oct 2001, Jonas Luster wrote:
* Jason Forester sez:
As the message says, this is not an attack of any kind. It is a system which collects metrics for our Footprint Content Delivery System.
I am sure, Digital Island gets the necessary permissions from network owners before hammering them with those requests, right?
Unfortunately, in this case I am not a customer of Digital Island in any way, nor have I given them authorization to hammer my network 441 times (and counting) in the last two hours. However I'm thinking that someone else is spoofing their identity in some way...at any rate they should be aware of this problem.

Regards,
Christopher J. Wolff, VP, CIO
Broadband Laboratories, Inc.
http://www.bblabs.com
email:chris@bblabs.com
phone:520.622.4338 x234

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Jonas Luster
Sent: Thursday, October 25, 2001 4:57 PM
To: nanog@merit.edu
Subject: Re: Fwd: Re: Digital Island sponsors DoS attempt?

* Jason Forester sez:
As the message says, this is not an attack of any kind. It is a system which collects metrics for our Footprint Content Delivery System.
I am sure, Digital Island gets the necessary permissions from network owners before hammering them with those requests, right?
At 08:37 PM 10/25/2001, Christopher J. Wolff wrote:
Unfortunately, in this case I am not a customer of Digital Island in any way, nor have I given them authorization to hammer my network 441 times (and counting) in the last two hours.
They're of the opinion that they don't need your permission... if they want to hammer your network, they will. 'course, a nice ACL at the borders reminds 'em who your network actually belongs to
Wow ... I see another long thread coming :(

ACLs are a reactive solution. An ICMP probe or two may be unwanted but not excessive. 441 times (depending on the size of one's network) could be excessive. Why should I have to waste processor cycles to keep these guys out?
At 08:37 PM 10/25/2001, Christopher J. Wolff wrote:
Unfortunately, in this case I am not a customer of Digital Island in any way, nor have I given them authorization to hammer my network 441 times (and counting) in the last two hours.
They're of the opinion that they don't need your permission... if they want to hammer your network, they will.
'course, a nice ACL at the borders reminds 'em who your network actually belongs to
Then you can complain to them and make them stop and the other guy can put an ACL on his border routers. Neat how we get to manage our own network eh...

andy
--
PGP Key Available at http://www.tigerteam.net/andy/pgp

On Thu, 25 Oct 2001, Wojtek Zlobicki wrote:
Wow ... I see another long thread coming :(
ACLs are a reactive solution. An ICMP probe or two may be unwanted but not excessive. 441 times (depending on the size of one's network) could be excessive. Why should I have to waste processor cycles to keep these guys out?
At 08:37 PM 10/25/2001, Christopher J. Wolff wrote:
Unfortunately, in this case I am not a customer of Digital Island in any way, nor have I given them authorization to hammer my network 441 times (and counting) in the last two hours.
They're of the opinion that they don't need your permission... if they want to hammer your network, they will.
'course, a nice ACL at the borders reminds 'em who your network actually belongs to
On 09:13 PM 10/25/2001 -0400, Dave Stewart wrote:
At 08:58 PM 10/25/2001, Wojtek Zlobicki wrote:
excessive. Why should I have to waste processor cycles to keep these guys out.
You shouldn't have to. But they don't seem to honor requests to stop.
<cue twilight zone music> This is the story of a network who didn't learn the lesson of above.net vs orbs. </music>
On Thu, 25 Oct 2001, JC Dill wrote:
<cue twilight zone music>
This is the story of a network who didn't learn the lesson of above.net vs orbs.
</music>
I may not have the whole story, but I don't believe above.net had much to do with the demise of ORBS. Some in-country lawsuit did.

andy
--
PGP Key Available at http://www.tigerteam.net/andy/pgp
On Thu, Oct 25, 2001 at 05:37:16PM -0700, Christopher J. Wolff wrote:
Unfortunately, in this case I am not a customer of Digital Island in any way, nor have I given them authorization to hammer my network 441 times (and counting) in the last two hours.
441 echo requests in two hours? That doesn't sound like a very big hammer :)

Joe
* Joe Abley sez:
On Thu, Oct 25, 2001 at 05:37:16PM -0700, Christopher J. Wolff wrote:
Unfortunately, in this case I am not a customer of Digital Island in any way, nor have I given them authorization to hammer my network 441 times (and counting) in the last two hours.
441 echo requests in two hours?
That doesn't sound like a very big hammer :)
It is also way more than necessary to gather any kind of statistics or improve any kind of routing. 441/120 == one every 20 seconds. I cannot possibly imagine any circumstances in which this amount of "testing" is necessary if the remote end is some site outside the influence of Digital Island.

Was the testing end 100 percent positive not to hit some dial-up line it's keeping artificially up? Also, a generated IDS/firewall log would imply some kind of blocking of those requests - if I don't get a reply at the first five tries, why do I keep up probing the IP? And IF there was a reply - what about this test is so important that it has to be repeated in 20-second intervals?

jonas
--
Jonas M. Luster -- jluster@d-fensive.com -- +1 408 768 4148
1024D/8B06BE75 -- 0E0A 8672 78B5 DB9F A911 1C04 2E20 4C9B 8B06 BE75
http://www.d-fensive.com (work) -- http://www.baysec.org/~jluster/ (play)
--On Friday, October 26, 2001 12:06 AM -0700 Jonas Luster <jluster@d-fensive.com> wrote:
It is also way more than necessary to gather any kind of statistics or improve any kind of routing. 441/120 == one every 20 seconds. I cannot possibly imagine any circumstances in which this amount of "testing" is necessary if the remote end is some site outside the influence of Digital Island.
Real-time congestion / behaviour dependent routing. Of course whether it works or not is another question.

If your IDS considers one ping packet every 20 seconds an 'intrusion' attempt, it is broken. You get one dialup user who wonders about packet loss to your site, and sets a ping going, once a second, for 20 mins and logs the results, and that's 20 times as much 'intrusion'. Either seems to me reasonable behaviour rather than network abuse, provided they stop if asked. Both are trying (possibly misguidedly) to improve connectivity between your site and theirs.

--
Alex Bligh
Personal Capacity
On Fri, 26 Oct 2001, Jonas Luster wrote:
* Joe Abley sez:
On Thu, Oct 25, 2001 at 05:37:16PM -0700, Christopher J. Wolff wrote:
441 echo requests in two hours?
That doesn't sound like a very big hammer :)
It is also way more than necessary to gather any kind of statistics or improve any kind of routing. 441/120 == one every 20 seconds. I cannot possibly imagine any circumstances in which this amount of "testing" is necessary if the remote end is some site outside the influence of Digital Island.
I didn't see anything in this thread to indicate that one IP address was pinged 441 times. The network was pinged 441 times. Furthermore, I didn't see anything to indicate that the network was pinged from a single host. If this was a single measurement repeated 441 times, I'd have a much different view of it than if it was a set of 441 distinct measurements in response to multiple user requests. I've assumed that it was multiple measurements to different hosts in the destination network from different sites under DI's control.

As long as the testing is proportionate with the amount of content delivered to the end user's machine, you don't need to save many TCP retransmits to cause a net benefit to the network. (Yes, the destination network, too. Not just the transmitting network or the intervening transit networks.)

-Steve
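An added example, not from the thread, of the rate-based look at IDS events that Alex's and Steve's posts argue for: echo requests are grouped per source, and the count, number of distinct targets, mean spacing and presence of the self-identifying payload decide whether a source is a slow periodic poller or a burst. The log format, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed IDS events (not from the thread): "<ISO time> <src> -> <dst> <tag>"
SAMPLE_LOG = """\
2001-10-25T12:00:00 198.51.100.7 -> 192.0.2.10 self-identifying-probe
2001-10-25T12:00:20 198.51.100.7 -> 192.0.2.11 self-identifying-probe
2001-10-25T12:00:40 198.51.100.7 -> 192.0.2.12 self-identifying-probe
2001-10-25T12:01:00 198.51.100.7 -> 192.0.2.10 self-identifying-probe
2001-10-25T12:01:00 203.0.113.9 -> 192.0.2.10 -
2001-10-25T12:01:00 203.0.113.9 -> 192.0.2.10 -
2001-10-25T12:01:01 203.0.113.9 -> 192.0.2.10 -
"""

def parse_events(log_text):
    """Parse one event per line into (timestamp, src, dst, payload_tag)."""
    events = []
    for line in log_text.splitlines():
        ts, src, _arrow, dst, tag = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, tag))
    return events

def summarize_by_source(events):
    """Per source: request count, distinct targets, mean spacing in seconds,
    and whether every payload carried the self-identifying marker."""
    by_src = defaultdict(list)
    for ts, src, dst, tag in events:
        by_src[src].append((ts, dst, tag))
    stats = {}
    for src, rows in by_src.items():
        rows.sort()
        n = len(rows)
        span = (rows[-1][0] - rows[0][0]).total_seconds()
        stats[src] = {
            "count": n,
            "targets": len({dst for _, dst, _ in rows}),
            "mean_interval": span / (n - 1) if n > 1 else None,
            "self_identified": all(tag != "-" for _, _, tag in rows),
        }
    return stats

def verdict(src_stats, flood_interval=1.0):
    """'flood' if requests average closer than flood_interval seconds apart,
    'periodic-probe' for a slow steady poller, 'single' for a lone packet."""
    if src_stats["count"] < 2:
        return "single"
    if src_stats["mean_interval"] < flood_interval:
        return "flood"
    return "periodic-probe"
```

With the constructed log, 198.51.100.7 comes out as a periodic probe (four requests, three targets, 20 s apart) and 203.0.113.9 as a flood; the flood_interval threshold is an assumption to tune per network.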
On Fri, 26 Oct 2001, Jonas Luster wrote:
It is also way more than necessary to gather any kind of statistics or improve any kind of routing. 441/120 == one every 20 seconds.
Jonas,

It's one every 20 seconds from -one- ISP. What happens when thousands of ISPs begin offering this service?

a) more people are woken up at 3am by tripped IDS systems
b) more people filter all icmp and break the internet
c) more people have to add more acls to their routers to prevent pushing garbage as much as possible at the core, driving up cost and cpu

This service should clearly be "opt-in".

Also, I believe the second comment made on this thread was regarding the idea that we implicitly give people permission to do this sort of thing by connecting to the internet (or per our sla/whatever). I surely do not give people permission to attack my network, why is this any different? Intentions?

rgds,
Adam
On Thu, 25 Oct 2001 17:37:16 PDT, "Christopher J. Wolff" <chris@bblabs.com> said:
Unfortunately, in this case I am not a customer of Digital Island in any way, nor have I given them authorization to hammer my network 441 times (and counting) in the last two hours.
If you're worried about the authorization for the 441 PING packets, you might worry about the authorization for the *CONTENT* they intended to send you as well. I'm willing to bet that there were a *lot* more than 441 packets of content - and most likely, some user in your network asked for that content by visiting their web server. Remember - they'd not be doing all this probing unless they were expecting to send you enough data to amortize all the probing delays...

What's next? Complaining about your DNS being hammered by some site because one of your users gets on their mailing list, and they need to look up the MX and A records for your mail server to send the mail?

OK, so I'm just a bit touchy because I have a host that *used* to be an NTP server, ceased being one a year ago, and is still seeing an average of 150-200 packets *a second* pounding on it. Unlike 200 packets an hour, a flux of 200 packets a second is a significant percentage of said host's 10BaseT(*). What's even more astounding - during a 10 minute span a while ago, we saw hosts from 5 different sites try to contact the IP address that NTP server used to have. Over 7 years ago. And of course we have a canned e-mail response for the IWF incidents (idiot with firewall), for the cases when we're accused of portscanning his machine from our NTP server's port 123.

Welcome to the Internet.

Valdis Kletnieks
Operating Systems Analyst
Virginia Tech

(*) This actually ended up a fairly expensive proposition - the NTP traffic was sufficient to force a migration from nonswitched to switched hubs for that subnet some 18 months before it would otherwise have been necessary.
On Thu, Oct 25, 2001 at 01:31:34PM -1000, Jason Forester wrote:
As the message says, this is not an attack of any kind. It is a system which collects metrics for our Footprint Content Delivery System.
The system is attempting to determine the closest servers to your network, to provide good service to your customers when they download from Footprint customers such as Microsoft.
Since no one has asked the relevant question, I'll ask. Does this system probe networks only in response to a request for content, or are networks monitored even when there are no requests for content?

While I don't think {ping,dns,other} probes in response to a content request are the best way to offer better service to the user, they are at least in response to a user request, and proportional to the number of user requests. I would find it hard to call them 'wrong', or 'bad'. Probing other networks 'just in case' a request comes from that network is highly ineffective, introduces useless load to the network, and is just plain rude.

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
participants (14)
- Adam Herscher
- Alex Bligh
- Andy Walden
- Christopher J. Wolff
- Dave Stewart
- James Thomason
- Jason Forester
- JC Dill
- Joe Abley
- Jonas Luster
- Leo Bicknell
- Steve Schaefer
- Valdis.Kletnieks@vt.edu
- Wojtek Zlobicki