Digital Island sponsors DoS attempt?

Chris,

As the message says, this is not an attack of any kind. It is a system which collects metrics for our Footprint Content Delivery System.

The system is attempting to determine the closest servers to your network, to provide good service to your customers when they download from Footprint customers such as Microsoft.

I'm sure you will get a response from abuse@digisle.net very shortly, but I wanted to allay your fears quickly. There is no attack.

- jason

* Jason Forester sez:

As the message says, this is not an attack of any kind. It is a system
which collects metrics for our Footprint Content Delivery System.

I am sure, Digital Island gets the necessary permissions from network
owners before hammering them with those requests, right?

The same "permissions" that allow seamless end-to-end connectivity across
the entire Internet. The same "permissions" you granted to others when
you signed the connectivity agreement.

Unfortunately, in this case I am not a customer of Digital Island in any
way, nor have I given them authorization to hammer my network 441 times (and
counting) in the last two hours.

However I'm thinking that someone else is spoofing their identity in some
way...at any rate they should be aware of this problem.

Regards,
Christopher J. Wolff, VP, CIO
Broadband Laboratories, Inc.
http://www.bblabs.com
email:chris@bblabs.com
phone:520.622.4338 x234

They're of the opinion that they don't need your permission... if they want to hammer your network, they will.

'course, a nice ACL at the borders reminds 'em who your network actually belongs to

441 echo requests in two hours?

That doesn't sound like a very big hammer :)

Joe

Wow ... I see another long thread coming :(

ACLs are a reactive solution. An ICMP probe or two may be unwanted but not
excessive. 441 times (depending on the size of one's network) could be
excessive. Why should I have to waste processor cycles to keep these guys
out?

>Unfortunately, in this case I am not a customer of Digital Island in any
>way, nor have I given them authorization to hammer my network 441 times (and
>counting) in the last two hours.

>They're of the opinion that they don't need your permission... if they want

Then you can complain to them and make them stop and the other guy can put
an ACL on his border routers. Neat how we get to manage our own network
eh...

andy

You shouldn't have to. But they don't seem to honor requests to stop.

<cue twilight zone music>

This is the story of a network who didn't learn the lesson of above.net vs orbs.

</music>

I may not have the whole story, but I don't believe above.net had much to
do with the demise of ORBS. Some in-country lawsuit did.

andy

Above.net's blocking of ORBS led to fewer and fewer networks using ORBS and IMHO it contributed to the weakness that allowed the lawsuit to happen and thrive. If ORBS had been a stronger service with more users, they might have done things differently before or during the lawsuit.

What happens to Digital Island if networks (especially large networks) start blocking them because they won't stop repeatedly scanning when asked? Can it do them *any* good?

jc

Above.net's blocking of ORBS led to fewer and fewer networks using ORBS and
IMHO it contributed to the weakness that allowed the lawsuit to happen and
thrive. If ORBS had been a stronger service with more users, they might
have done things differently before or during the lawsuit.

Maybe, but I think you're reaching.. :)

What happens to Digital Island if networks (especially large networks)
start blocking them because they won't stop repeatedly scanning when
asked? Can it do them *any* good?

That I agree with. I expect it's a mistake on their end and they will fix
it. It wouldn't be very scalable to scan every network hundreds of times
an hour.

andy

Since no one has asked the relevant question, I'll ask.

Does this system probe networks only in response to a request for
content, or are networks monitored even when there are no requests
for content?

While I don't think {ping,dns,other} probes in response to a content
request are the best way to offer better service to the user, they
are at least in response to a user request, and proportional to the
number of user requests. I would find it hard to call them 'wrong',
or 'bad'.

Probing other networks 'just in case' a request comes from that
network is highly ineffective, introduces useless load to the
network, and is just plain rude.

Above.net's blocking of ORBS led to fewer and fewer networks using ORBS and
IMHO it contributed to the weakness that allowed the lawsuit to happen and
thrive. If ORBS had been a stronger service with more users, they might
have done things differently before or during the lawsuit.

What happens to Digital Island if networks (especially large networks)
start blocking them because they won't stop repeatedly scanning when
asked? Can it do them *any* good?

I would assume they might develop a better probing methodology that is
harder to detect or block.

Is it really productive to deem the packets of others "dirty" when you
willingly participate in a public-access medium? Are the probes creating
more overhead than an ACL?

Or is someone just pissed because they have their pager linked to
tail -f ids.log?

This brings up one of those age-old questions - how paranoid is too
paranoid? I, for one, do not view pings in and of themselves as any sort of
security threat or network abuse, even a couple hundred per hour (assuming
these aren't 1500-byte packets coming in on a dialup). I personally will
log and report SYNs coming in to port 139, 111, et al, but I could care
less about ICMP or port 80 SYNs as long as they're not using a significant
amount of bandwidth.

Speaking from personal opinion, but working for a company that does
network performance probing similar to what DI's doing, I would hope for
their sake that DI is only pinging hosts that have already been a destination
IP for a not-insignificant number of packets traversing their network. If
they're just doing random pinging, well, that's not real useful to begin with,
and, as someone else stated, kinda rude. We don't target an IP for performance
probes unless there's a decent amount of traffic going there from our
customers already...

-C

'course, a nice ACL at the borders reminds 'em who your network actually
belongs to

well, be careful with your acl's, because if you accidentally disrupt
nonabusive traffic as a side effect of protecting your network from
abuse, you'll shortly be hearing complaints from EFF about how you've
disenfranchised said nonabusers.

If you're worried about the authorization for the 441 PING packets, you
might worry about the authorization for the *CONTENT* they intended to
send you as well. I'm willing to bet that there were a *lot* more than
441 packets of content - and most likely, some user in your network
asked for that content by visiting their web server. Remember - they'd
not be doing all this probing unless they were expecting to send you enough
data to amortize all the probing delays...

What's next? Complaining about your DNS being hammered by some site because
one of your users gets on their mailing list, and they need to look up the
MX and A records for your mail server to send the mail?

OK, so I'm just a bit touchy because I have a host that *used* to be an
NTP server, ceased being one a year ago, and is still seeing an average
of 150-200 packets *a second* pounding on it. Unlike 200 packets an hour,
a flux of 200 packets a second is a significant percentage of said
host's 10BaseT(*). What's even more astounding - during a 10 minute span
a while ago, we saw hosts from 5 different sites try to contact the IP
address that NTP server used to have. Over 7 years ago.

And of course we have a canned e-mail response for the IWF incidents
(idiot with firewall), for the cases when we're accused of portscanning
his machine from our NTP server's port 123.

Welcome to the Internet.

        Valdis Kletnieks
        Operating Systems Analyst
        Virginia Tech

(*) This actually ended up a fairly expensive proposition - the NTP
traffic was sufficient to force a migration from nonswitched to switched
hubs for that subnet some 18 months before it would otherwise have
been necessary.

> I am sure, Digital Island gets the necessary permissions from network
> owners before hammering them with those requests, right?

The same "permissions" that allow seamless end-to-end connectivity across
the entire Internet. The same "permissions" you granted to others when
you signed the connectivity agreement.

"everything not expressly forbidden is allowed" is a workable model for
peering relationships and even transit relationships, but it only works
within the context of a direct relationship of some kind.

in the case where the sender and receiver are communicating between one
or many third parties, there is no direct relationship and thus no a priori
terms of service to which the traffic must conform. for this, we reverse the
model: "everything not welcomed is forbidden" and thus create a prior
restraint problem which goes by the name "what, then, is implicitly
welcome or unwelcome?"

generally any traffic which unequally benefits the sender isn't welcome.
ping traffic, even ping traffic which helps one network figure out how to
best route traffic to another, still unequally benefits the sender. one
ought not, in my opinion, ever have to ask that such pings be stopped.

another test for "welcome" is "if everybody did this, would the recipient
be injured?" clearly this is the same profile as "unequal benefit to the
sender" and the answer in the case of these pings is "yes, ouch."

smurf, ddos in general, and spam also classify well by this criteria. it
*is* possible to know before initiating communication whether it's implicitly
"welcome" by this standard, even if you have no direct relationship to the
recipient whose terms and conditions would explicitly tell you the answer.

"everything not expressly forbidden is allowed" is a workable model for
peering relationships and even transit relationships, but it only works
within the context of a direct relationship of some kind.

in the case where the sender and receiver are communicating between one
or many third parties, there is no direct relationship and thus no a priori
terms of service to which the traffic must conform. for this, we reverse the
model: "everything not welcomed is forbidden" and thus create a prior
restraint problem which goes by the name "what, then, is implicitly
welcome or unwelcome?"

Until there are standards and technology available to push subscriber
policy to the edge of the network and beyond, the subscriber has
explicitly accepted the overall terms and conditions by which the service
is to be provided. Since peering agreements are typically "not forbidden
is allowed", subscribers too have adopted this policy by their express
consent to the service provider's terms of service.

Service providers stand on this high ground frequently when they deny
their subscribers access to particular hosts on the Internet for violations
of "Acceptable Use" policies.

When technology and standards are in place to enforce subscriber policy
globally, then we can both establish and charge for specific
subscriber terms and conditions. This sounds pretty ludicrous, if not
dangerous.

generally any traffic which unequally benefits the sender isn't welcome.
ping traffic, even ping traffic which helps one network figure out how to
best route traffic to another, still unequally benefits the sender. one
ought not, in my opinion, ever have to ask that such pings be stopped.

I am assuming in this discussion that when you refer to "benefit", you are
in fact referring to "financial benefit". If this is the case I would be
forced to disagree. Packets exchanged between parties that participate in
a Sender Keep All settlement relationship cannot be to the exclusive
benefit of a single party. The parties have already agreed on settlement,
and thus are already getting compensated for the delivery of said packets.
(This is of course true regardless of the settlement model.)

another test for "welcome" is "if everybody did this, would the recipient
be injured?"

An interesting hypothesis, but it is seldom the case that the sender of
traffic knows the details of the recipient's infrastructure.

One-hundred-million clients attempting to access a news agency during a
crisis may certainly produce a denial of service, but this
was surely not the intent of the originator.

smurf, ddos in general, and spam also classify well by this criteria. it

Smurf and DDOS attacks are precisely that - attacks. They are
intentionally initiated for the purpose of disrupting infrastructure or
service. They are illegal.

Spam - and here we are again. Since it is nearly universally accepted
that spam creates an unfair financial benefit for the spammer, then it
is safe to suggest that the cost arrangement should be completely
reversed. This breaks most provider settlement relationships. (This of
course, all ignoring the fact that spammers already break acceptable use
policies for their own providers.)

*is* possible to know before initiating communication whether it's implicitly
"welcome" by this standard, even if you have no direct relationship to the
recipient whose terms and conditions would explicitly tell you the answer.

It is? I am curious as to what exactly you are referring to.

Regards,
James