FWD: RE: FW: Getting hacked by Digital Isle?

Here is the official Digital Isle party line. The part that I like is

"3) Respond to this message requesting we stop pinging your server. In this event our pinging will cease in several days."

Several days? I'm wondering if I can send a bill to Digital Isle for beta testing their product on my time and bandwidth without even asking me.

Regards,
Christopher

Chris,

We apologize for any inconvenience caused by pings (ICMP_ECHO packets)
coming from our machines. Your server was being pinged as part of our
real-time "network weather" mapping system called Best Distributor
Selection. BDS is an essential part of Footprint, Digital Island's
intelligent network service offering. It is used to optimize
performance when your customers access the web resources of our
customers.

Many large web publishers, such as AOL, CNBC and Blue Mountain, use
our Footprint service to speed up the delivery of their web content.
Our system intelligently matches browsers to the servers on our
Footprint network that will provide the best performance. The dynamic
nature of routing and congestion on the Internet makes it necessary for
us to constantly update our maps.

Our network was pinging your system because it appeared to be a name
server with a sufficient number of resolution requests for our
customer web sites to be placed on the list of network nodes to be
constantly observed for Internet congestion.

By pinging your name server, we can provide better quality of service
to your users when they access the web sites of our expanding customer
list. We hope you will consider granting us permission to continue
pinging a name server in your domain.

Sandpiper Networks merged with Digital Island in December 1999, which
is why some of the machines pinging you were in digisle.net.

At this point you can:

1) Do nothing. Please accept our apologies and be assured that your
   machines are not being pinged by a hostile party.

2) Tell us if there is an alternate name server in your IP address
   space that you would like us to ping. We will direct future ping
   traffic to it.

3) Respond to this message requesting we stop pinging your server. In
   this event our pinging will cease in several days.

Regards,

Sean Gleason

Digital Island, Inc.

From: Sean Gleason <sgleason@digisle.net>
Date: Fri, 26 Oct 2001 01:02:21 +0000 (GMT)

> At this point you can:
>
> 1) Do nothing. Please accept our apologies and be assured that your
>    machines are not being pinged by a hostile party.

Hostile is a matter of definition. For some of us, these would be another
in the category of 'false positive' events that LOTs of us look at by
hand. I may be nitpicking here, but every security/network person who
takes time out of their schedule to analyze and dig into this 'test', is
having their time wasted. And the several days time frame is just poor judgement.

t

They should just implement it via a cgi on their webpage
where you can disable by your IP or some netblocks.

  The other thing to do is to just rate-limit icmp and know
that their stats will be off/incorrect.

  btw, 3 days does give them sufficient time to respond assuming you
were to send them something after COB on friday to respond by
monday. The encoding of the abuse info is better than those old +++ATH
packets.

  - Jared

Sure. On that same note, I'm sending you a bill for having to read this
pointless thread.

400 packets. I could understand your gripe if you were personally
hand-delivering packets via camel, but come on. If it bothers you, block
it. Stop whining.

Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills 301-682-9972
Xecunet, LLC www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access

Heh. I've found the best solution is to neither let ICMP in or out of
your network. It works wonders. :)

/nick

Not *all* ICMP is bad you know. For example, I can see prohibiting
redirects coming in, but what about going _out_?

In the real world, no "blanket acl" is likely to prove both effective
*and* useable simultaneously.
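
The two suggestions made so far in the thread, rate-limiting ICMP and filtering by type instead of using a blanket ACL, worked through as an added example (not code from any poster). The allow-list of types, the 1 packet/s rate with a burst of 5, and the packet list are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# ICMPv4 type numbers as assigned by IANA.
ECHO_REPLY, UNREACH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11
# Assumption: types let in unconditionally (ping replies, path-MTU discovery, traceroute).
ALLOW_IN = {ECHO_REPLY, UNREACH, TIME_EXCEEDED}

@dataclass
class TokenBucket:
    rate: int        # tokens refilled per second
    burst: int       # bucket capacity in tokens
    level: int = 0   # current fill in milli-tokens (integers avoid float drift)
    last_ms: int = 0

    def allow(self, now_ms: int) -> bool:
        # elapsed ms * tokens/s = milli-tokens earned since the last packet
        self.level = min(self.burst * 1000, self.level + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.level >= 1000:
            self.level -= 1000
            return True
        return False

def filter_inbound(packets, rate=1, burst=5):
    """Apply the policy to (timestamp_ms, icmp_type) pairs.

    Returns (verdicts, echo_sent, echo_passed)."""
    bucket = TokenBucket(rate, burst, level=burst * 1000)
    verdicts, echo_sent, echo_passed = [], 0, 0
    for ts_ms, icmp_type in packets:
        if icmp_type in ALLOW_IN:
            verdict = "accept"
        elif icmp_type == ECHO_REQUEST:
            echo_sent += 1
            verdict = "accept" if bucket.allow(ts_ms) else "drop"
            echo_passed += verdict == "accept"
        else:
            verdict = "drop"  # inbound redirects and anything unlisted
        verdicts.append(verdict)
    return verdicts, echo_sent, echo_passed

# Constructed input: a prober sending 10 echo requests per second for 4 s,
# followed by one inbound redirect and one destination-unreachable.
SAMPLE = [(i * 100, ECHO_REQUEST) for i in range(40)] + [(4000, REDIRECT), (4100, UNREACH)]

if __name__ == "__main__":
    verdicts, sent, passed = filter_inbound(SAMPLE)
    print(f"echo requests passed: {passed}/{sent}; last two verdicts: {verdicts[-2:]}")
```

With these settings the prober loses 32 of its 40 probes on a healthy path, which is the sense in which a measurement system's stats "will be off" behind a rate limit, while the unreachable message still gets through and the redirect does not.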

measl@mfn.org wrote:

> Heh. I've found the best solution is to neither let ICMP in or out of
> your network. It works wonders. :)
>
> /nick

This is getting a bit ridiculous.

ping was created to test connectivity. And most of our jobs here include
trying to improve performance of the internet in general. Is this not
what DI is doing, albeit in an automagic way?

Personally I find it annoying when some firewall administrator starts
blocking icmp. First thing I do when I've got a new router up is ping
yahoo.com. If a customer experiences connectivity issues... try pinging
yahoo.com. That gives me somewhere to start.

If Yahoo started blocking icmp, I'd imagine there'd be hordes of
engineers kicking themselves, doing 'sh run' over and over looking for
something wrong.

Fine, block icmp on your network. Don't complain the first time a
customer of mine can't get your site and I do absolutely nothing about
it.

Grant

You seem to have attributed the above nonsense about blocking all ICMP to
_me_, when in fact I was replying to it and attempting to point out how
inane this practice was. Please be more careful in your editing.

Works wonders at getting you listed at rfc-ignorant.org?

matto

>Personally I find it annoying when some firewall administrator starts
>blocking icmp. First thing I do when I've got a new router up is ping
>yahoo.com. If a customer experiences connectivity issues... try pinging
>yahoo.com. That gives me somewhere to start.

It is interesting to note that Yahoo! presented @ NANOG a couple days ago they were getting XX Mbps (15? I forget) of ICMP traffic. They mentioned they could use this data in a decision whether to consider limiting ICMP (without actually saying they were considering limiting ICMP).

Yahoo! has been relatively good to the Internet community, and making them pay for random tests seems to be a bit less than polite, IMHO.

Perhaps we should pick something else to ping, something that is relatively ubiquitous, something that everyone knows, something that should be up all the time, something that has good connectivity, something that everyone here would not mind sending random packets for random reasons ....

Yes, I think we all came to the same conclusion. From now on, everyone should ping www.microsoft.com to test connectivity. :)

>If Yahoo started blocking icmp, I'd imagine there'd be hordes of
>engineers kicking themselves, doing 'sh run' over and over looking for
>something wrong.

Personally, I would ping my upstream and/or some other location on the 'Net if XXX did not respond before I did "sho run". But that's me. :)

Is there an Akamai hostname we can ping which would get a response from the
closest cache? Or do we have to let you know in advance that we'll be doing
this?

Adi

They outsmarted us already in Redmond, sadly.
vivienm@quartz:~$ ping -s www.microsoft.com
PING www.microsoft.com: 56 data bytes
^C
----www.microsoft.com PING Statistics----
19 packets transmitted, 0 packets received, 100% packet loss

There are a few other organizations that fit your criteria, though, methinks... some of whom allow ICMP just fine and provide things that are slightly more vital than microsoft.com :)

Vivien

Unfortunately, pings to microsoft.com have been blocked for the last year or
so. Except for a short interval when their load-balancer puked and I was
getting 30+ return packets for each sent one...

-alex

>Is there an Akamai hostname we can ping which would get a response from the
>closest cache? Or do we have to let you know in advance that we'll be doing
>this?

Hrmmm.... Now that is a loaded question.

Allow me to ignore the question and mention one of the kewl ways Akamai optimizes traffic.

When you resolve an Akamaized hostname, the magical Akamai domain name system will magically respond with the IP addresses of at least two "optimal" Akamai servers. (They might not be "closest" because Akamai also takes into account things like server load, but they usually will be close - network wise.) This is frequently a server in the same ISP as the end user, especially in the US.

So, while you can do a dig on an Akamai hostname to get the IP address, also doing things like ping, or HTTP GETs, require you to resolve the hostname and go through the same resolution process. (Akamai cannot tell if you are doing an HTTP get, or a ping, or an FTP, or what when you do the resolution.)

In almost all cases, to use Akamai's service (i.e. be a customer), you need to have one or more Akamai hostnames associated with your web page, streaming server, etc. in some way.

Back to your question, as for permission, I am not the correct person to answer that question. However, they are public web servers, and they are designed to let anyone do HTTP downloads of the web content on them, so I know that is allowed.

Thank you for your interest in Akamai. :)

What's below doesn't quite fit the 'vital' criteria, but...

6:08:57pm|melange@pi:/home/melange> ping -c 1 www.riaa.org
PING www.riaa.org (208.225.90.120): 56 data bytes
64 bytes from 208.225.90.120: icmp_seq=0 ttl=111 time=29.475 ms

--- www.riaa.org ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 29.475/29.475/29.475/0.000 ms
6:09:06pm|melange@pi:/home/melange>

> It is interesting to note that Yahoo! presented @ NANOG a couple days ago
> they were getting XX Mbps (15? I forget) of ICMP traffic. They mentioned
> they could use this data in a decision whether to consider limiting ICMP
> (without actually saying they were considering limiting ICMP).

Ok.. I'm guilty of this as well, in fact my 'network watcher' sent
a single ping to www.yahoo.com every 15 minutes until your post.
I just turned it off.

Now, here's a real issue, many of us probably have similar systems
that ping upstream connections and page/alert/log when there are
problems. My 'watcher' could also grab a web page (checking port 80)
or do other tests, but I have always assumed that the ping was the least
amount of traffic easily and reliably sent to check connectivity.

What's the best way to monitor upstream connectivity for this purpose?

Personally, I do not see anything wrong with pinging your upstream. You PAY them, they will take any and all traffic you send them (unless otherwise stated in something like an AUP). Ping away.

Of course, that leaves the question as to whether your upstream can get to the rest of the world....