How worried is too worried? Plus, a Global Crossing Story.

I truly enjoyed the wide range of responses to my Digital Island post. Everything from DI is perfectly justified to 'tell DI to stick it' haha.

I certainly do not run the largest ISP, nor the smallest, but my small company is managing customer connectivity on both coasts of the continental US. My customers know me as the one that cares about their network infrastructure and can answer most questions quickly. I enjoy offering personal service.

I also take pride in managing my network well. I know, for the most part, what kinds of traffic are passing through my network. This helps me take a proactive stance to issues before they become my customers' business impediments.

Therefore, I have to respectfully take exception to the opinion of "Welcome to the Internet, there's nothing you can do, just don't worry about 441 packets."

I partner with companies that share my view of network management. Recently I had an issue with a customer that was claiming poor throughput. Global Crossing did everything in their power to analyze their network, my network, and my customer's server farm. Although this turned out to be a TCP/IP tuning issue on the particular host, Global Crossing did not charge me a premium for investigating this issue.

Throughout this resolution, Global Crossing earned my respect and confidence that I am *partnered* with a vendor instead of just buying bandwidth from them.

Just my $0.02,

Christopher J. Wolff, VP, CTO
Broadband Laboratories

Perhaps you can speak with your friends at Global Crossing, and have
filters placed on your upstream routers to prevent stray "DDOS attacks
from Digital Island".

Just curious, but aren't you a little more concerned about all of those
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../
winnt/system32/cmd.exe?/c+dirHTTP/1.0" requests than a few ICMP datagrams
from Digital Island?

Regards,
James
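
Added example, not part of the thread: one way to flag requests like the one James quotes in a web server access log, by percent-decoding the request target until it stops changing and then checking for traversal sequences, overlong UTF-8 lead bytes and `cmd.exe`. The log lines, client addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (common log format, documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2001:10:00:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [01/Oct/2001:10:00:02 -0400] "GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310',
    '198.51.100.7 - - [01/Oct/2001:10:00:03 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310',
    '203.0.113.5 - - [01/Oct/2001:10:00:09 -0400] "GET /docs/100%25-uptime.html HTTP/1.0" 200 512',
]
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+)')

def decode_fully(target, max_rounds=5):
    """Percent-decode repeatedly; return (bytes, number of passes that changed it)."""
    raw = target.encode("latin-1", "replace")
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw, rounds = decoded, rounds + 1
    return raw, rounds

def classify(line):
    """Return the list of indicators found in one log line's request target."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    raw, rounds = decode_fully(m.group(1))
    reasons = []
    if rounds > 1:                       # e.g. %255c -> %5c -> backslash
        reasons.append("multi-encoded")
    if b"\xc0" in raw or b"\xc1" in raw:  # never valid in UTF-8: overlong lead bytes
        reasons.append("overlong-utf8")
    if re.search(rb"\.\.[\\/]", raw):    # ../ or ..\ after decoding
        reasons.append("traversal")
    if b"cmd.exe" in raw.lower():
        reasons.append("cmd.exe")
    return reasons

def scan(lines):
    """Return (client address, indicators) for every line with at least one hit."""
    return [(l.split()[0], r) for l in lines if (r := classify(l))]

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG):
        print(client, ",".join(reasons))
```

The last sample line shows why decoding stops when the value is stable: a legitimately encoded `%25` decodes once and is not flagged.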

It sounds like time for an explanation of what Digital Island is. I'm
sure marketing will be upset with me for dropping the official "corporate
positioning" language, but here goes:

There are multiple pieces to Digital Island, the two biggest being an
Internet backbone network (mostly carrying web hosting traffic) and a
content delivery network (it competes with Akamai, which many of you are
probably more familiar with). I work in the hosting side of the company,
and have considerably less knowledge of the content delivery network, so I
won't promise to be entirely accurate here. The packets you're seeing
come from the content delivery network.

Content delivery networks consist of caching web servers spread out around
the world. When a user requests web content cached by the CDN, a DNS
request is sent looking up the caching server. The CDN then calculates
which caching server is closest to the requester (or more specifically,
the DNS server the requester is using), and sends back the IP address of
the closest caching server. The user's web browser then contacts the
local caching server, and does the download from there.

My knowledge of how exactly those measurements are done is a bit hazy, and
Jason is certainly a better person to answer that than I am. However, the
ICMP echo requests you're seeing are at least part of the process, and
aren't being done unless your users are requesting content from our CDN.
They aren't being done at random, and aren't being done as part of a
research project. They're just being done to send you or your users the
content you or they requested from the right caching server.

I hope this helps. I'm sure somebody who knows more about CDNs (ours or
others) will jump in and correct whatever I've gotten wrong.

-Steve

I truly enjoyed the wide range of responses to my Digital Island
post. Everything from DI is perfectly justified to 'tell DI to
stick it' haha.

Remember, an IDS is only as useful as the operator.

Perhaps it's time to re-think thresholds, response strategy, and what
truly constitutes "abuse" in your book, before complaining to NANOG
that a content delivery provider's performance measuring hosts are
pinging you without prior consent. These complaints not only distract
from real abuse, they have the potential to get innocent parties in
trouble for things they didn't do.

If people who are going to make security complaints would take the
opportunity to first try and find a legitimate explanation, it would
make the world a better place. In this case, Digital Island went above
and beyond the call of duty by specifically padding "probe" packets
with useful identifying info...

I partner with companies that share my view of network management.
Recently I had an issue with a customer that was claiming poor
throughput. Global Crossing did everything in their power to
analyze their network, my network, and my customer's server farm
[...]

Not bad. Bonus points if you can have the same folks at Global
Crossing ACL out ICMP echo-requests heading your way so we can end
this thread already.

-adam

Rethink?

<perhaps my deranged opinion>

How about think in the first place?

Call me crazy, but, folks, this is the Internet. Protocols like ICMP were
designed here as a tool. Expect to be pinged, probed, prodded, or anything
else.

Ask not of your peer to stop sending you off traffic, instead, ask what
your own systems can do to protect you from it.

IMHO, this entire belief that someone sending you a stray packet
constitutes a federal emergency with bells and whistles going off drives
abuse@nac.net and legal@nac.net to suicide attempts.

Example, as recently as yesterday: An unnamed, but rather large bank, sent
legal@nac.net a complaint, based upon the fact that a dialup user of ours
sent an ICMP echo request to www.[that_large_bank].com. Yes, just one. Is
this really a problem? Are we so mad that we can't ping a host on the
Internet anymore?

</perhaps my deranged opinion>

-- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben --
-- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --