MicroSoft amplification?

I see it too, on that address and on the second of the 3 addresses mapped
to www.microsoft.com (the third address doesn't respond at all).

Most likely this is due to a not very smart load distribution system. I
suspect each of these addresses really front-ends about 10 web servers.
The load distributor doesn't know what to do with ICMP packets so it sends
them to all of the servers (and they all respond, in the case of ICMP
echo). This probably makes PMTUD work a lot better, but it sucks for ICMP
Echo.

(I wonder if all Akamai setups are so affected.)

Tony Rall

So with all the noise about Code Red, and in the process of trying to
recover from various attacks, I happened to try to ping
www.microsoft.com. It's probably par for the course that this happens:

Wed Aug 1 14:05:29 bross@ogre:~ $ ping www.microsoft.com
PING www.microsoft.akadns.net (207.46.197.100): 56 data bytes
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=37.5 ms
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=41.2 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=42.8 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=43.9 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=45.0 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=46.1 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=47.3 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=48.4 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=49.5 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=57.6 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=39.8 ms
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=41.4 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=42.7 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=43.3 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=44.4 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=45.5 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=46.8 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=47.9 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=49.0 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=51.6 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=3 ttl=45 time=39.6 ms

I find it interesting and almost amusing that MicroSoft's own web server
can be used for amplification attacks.

Doesn't seem like it to me:

falcon:adam% ping -s www.yahoo.com
PING www.yahoo.akadns.net: 56 data bytes
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=0. time=75. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=1. time=73. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=2. time=87. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=3. time=102. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=4. time=76. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=5. time=67. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=6. time=68. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=7. time=62. ms
^C
----www.yahoo.akadns.net PING Statistics----
8 packets transmitted, 8 packets received, 0% packet loss
round-trip (ms) min/avg/max = 62/76/102

--Adam
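One way to put a number on what the two transcripts above show, added here as an example and not anything posted in the thread: a short Python script that parses both ping output styles (the Linux one with `(DUP!)` markers from the www.microsoft.com test, and the Solaris-style one from the www.yahoo.com test), groups replies by icmp_seq, and reports how many replies each echo request drew. It counts per sequence number rather than trusting the `(DUP!)` marker, since not every ping implementation prints one. The sample transcripts are the lines quoted in the two posts; the regex, function names and the `summarize` report format are mine.

```python
import re
from collections import defaultdict

# Matches one echo-reply line in either of the two formats seen in the thread:
#   Linux/iputils: "64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=37.5 ms (DUP!)"
#   Solaris style: "64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=0. time=75. ms"
REPLY_RE = re.compile(
    r"^(?P<bytes>\d+) bytes from (?P<src>\S+?)(?: \((?P<addr>[\d.]+)\))?: "
    r"icmp_seq=(?P<seq>\d+)\.?(?: ttl=(?P<ttl>\d+))? time=(?P<rtt>\d+(?:\.\d+)?)\.? ms"
    r"(?P<dup> \(DUP!\))?\s*$"
)


def parse_replies(output):
    """Return one record per echo-reply line; PING headers and statistics lines are skipped."""
    replies = []
    for line in output.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            replies.append({
                "seq": int(m["seq"]),
                "rtt_ms": float(m["rtt"]),
                "dup_flagged": m["dup"] is not None,
            })
    return replies


def replies_per_seq(replies):
    """Map icmp_seq -> number of replies received for that single echo request."""
    counts = defaultdict(int)
    for r in replies:
        counts[r["seq"]] += 1
    return dict(counts)


def summarize(output):
    """Requests seen, replies seen, and the worst-case reply count for one request.

    A factor of 1 means one reply per request; 10 means one echo request
    drew ten replies, i.e. the target behaves as a 10x packet amplifier.
    """
    counts = replies_per_seq(parse_replies(output))
    return {
        "requests": len(counts),
        "replies": sum(counts.values()),
        "factor": max(counts.values(), default=0),
    }


# Transcript from the www.microsoft.com test in the thread (the capture stops
# just after icmp_seq=3 was first answered, so that sequence is incomplete).
MICROSOFT_PING = """\
PING www.microsoft.akadns.net (207.46.197.100): 56 data bytes
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=37.5 ms
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=41.2 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=42.8 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=43.9 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=45.0 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=46.1 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=47.3 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=48.4 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=49.5 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=57.6 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=39.8 ms
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=41.4 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=42.7 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=43.3 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=44.4 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=45.5 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=46.8 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=47.9 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=49.0 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=51.6 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=3 ttl=45 time=39.6 ms
"""

# Transcript from the www.yahoo.com test in the thread: one reply per request.
YAHOO_PING = """\
PING www.yahoo.akadns.net: 56 data bytes
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=0. time=75. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=1. time=73. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=2. time=87. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=3. time=102. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=4. time=76. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=5. time=67. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=6. time=68. ms
64 bytes from w5.dcx.yahoo.com (64.58.76.226): icmp_seq=7. time=62. ms
----www.yahoo.akadns.net PING Statistics----
8 packets transmitted, 8 packets received, 0% packet loss
round-trip (ms) min/avg/max = 62/76/102
"""

if __name__ == "__main__":
    for name, text in (("www.microsoft.com", MICROSOFT_PING), ("www.yahoo.com", YAHOO_PING)):
        s = summarize(text)
        print(f"{name}: {s['requests']} requests, {s['replies']} replies, "
              f"worst case {s['factor']} replies per request")
```

Run against the first transcript it reports 3 requests, 21 replies and a worst case of 10 replies per request, matching the ten front-end servers Tony guessed at; the Yahoo transcript reports a factor of 1. The same per-sequence grouping is a cheap check to run against your own load-balanced addresses after a configuration change, since a fan-out of ICMP to every backend is exactly the condition that turns a public address into an amplifier.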

Or totally horques it up entirely if the actual data path used has a
different PMTU. No way this will work if 9 paths are clean and one
requires a frag. :wink:

I won't discuss what to do if you get back 10 FRAG NEEDED packets, with
differing frag sizes :wink:

/Valdis

(I wonder if all Akamai setups are so affected.)

No, they are not.