MicroSoft amplification?

• Previous message (by thread): MicroSoft amplification?
• Next message (by thread): MicroSoft amplification?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I see it too, on that address and on the second of the 3 addresses mapped 
to www.microsoft.com (the third address doesn't respond at all).

Most likely this is due to a not very smart load distribution system.  I 
suspect each of these addresses really front-ends about 10 web servers. 
The load distributor doesn't know what to do with ICMP packets so it sends 
them to all of the servers (and they all respond, in the case of ICMP 
echo).  This probably makes PMTUD work a lot better, but it sucks for ICMP 
Echo.

(I wonder if all Akamai setups are so affected.)

Tony Rall

So with all the noise about Code Red, and in the process of trying to
recover from various attacks, I happened to try to ping
www.microsoft.com.  It's probably par for the course that this happens:

Wed Aug  1 14:05:29 bross at ogre:~ $ ping www.microsoft.com
PING www.microsoft.akadns.net (207.46.197.100): 56 data bytes
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=37.5 ms
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=41.2 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=42.8 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=43.9 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=45.0 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=46.1 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=47.3 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=48.4 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=49.5 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=57.6 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=39.8 ms
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=41.4 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=42.7 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=43.3 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=44.4 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=45.5 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=46.8 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=47.9 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=49.0 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=51.6 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=3 ttl=45 time=39.6 ms

I find it interesting and almost amusing that MicroSoft's own web server
can be used for amplification attacks.

-- 
Brandon Ross                                                 404-522-5400
EVP Engineering, NetRail                           http://www.netrail.net
AIM:  BrandonNR                                             ICQ:  2269442
Read RFC 2644! 

• Previous message (by thread): MicroSoft amplification?
• Next message (by thread): MicroSoft amplification?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]