MicroSoft amplification?
Tony Rall
trall at almaden.ibm.com
Wed Aug 1 23:26:55 UTC 2001
I see it too, on that address and on the second of the 3 addresses mapped
to www.microsoft.com (the third address doesn't respond at all).
Most likely this is due to a not very smart load distribution system. I
suspect each of these addresses really front-ends about 10 web servers.
The load distributor doesn't know what to do with ICMP packets so it sends
them to all of the servers (and they all respond, in the case of ICMP
echo). This probably makes PMTUD work a lot better, but it sucks for ICMP
Echo.
(I wonder if all Akamai setups are so affected.)
Tony Rall
So with all the noise about Code Red, and in the process of trying to
recover from various attacks, I happened to try to ping
www.microsoft.com. It's probably par for the course that this happens:
Wed Aug 1 14:05:29 bross at ogre:~ $ ping www.microsoft.com
PING www.microsoft.akadns.net (207.46.197.100): 56 data bytes
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=37.5 ms
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=41.2 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=42.8 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=43.9 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=45.0 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=46.1 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=47.3 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=48.4 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=49.5 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=57.6 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=39.8 ms
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=41.4 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=42.7 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=43.3 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=44.4 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=45.5 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=46.8 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=47.9 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=49.0 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=51.6 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=3 ttl=45 time=39.6 ms
I find it interesting and almost amusing that MicroSoft's own web server
can be used for amplification attacks.
--
Brandon Ross 404-522-5400
EVP Engineering, NetRail http://www.netrail.net
AIM: BrandonNR ICQ: 2269442
Read RFC 2644!
More information about the NANOG
mailing list