Fwd: Re: Digital Island sponsors DoS attempt?

Valdis.Kletnieks at vt.edu
Fri Oct 26 04:34:57 UTC 2001


On Thu, 25 Oct 2001 17:37:16 PDT, "Christopher J. Wolff" <chris at bblabs.com>  said:
> Unfortunately, in this case I am not a customer of Digital Island in any
> way, nor have I given them authorization to hammer my network 441 times (and
> counting) in the last two hours.

If you're worried about the authorization for the 441 PING packets, you
might worry about the authorization for the *CONTENT* they intended to
send you as well.  I'm willing to bet that there were a *lot* more than
441 packets of content - and most likely, some user in your network
asked for that content by visiting their web server.  Remember - they'd
not be doing all this probing unless they were expecting to send you enough
data to amortize all the probing delays...

What's next?  Complaining about your DNS being hammered by some site because
one of your users gets on their mailing list, and they need to look up the
MX and A records for your mail server to send the mail?

OK, so I'm just a bit touchy because I have a host that *used* to be an
NTP server, ceased being one a year ago, and is still seeing an average
of 150-200 packets *a second* pounding on it. Unlike 200 packets an hour,
a flux of 200 packets a second is a significant percentage of said
host's 10BaseT(*). What's even more astounding - during a 10 minute span
a while ago, we saw hosts from 5 different sites try to contact the IP
address that NTP server used to have.  Over 7 years ago.

And of course we have a canned e-mail response for the IWF incidents
(idiot with firewall), for the cases when we're accused of portscanning
his machine from our NTP server's port 123. 

Welcome to the Internet.  

				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech

(*) This actually ended up a fairly expensive proposition - the NTP
traffic was sufficient to force a migration from nonswitched to switched
hubs for that subnet some 18 months before it would otherwise have
been necessary.


