Fwd: Re: Digital Island sponsors DoS attempt

James Thomason james at divide.org
Fri Oct 26 17:11:37 UTC 2001




On Fri, 26 Oct 2001, Wojtek Zlobicki wrote:

> Sure is, they have not authorized you to send such traffic.  I've been
> downloading data from your web page, there is no reason for you to send ICMP
> traffic my way (one ICMP packet is one end of the extreme).
> 
> 
> > 3a) I ping every host in their netblock once, is that wrong?
> 
> You bet!  I've given you no right to do so!
> 

Think of it as freedom of speech.  I can say whatever I like, and you have
the option of listening.  

ICMP is a standard protocol I can use to solicit packet responses from
hosts on the Internet. Until that changes, people will be sending you ICMP
packets, and lots of them.  

> I will ACL you and possibly complain to your upstream for abuse.

Have mercy. 

> I don't need to tell anyone that they may not enter my home and park their
> arse on my sofa.  They also cannot start walking through my house and opening
> doors to see which rooms are occupied.  I'd love to see someone take
> portscanning and probing and use trespass or break and enter laws to
> prosecute.

An analogy - how clever.  But wait, your home is private property, and 
your network is a public-access system.  I can park my car in front of
your house, and my dog can crap by your mailbox. 

> Why not!  I have not authorized you to probe my network!  Does your
> proposal scale?  What if I want to ping every host on the @Home network 100
> times in a day (oops, that's 350 million ICMP packets that enter your
> network, is it a problem NOW?).

Nothing to my knowledge is preventing you from sending ICMP echo requests
to every host on the @Home network 100 times a day.  There would be little
they could do about it, other than politely ask you to stop, or filter
you. 

> Where is the line drawn between a SMURF and a legitimate probe?  Who gets
> to draw the line, the sender?  I think not!

A smurf is an intentional denial of service, an ICMP echo request is not.  

> 
> I know of no standard that incorporates ICMP probes with HTTP transfers.  If
> I ask for HTTP data, that's all that I expect, nothing less, nothing more.  I
> am not opposed to such a standard, but am opposed to people trying such
> schemes without my knowledge or permission.

Yes they can. It's a Free Internet (tm). 

> I've got much better things to do than enter millions of  hosts into an ACL.
> If one had to block all this traffic, routers would need hundreds of CPUs
> and Terabytes of memory (going through an ACL that is thousands of lines
> long takes a lot of power).

You might consider upgrading your IOS, it looks like you are going to
need it.

