Security Incidents mailing list archives
Load Balancing Protocol (was Re: your mail)
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Fri, 27 Oct 2000 23:42:46 +0100
Nick Phillips wrote:
> On Thu, Oct 26, 2000 at 08:39:12AM -0600, Mike Lewinski wrote:
> > Heh, this thing wants to portscan us, plus check that the webserver it's sending the client to is actually up. Probably DNS resolution takes so long that the "client" is sitting there repeatedly hitting the refresh button and bitching at their ISP (whose servers are being packet flooded by load balancers at the moment....)
>
> I don't know that this is the place to discuss this, but...
>
> There seem to be so many of these idiots out there making so many assumptions, would it not be a Good Thing to sit down and thrash out a standard which would enable all the loadbalancers to get what they need (and no more) from clients without triggering alarm bells.
>
> If someone (?) could come up with a protocol which would enable them to send a packet to the client which would elicit a useful response from any client (compliant or not - I guess your average home user wouldn't need to run the service, whereas a firewall/proxy/whatever might get better value if they did), then maybe we could all stop wasting our time on them, and they'd get more useful data back. And everyone would have less rubbish floating around the net.

Such a thing already exists: the ICMP ping packet. Any protocol to allow you to bounce a packet off of a client is just a re-invention of ping.

The problem is that "a protocol which would enable [someone] to send a packet to [a] client which would elicit a useful response from any client" is basically building in the capability for someone to do a scan of your network to identify the number of hosts, where they live, and the topology of the network. This is why people block incoming echo requests (pings) now.

People will always seek to break any "load balancing" protocol because the information the load balancers want may be considered sensitive. If someone devises a protocol that _does_ always work, it will be broken very quickly as someone just as clever would quickly come up with a fix.

Any feature (supporting load balancers) that cannot be turned off is a bug.

--
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.
(408) 933-4387
FAX: (408) 933-4926