Security Incidents mailing list archives

Re: FW: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)


From: Alif The Terrible <measl () mfn org>
Date: Thu, 6 Feb 2003 16:54:32 -0600 (CST)


Good Morning,

        As much as I hate killing a cool conspiracy theory (being chock full
of such theories myself), I'm afraid that this one just needs killing...

        (1) This traffic has been seen worldwide, on every major carrier;

        (2) While the aggregate volume for this traffic is estimated by some
at several gbps, even the hardest hit circuits are only seeing a handful of
these per minute - hardly enough to register, let alone spike the price;

        (3) While burstable pipes do still exist here and there (mostly for
low-end DS3's), the vast bulk of the world's high speed (T1 and
up) connections are pay-by-pipe, and not pay-by-traffic.  Under this model,
the NSPs would bear the brunt of the costs associated with this traffic, and
not the smaller ISPs.

        (4) Every major NSP I am personally familiar with (and I work with
all of them on a day to day basis) is expending at least some energy trying to
figure out what these packets are.  Assuming only a minimal response, say, an
hour a day of engineering time, any "benefits" these NSPs would realize
through this type of "traffic padding" would be quickly extinguished.

        In short, conspiracy theories should be put forward only when the
theory explains something that is otherwise unexplainable, AND, when the
theory is not so obviously flawed as to make its proponents seek the nearest
wash rag to scrape off the eggs hanging from their eyebrows...

--
Yours,
J.A. Terranson
sysadmin () mfn org



-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Monday, February 03, 2003 1:05 PM
To: Joel Tyson
Cc: Incidents Mailing List
Subject: Re: Packets from 255.255.255.255(80) (was: Packet from port 80
with spoofed microsoft.com ip) 


On Mon, 03 Feb 2003 10:40:02 EST, Joel Tyson <jtyson () pa eplus com>  said:

> The best way to handle these types of packets would be to route them to a
> null0 interface.  This way the packets will be dropped without icmp
> response.
> Typically all ISPs should have these ACLs configured on their border
> routers;
> but they don't.

There's not much financial incentive for many ISPs to filter - when you're
billing based on traffic volume, you don't really want all those probes to
go away.  So what if 20% of the traffic is probes?  That's 20% more income
for the provider, and many providers are in a financial crunch - that 20%
may be all that's keeping them afloat.  As long as they don't get burned by
an SQL worm that takes out their infrastructure too, why should they filter?

/Valdis (who is having a more-cynical-than-usual day)




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com