Firewall Wizards mailing list archives
Re: Tcp port 7 spam from Doubleclick
From: "C. Harald Koch" <chk () pobox com>
Date: Thu, 21 Oct 1999 10:44:58 -0400
In message <380E13E0.E4166BFF () syracusesupply com>, Eric Toll writes:
Let me know if you like this idea, or if you think I'm insane on this.

There's a lot more of these coming; see attached for another example.

--
C. Harald Koch <chk () pobox com>
"It takes a child to raze a village." -Michael T. Fry

--- Begin Message ---
From: David Ambrose <stargazer1 () home com>
Date: Tue, 19 Oct 1999 20:49:06 -0700
Got this from a friend. How obnoxious can you get?

Tom Perrine wrote:

Folks,

About a month ago we started getting reports of ISDN lines staying up for 7x24. And my own ISDN line started doing the same thing. I tried rebooting the pipeline router, disconnected from the home net, and the line would come back up immediately.

The home router (not any of the hosts behind it) was being ping'ed, on average about every 2-3 minutes, from anywhere between 2 and 4 hosts out on the Internet.

All the signs pointed to an attempt to mount a "cost them some money" attack on us. The source IP addresses would change, the DNS PTR records were missing or pointed to names similar to those used in dial-up pools, the source machines were locked-down in some ways, wide open in others (typical script kiddie box).

I finally started calling the source ISPs, with an offer to help them find the intruders. The response was scary: "It's supposed to do that, it's a product."

This company, Akamai Technologies, is trying to calculate optimal and efficient paths for "guaranteed and optimal delivery of Internet content". To do this, they pick thousands of IP addresses at random, and then ping them every few minutes. Forever. Once they find you, they never stop until you complain.

I pointed out that random pinging could cost other people money, and they said they had had complaints but they always promptly removed addresses from their lists. Sounds just like the excuses the SPAMers use, to me.

For now there are just a few nets where these things live, but I think that the boxes will soon be sold to anyone who wants to deliver "content".

While I agree that this is possibly useful research-like stuff, their cavalier attitude about "target selection" and being responsible for the losses they cause has put them on my "target selection list."

If they want to measure RTTs across the net they can either deploy their own d*mn boxes, or at least get permission from the target, or take some due diligence steps to make sure they aren't crossing any "pay for play" network links.

They cost us some money in ISDN bills, and labor hours to track them down. They "don't have a position" on whether or not they will pay for financial losses they cause. They'll be getting a bill anyway.

The local FBI office and the local DA are both convinced that there is a good case for any number of violations of CA state and/or Fed law, if losses are incurred through the negligence of Akamai. All we have to do is decide to press charges. I'm going to see what their response to the billing is. We'll take it from there.

Here are some of the IP addresses that you may see this ping traffic from:

206.132.160.42
209.67.231.*
216.32.65.143

Some of the addresses have PTRs, and some don't. Some are in akamaitechnologies.com and some are in globalcenter.com.

Some folks may want to block traffic from their nets at border routers. We *had* left ping open on our ISDN routers because there was some small value in it, but we'll be closing that soon.

*sigh*

--tep
--- End Message ---