Security Incidents mailing list archives

Load Balancing Protocol (was Re: your mail)


From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Fri, 27 Oct 2000 23:42:46 +0100

Nick Phillips wrote:

On Thu, Oct 26, 2000 at 08:39:12AM -0600, Mike Lewinski wrote:

Heh, this thing wants to portscan us, plus check that the webserver it's
sending the client to is actually up. Probably DNS resolution takes so long
that the "client" is sitting there repeatedly hitting the refresh button and
bitching at their ISP (whose servers are being packet flooded by load
balancers at the moment....)

I don't know that this is the place to discuss this, but...

There seem to be so many of these idiots out there making so many assumptions;
would it not be a Good Thing to sit down and thrash out a standard which would
enable all the load balancers to get what they need (and no more) from
clients without triggering alarm bells?

If someone (?) could come up with a protocol which would enable them to send
a packet to the client which would elicit a useful response from any client
(compliant or not - I guess your average home user wouldn't need to run the
service, whereas a firewall/proxy/whatever might get better value if they did),
then maybe we could all stop wasting our time on them, and they'd get more
useful data back. And everyone would have less rubbish floating around the
net.

Such a thing already exists: the ICMP ping packet. Any protocol to allow
you to bounce a packet off of a client is just a re-invention of ping.

The problem is that "a protocol which would enable [someone] to send a
packet to [a] client which would elicit a useful response from any client"
is basically building in the capability for someone to do a scan of
your network to identify the number of hosts, where they live, and the
topology of the network. This is why people block incoming echo requests
(pings) now.

People will always seek to break any "load balancing" protocol because
the information the load balancers want may be considered sensitive.
If someone devises a protocol that _does_ always work, it will be broken
very quickly as someone just as clever would quickly come up with a fix.
Any feature (supporting load balancers) that cannot be turned off is a
bug.
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926