[43824] in North American Network Operators' Group
Re: Fwd: Re: Digital Island sponsors DoS attempt
daemon@ATHENA.MIT.EDU (James Thomason)
Fri Oct 26 13:29:48 2001
Date: Fri, 26 Oct 2001 10:11:37 -0700 (PDT)
From: James Thomason <james@divide.org>
To: Wojtek Zlobicki <wojtekz@idirect.com>
Cc: nanog@merit.edu
In-Reply-To: <00cf01c15e3d$8f857a30$020a0a0a@ender>
Message-ID: <Pine.GSO.4.21.0110260956100.2242-100000@www1>

On Fri, 26 Oct 2001, Wojtek Zlobicki wrote:
> Sure is, they have not authorized you to send such traffic. I've been
> downloading data from your web page, there is no reason for you to send ICMP
> traffic my way (one ICMP packet is one end of the extreme).
>
>
> > 3a) I ping every host in their netblock once, is that wrong?
>
> You bet! I've given you no right to do so!
>
Think of it as freedom of speech. I can say whatever I like, and you have
the option of listening.
ICMP is a standard protocol I can use to solicit packet responses from
hosts on the Internet. Until that changes, people will be sending you ICMP
packets, and lots of them.
> I will ACL you and possibly complain to your upstream for abuse.
Have mercy.
> I don't need to tell anyone that they may not enter my home and park their
> arse on my sofa. They also cannot start walking through my house and opening
> doors to see which rooms are occupied. I'd love to see someone take
> portscanning and probing and use trespass or break and enter laws to
> prosecute.
An analogy - how clever. But wait, your home is private property, and
your network is a public-access system. I can park my car in front of
your house, and my dog can crap by your mailbox.
> Why not! I have not authorized you to probe my network! Does your
> proposal scale? What if I want to ping every host on the @Home network 100
> times in a day (oops, that's 350 million ICMP packets that enter your
> network, is it a problem NOW?).
Nothing to my knowledge is preventing you from sending ICMP echo requests
to every host on the @Home network 100 times a day. There would be little
they could do about it, other than politely ask you to stop, or filter
you.
> Where is the line drawn between a SMURF and a legitimate probe? Who gets
> to draw the line, the sender, I think not!
A smurf is an intentional denial of service, an ICMP echo request is not.
>
> I know of no standard that incorporates ICMP probes with HTTP transfers. If
> I ask for HTTP data, that's all that I expect, nothing less, nothing more. I
> am not opposed to such a standard, but am opposed to people trying such
> schemes without my knowledge or permission.
Yes they can. It's a Free Internet (tm).
> I've got much better things to do than enter millions of hosts into an ACL.
> If one had to block all this traffic, routers would need hundreds of CPUs
> and Terabytes of memory (going through an ACL that is thousands of lines
> long takes a lot of power).
You might consider upgrading your IOS, it looks like you are going to
need it.