North American Network Operators Group


Re: Alternative to BGP-4 for multihoming?

  • From: Daniel Senie
  • Date: Sun Mar 12 18:11:33 2000

Dana Hudes wrote:
> Products like the Nortel Accelar 700 do layer 7 redirect.

You should read that datasheet more closely. When handling multiple
sites, this product does something questionable, just as the F5 and
other brands do. In the case of this Nortel product, it pings the
original user's DNS server:

From this data sheet:

"The Accelar 790 Server Switch can offer such services because it uses
standard DNS and OSPF protocols. Here's how it works: When the client
initially requests a URL, his or her browser sends a resolution request
to the local DNS server - the typical scenario. But with the Accelar
790, the DNS tree does not contain the physical IP address of the URL
server. Instead, the DNS tree is populated with the IP address of a
master Accelar 790 Server Switch. This Accelar IP address bears a flag
to indicate that it is the DNS server that can resolve the URL IP
address. The client's local DNS server will then submit the DNS request
to the master Accelar 790. The master will forward the client IP address
and requested URL to all other Accelar 790 Server Switches that are
providing points of presence for the requested URL. Each Accelar 790
will ping the client's DNS server and return the router hop count and
latency as well as their local server load for the URL. The master 790
will choose the best response time and forward that IP address to the
client's DNS server. The client's browser will cache that IP address and
use it for the remainder of the session."

So, provided you permit ICMP traffic to your DNS servers, and provided
that traffic is routed through various providers' networks along the
same paths as the DNS and web traffic, this approach might work. What is also inherent
in this product is a packet amplification. Every time a DNS request
comes to one of these boxes, a set of ping packets is fired at the
source IP address of the DNS request, not to mention the site-to-site
traffic generated. This can be accomplished using a single UDP packet.
If such a packet is spoofed...

Looks to me like this product is capable of resulting in a denial of
service against the site running the boxes, and being used to cause a
DoS against other sites.

> ----- Original Message -----
> From: "Peter A. van Oene" <[email protected]>
> To: <[email protected]>
> Sent: Sunday, March 12, 2000 4:44 PM
> Subject: Re: Alternative to BGP-4 for multihoming?
> >
> > This is great feedback / moderate flaming.  However, consider the
> > following.
> >
> > I have only moderate experience with the F5 3DNS & similar products; however,
> > I am familiar with BGP routing.  My client base are high traffic e-commerce
> > style (for lack of a better overused marketing term) web sites.  They sit
> > on /28's and smaller in some cases.  I'm certainly not going to be
> > successful in acquiring ASN's for these people to do proper load balancing
> > between multiple ISP's and most major ISP's see little benefit in modifying
> > route tables to include our small netblock.  It's these cases I'm concerned
> > with.  In my mind, irrespective of the comments on the functionality of DNS
> > for this purpose, I see little other choice.
> >
> > As a direct FYI, the 3DNS can make fairly intelligent decisions about where
> > to direct traffic beyond simply gauging TCP/53 handshake times.  There is
> > quite a detailed, informative interaction that can take place between the
> > 3DNS and F5's local load distributor, the BIG-IP.
> >
> > That being said, if anyone has better ideas on how to provide for high
> > availability to millions of web sites worldwide, please let me know.
> >
> > Pete
> >
> >
> > *********** REPLY SEPARATOR  ***********
> >
> > On 3/12/00 at 1:32 PM Chris Brenton wrote:
> >
> > >"Peter A. van Oene" wrote:
> > >>
> > >> Essentially, the 3DNS box assumes the DNS entry for the site for which
> > the
> > >> customer requires multihoming and it intelligently balances traffic
> > amongst
> > >> any geographically disparate sites.  This allows for high availability.
> > >
> > >If I'm not mistaken, it accomplishes this in a somewhat obtrusive
> > >manner. The box attempts an xfer back to TCP/53 on the querying DNS
> > >server. Based on response time, a proper route is chosen. I've seen a
> > >lot of posts to Intrusion & GIAC from people who assumed someone was
> > >trying enumeration in preparation for an attack, only to find out it was
> > >one of these boxes.
> > >
> > >I also seem to remember a post on GIAC showing Snort traces of one of
> > >these boxes actually performing a full xfer if the box was not locked
> > >down. Do you use one of these boxes? If so, any idea what happens to the
> > >xfer data?
> > >
> > >Ignoring the argument as to whether it's appropriate to attempt xfers on
> > >unsuspecting networks, I also see this as being pretty inefficient. A
> > >good quantity of sites are now running split DNS so the querying server
> > >is not even reachable. This means a fair percentage of the time the load
> > >balance attempt will outright fail.
> > >
> > >Don't see this replacing BGP anytime soon. ;)
> > >
> > >Chris
> > >--
> > >**************************************
> > >[email protected]
> > >
> > >* Multiprotocol Network Design & Troubleshooting
> > >
> > >* Mastering Network Security
> > >
> >
> >
> > -------
> > Peter Van Oene
> > Senior Systems Engineer

Daniel Senie                                        [email protected]
Amaranth Networks Inc.
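The correlation a resolver operator would want when boxes like these start pinging, as an added example (not from this thread, Nortel or F5): each inbound ICMP echo request is tagged as solicited when our resolver actually sent a DNS query shortly before, and bursts of unsolicited echoes from several hosts are flagged, which is what the spoofed-source case described above looks like at the receiving end. The log lines, addresses, window sizes and thresholds are constructed.

```python
from bisect import bisect_left

# Constructed resolver-side firewall log: (seconds, direction, proto, src, dst).
RESOLVER = "192.0.2.53"
LOG = [
    (100.0, "out", "udp/53",    RESOLVER, "198.51.100.10"),  # resolver queries the master switch
    (100.4, "in",  "icmp/echo", "198.51.100.10", RESOLVER),  # master probes us
    (100.5, "in",  "icmp/echo", "198.51.100.20", RESOLVER),  # second site probes us
    (100.6, "in",  "icmp/echo", "198.51.100.30", RESOLVER),  # third site probes us
    (300.2, "in",  "icmp/echo", "203.0.113.10", RESOLVER),   # burst with no query behind it
    (300.2, "in",  "icmp/echo", "203.0.113.20", RESOLVER),
    (300.3, "in",  "icmp/echo", "203.0.113.30", RESOLVER),
    (300.3, "in",  "icmp/echo", "203.0.113.40", RESOLVER),
]


def classify_echoes(log, window=2.0):
    """Tag each inbound echo request 'solicited' if this resolver sent a DNS
    query within the preceding `window` seconds, else 'unsolicited'.
    Correlation is by time only: the probing sites are not the server the
    resolver queried, so matching on addresses would miss them."""
    query_times = sorted(t for t, d, p, s, _ in log
                         if d == "out" and p == "udp/53" and s == RESOLVER)
    tagged = []
    for t, d, p, src, dst in log:
        if d != "in" or p != "icmp/echo" or dst != RESOLVER:
            continue
        i = bisect_left(query_times, t - window)      # first query not older than the window
        solicited = i < len(query_times) and query_times[i] <= t
        tagged.append((t, src, "solicited" if solicited else "unsolicited"))
    return tagged


def reflection_bursts(echoes, burst_window=1.0, min_sources=3):
    """Group unsolicited echoes into bursts; a burst from >= min_sources
    distinct hosts is the signature of a query sent with our address forged."""
    bursts, cur = [], []
    for t, src, _ in sorted(e for e in echoes if e[2] == "unsolicited"):
        if cur and t - cur[0][0] > burst_window:
            bursts.append(cur)
            cur = []
        cur.append((t, src))
    if cur:
        bursts.append(cur)
    return [(b[0][0], sorted({s for _, s in b}))
            for b in bursts if len({s for _, s in b}) >= min_sources]


if __name__ == "__main__":
    for t, hosts in reflection_bursts(classify_echoes(LOG)):
        print(f"t={t}: unsolicited echo burst from {len(hosts)} hosts: {hosts}")
```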