North American Network Operators Group

Re: MicroSoft amplification?

  • From: Tony Rall
  • Date: Wed Aug 01 19:29:36 2001

I see it too, on that address and on the second of the 3 addresses mapped 
to www.microsoft.com (the third address doesn't respond at all).

Most likely this is due to a not very smart load distribution system.  I 
suspect each of these addresses really front-ends about 10 web servers. 
The load distributor doesn't know what to do with ICMP packets so it sends 
them to all of the servers (and they all respond, in the case of ICMP 
echo).  This probably makes PMTUD work a lot better, but it sucks for ICMP 
Echo.

(I wonder if all Akamai setups are so affected.)

Tony Rall

So with all the noise about Code Red, and in the process of trying to
recover from various attacks, I happened to try to ping
www.microsoft.com.  It's probably par for the course that this happens:

Wed Aug  1 14:05:29 [email protected]:~ $ ping www.microsoft.com
PING www.microsoft.akadns.net (207.46.197.100): 56 data bytes
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=37.5 ms
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=41.2 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=42.8 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=43.9 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=45.0 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=46.1 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=47.3 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=48.4 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=49.5 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=1 ttl=45 time=57.6 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=39.8 ms
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=41.4 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=42.7 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=43.3 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=44.4 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=45.5 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=46.8 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=47.9 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=49.0 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=2 ttl=45 time=51.6 ms (DUP!)
64 bytes from 207.46.197.100: icmp_seq=3 ttl=45 time=39.6 ms

I find it interesting and almost amusing that MicroSoft's own web server
can be used for amplification attacks.

-- 
Brandon Ross                                                 404-522-5400
EVP Engineering, NetRail                           http://www.netrail.net
AIM:  BrandonNR                                             ICQ:  2269442
Read RFC 2644!
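
Added example, not part of either post: a Python check an operator could run over saved ping output from their own load-balanced address, counting echo replies per request the way the DUP! lines above show them. The sample output, the host name and the 192.0.2.10 address are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the same format as the ping output quoted above
# (192.0.2.10 is a documentation address, not one taken from the thread).
SAMPLE = """\
PING vip.example.net (192.0.2.10): 56 data bytes
64 bytes from 192.0.2.10: icmp_seq=1 ttl=45 time=37.5 ms
64 bytes from 192.0.2.10: icmp_seq=1 ttl=45 time=41.2 ms (DUP!)
64 bytes from 192.0.2.10: icmp_seq=1 ttl=45 time=42.8 ms (DUP!)
64 bytes from 192.0.2.10: icmp_seq=2 ttl=45 time=39.8 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=45 time=41.4 ms (DUP!)
64 bytes from 192.0.2.10: icmp_seq=2 ttl=45 time=42.7 ms (DUP!)
64 bytes from 192.0.2.10: icmp_seq=3 ttl=45 time=39.6 ms
"""

# One echo reply line; a trailing "(DUP!)" is allowed and simply ignored.
REPLY = re.compile(r"^\d+ bytes from (\S+?): icmp_seq=(\d+) ttl=\d+ time=[\d.]+ ms")


def replies_per_request(ping_output):
    """Count echo replies per (source, icmp_seq), first reply plus duplicates."""
    counts = Counter()
    for line in ping_output.splitlines():
        m = REPLY.match(line.strip())
        if m:
            counts[(m.group(1), int(m.group(2)))] += 1
    return counts


def amplification_report(ping_output):
    """Summarise, per source address, how many replies one request produced.

    The worst case (max) is the figure to act on: the last sequence number
    is often short because ping was interrupted before all replies arrived.
    """
    per_src = {}
    for (src, _seq), n in replies_per_request(ping_output).items():
        per_src.setdefault(src, []).append(n)
    return {
        src: {"requests": len(ns), "max": max(ns),
              "mean": sum(ns) / len(ns), "amplifies": max(ns) > 1}
        for src, ns in per_src.items()
    }


if __name__ == "__main__":
    for src, summary in amplification_report(SAMPLE).items():
        print(src, summary)
```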