On Wed, 2004-10-27 at 13:49, Frank Knobbe wrote:
> There are thousands of load-balancers (F5, Radware, etc) in use on the
> Internet. Those load-balancers do two things: 
> a) They contribute to the pollution of the Internet by sending multiple
> packets in different formats (TCP SYNs, ICMPs, UDP probes) to
> unsuspecting targets (I say unsuspecting because they just browse
> websites. They don't expect a handful of pings'n'probes being thrown at
> them just for looking at a website).

Agreed. I've seen load balancers doing everything from version.bind
requests to triggering nmap active OS signatures. In fact, a bit over a
year ago I did an advisory about spammers doing recursive queries in
order to steal name server resources, and within 2 months I was seeing
load balancers mirroring this traffic pattern. Sometimes it's nearly
impossible to tell the difference between a load balancer and a hostile
system (assuming there is in fact a difference ;-).

> If you think about all this "false traffic" floating around the net,
> falsifying statistics and possibly tripping preventive/reactive
> countermeasures inadvertently, you come to realize that this is a
> growing problem.

IMHO the problem is not with the detection, the problem rests squarely
on the load balancer companies who choose to emulate a known hostile
traffic pattern. Does anyone remember when Microsoft had to dump their
load balancing solution because they were zone transferring everyone
that visited their site? The easiest fix is for the load balancing
companies to simply "stop doing that". 

> I'd like to check and see what is being done to counter this
> falsification through garbage thrown out by load-balancers.

Best bet is client push back. If people refuse to use hardware that puts
them on black lists, the vendors will have to address the problem.

> If not, I'd like to propose the creation of a registry of
> load-balancers. Maybe similar to Team Cymru Bogon List, or perhaps like
> a spam list in DNS based format. This registry could be open to anyone
> (companies using load-balancers, IDS operators, Managed Security Service
> Providers, etc). Those folks can submit IP addresses of load-balancers.
> That database should be available for query to anyone so that IP's can
> be checked against the DB, and false hits can be quickly identified.

Humm, so how do you screen out entries from people who actually want to
perform hostile activity, so they simply register their attack system as
a load balancer to help fly under the radar?

> Likewise, other lists (like DShield) could use that data to intersect
> their database and clean-out all the known load-balancers from their
> listings so that load-balancers are not mistaken for "hostile
> attackers".

Don't take this the wrong way, but this kind of reads like "let's excuse
the load balancer companies for generating hostile traffic patterns and
make this everyone else's problem to deal with". 

As I said, easiest fix is "don't do that".


