[Dshield] Opinions on traffic volume
ryan at csse.uwa.edu.au
Tue Oct 30 06:37:04 GMT 2007
Hi Everyone, I'm just curious for some opinions on this. I'll give the history to set things in context.
Last week I was contacted by the University's network people asking me if I knew about the huge amount of ICMP traffic going to one of our boxes. I knew nothing and started hunting it down.
My first thought was that the box itself was broadcasting out, but looking at the traffic showed them all as incoming packets. I did think of a possible DDoS, but it was pretty lazy if it was. Then I started looking at the machines that were coming in and discovered they were all part of a distributed network research project.
Once I found out about that, I started to think some of the researchers or academics here were doing some project they didn't mention to us (it happens all the time), but no one here had heard of this project group. By this stage the central university network people had put in a block on the incoming router. We thought that might have people complaining, but nope, still quiet.
Anyway, I discovered a little more about the distributed network research project and found they had a support contact. So I sent them an email asking them what was going on. Their support was great; I provided a log, and they tracked it down to a specific group who sent me a reply over the weekend.
Apparently they're running a project dealing with routing on the internet. They sent back an email saying the most common problems were "idiot with firewall" related, they were following best practices and it was nothing out of the ordinary.
Admittedly, we didn't notice them hitting the added machine: there was no noticeable change in load or network traffic, and the machine is a DNS server and doesn't do much else. However, we were getting over 14000 hits from their network a day. 4-6 hits/second, sustained and continuous. As unsolicited traffic, I would have to say this is a little rude. If they had asked us about being an endpoint, then I'm sure we could have come up with something.
So I'm curious: do other people agree with us being concerned and us asking them to stop it, or would you have continued to let them do what they were?
Ryan McConigley - Systems Administrator
Computer Science University of Western Australia
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
Ryan[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ryan
"You're just jealous because the voices are talking to me"