[Dshield] Opinions on traffic volume
stasinia at msoe.edu
Tue Oct 30 12:38:28 GMT 2007
For all practical purposes, researchers can do these types of tests with
minimal consequence. But there is a big difference between what one "can
do" and what one "should do". From what you describe, it looks like they
targeted your server specifically. For that reason, they "should" have
asked for your permission first. Again, not because they are compelled to
by some rules/laws/etc, but simply because it is the "right thing to do".
Going forward, I would first recommend you get some more information on the
exact nature of the research. If it sounds reasonable and won't put too
much strain on your network/servers, go ahead and allow it. Otherwise, tell
them to exclude your network from their project. If they resist, you should
be able to get the contact info of Dean/Director/VP/etc and complain to
them. Again, law enforcement won't be of much help in this scenario, but
you can bet there is at least one sensible person in the management
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Ryan McConigley
Sent: Tuesday, October 30, 2007 1:37 AM
To: list at lists.dshield.org
Subject: [Dshield] Opinions on traffic volume
Hi Everyone, I'm just curious for some opinions on this. I'll give
the history to set things in context.
Last week I was contacted by the University's network people asking
me if I knew about the huge amount of ICMP traffic going to one of our
boxes. I knew nothing and started hunting it down.
First thought was the box itself was broadcasting out, but looking
at the traffic showed them all as incoming packets. I did think of a
possible DDOS, but it was pretty lazy if it was. Then I started looking at
the machines that were coming in and discovered they were all part of a
distributed network research project.
Once I found out about that, I started to think some of the
researchers or academics here were doing some project they didn't mention to
us (it happens all the time), but no one here had heard of this project
group. By this stage the central university network people had put in a
block on the incoming router. We thought that might have people
complaining, but nope, still quiet.
Anyway, I discovered a little more about the distributed network
research project and found they had a support contact. So I sent them an
email asking them what was going on. Their support was great, I provided
a log, they tracked it down to a specific group who sent me a reply over the
Apparently they're running a project dealing with routing on the
internet. They sent back an email saying the most common problems were
"idiot with firewall" related, they were following best practices and it was
nothing out of the ordinary.
Admittedly, we didn't notice them hitting the added machine, no
noticeable change in load or network traffic, the machine is a DNS server and
doesn't do much else. However, we were getting over 14000 hits from their
network a day. 4-6 hits/second, sustained and continuous. As unsolicited
traffic, I would have to say this is a little rude. If they had asked us
about being an endpoint, then I'm sure we could have come up with something.
So I'm curious, do other people agree with us being concerned and us
asking them to stop it or would you have continued to let them do what they
Ryan McConigley - Systems Administrator
Computer Science, University of Western Australia
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
Ryan[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ryan
"You're just jealous because the voices are talking to me"
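Added example, not from either message in this thread: a small check that aggregates inbound ICMP by source /24 from firewall log lines and works out the sustained hit rate per network, the kind of measurement behind the "over 14000 hits a day, 4-6 hits/second" figure above. The iptables-style log format, the addresses (203.0.113.0/24 standing in for the research network) and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample lines in an iptables-LOG style (not real data from the post).
# 203.0.113.0/24 plays the role of the research network; 198.51.100.7 is a stray.
SAMPLE_LOG = """\
Oct 29 10:00:00 dns1 kernel: IN=eth0 SRC=203.0.113.10 DST=192.0.2.53 PROTO=ICMP TYPE=8
Oct 29 10:00:00 dns1 kernel: IN=eth0 SRC=203.0.113.11 DST=192.0.2.53 PROTO=ICMP TYPE=8
Oct 29 10:00:01 dns1 kernel: IN=eth0 SRC=203.0.113.12 DST=192.0.2.53 PROTO=ICMP TYPE=8
Oct 29 10:00:01 dns1 kernel: IN=eth0 SRC=203.0.113.10 DST=192.0.2.53 PROTO=ICMP TYPE=8
Oct 29 10:00:02 dns1 kernel: IN=eth0 SRC=203.0.113.13 DST=192.0.2.53 PROTO=ICMP TYPE=8
Oct 29 10:00:02 dns1 kernel: IN=eth0 SRC=203.0.113.11 DST=192.0.2.53 PROTO=ICMP TYPE=8
Oct 29 10:00:03 dns1 kernel: IN=eth0 SRC=203.0.113.12 DST=192.0.2.53 PROTO=ICMP TYPE=8
Oct 29 10:00:03 dns1 kernel: IN=eth0 SRC=203.0.113.14 DST=192.0.2.53 PROTO=ICMP TYPE=8
Oct 29 10:00:03 dns1 kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.53 PROTO=ICMP TYPE=8
Oct 29 10:00:04 dns1 kernel: IN=eth0 SRC=203.0.113.10 DST=192.0.2.53 PROTO=UDP SPT=4444 DPT=53
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?PROTO=(\w+)")

def summarize_icmp(log_text, prefix_len=24, year=2007):
    """Aggregate inbound ICMP by source network: hits, distinct hosts, time span, rate."""
    buckets = defaultdict(lambda: {"hits": 0, "hosts": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "ICMP":   # only ICMP is of interest here
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        net = str(ip_network(f"{m.group(2)}/{prefix_len}", strict=False))
        b = buckets[net]
        b["hits"] += 1
        b["hosts"].add(m.group(2))
        b["first"] = ts if b["first"] is None else min(b["first"], ts)
        b["last"] = ts if b["last"] is None else max(b["last"], ts)
    for b in buckets.values():
        span = (b["last"] - b["first"]).total_seconds() + 1  # +1 for 1-second log resolution
        b["rate"] = b["hits"] / span                          # hits per second over the window
    return dict(buckets)

def flag_sustained(summary, min_hits=5, min_rate=1.0):
    """Networks worth a closer look: many hits from several hosts at a steady rate."""
    return sorted(net for net, b in summary.items()
                  if b["hits"] >= min_hits and b["rate"] >= min_rate and len(b["hosts"]) > 1)
```

Run over a day of logs, `summarize_icmp` gives the per-network totals and rate that decide whether a block is worth the trouble, and `flag_sustained` separates a steady, multi-host source from a one-off ping.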