[Snort-users] FW: ICMP from Speedera

L. Christopher Luther CLuther at ...6333...
Mon Jul 22 09:48:09 EDT 2002


All: An FAQ from Speedera describing their services. - Christopher

-----Original Message-----
From: support (NOC) [mailto:support at ...6406...]
Sent: Friday, July 19, 2002 3:21 PM
To: 'L. Christopher Luther '
Cc: security_abuse
Subject: RE: ICMP from Speedera
Sensitivity: Confidential


Ping Packet FAQ 

For administrators seeing ICMP ping packets, UDP packets to high ports or
UDP packets to port 53 


1. Why do I see packets hitting my client DNS server? 

Speedera maintains a map of the Internet and its health. When users hit a 
customer whose domain name is maintained by Speedera Networks, we return 
the server IP address(es) for that domain which is best and is closest, in
terms of latency, to the user making the request for the domain name. 

The process of choosing which server is best involves service probes that 
probe the different servers to determine their load, response time, 
availability, etc. The process of determining the distance from the server
locations to end users can involve latency probes to determine the latency
(round trip time) between a few locations on the Internet and the client DNS
location the user is making the request from. 

One method used to determine latency is to send a packet - such as an ICMP
ping packet - from one location on the Internet to the client DNS that did
the name lookup for the Speedera domain name. 

All Speedera domain names use the same Internet map and the number of 
latency requests sent to create the map is fairly minimal. They are sent in
response to DNS queries from the client DNS and they are sent at very 
infrequent intervals. Each hostname lookup from a client DNS does not 
require us to perform a latency check. Our Internet map is only refreshed 
once in a while to determine if the distance between the closest server is
still low. 

The latency test we perform is normally a small ICMP ping packet. If ICMP 
ping is blocked by a firewall in front of a client DNS server, we may try a
reply to the DNS server making the request to port 53. 

The client DNS server is making a request on port 53 and to test latency,
we respond with a packet to port 53 with a query that will cause the DNS 
server to simply reply to us without taking any time. If port 53 is also 
blocked, you may see a couple of UDP packets to high port numbers. This is 
used to determine the router closest to the client DNS server. That router
will be used as the latency point closest to the user. 
 

2. Are these DoS attacks? 

No, the number of requests sent is low and is capped. You will see a few of
them spread out over time if many users at your site hit many Speedera 
domain names. 


3. Is this a port scan? 

No, you will only see hits to the ports above (ICMP ping, UDP port 53, UDP
port > 32768) and then they will always be the same query and one which
requires no computation time by the client DNS server. 


4. Are these unsolicited? 

No, they are in response to some of the queries from your DNS server. We do
not do unsolicited probing; they are part of the response to the DNS query. 

 
5. Why don't I see these from other servers? 

You will see these from other companies that are running load balancers 
from Cisco, F5, etc. However, in those cases, you will see them from each 
customer that runs those load balancers. In Speedera's case, you will only
see one probe for all their customers. 

 
6. How do I make the packets go away? 
 
If you are seeing the packets and you find them annoying, there are two 
main things you can do. The best thing that could be done is to enable ICMP
ping on your client DNS server. If you do this, you will see other packets
go away and this will allow your users the best performance. If you don't
want even that, you can contact Speedera Networks and ask them to
"statically map" your client DNS. This will map you to a single site on the
Internet which may not be the closest but which will prevent latency
determinations to your site. 


Please note that the small number of pings that are done to determine 
latency from points on the Internet to your DNS servers are minuscule in 
relation to the number of packets sent to users to reply to their content 
request. A single typical HTTP GIF, for example, is approximately 12 large
packets. A request for a single streaming media file can require the
delivery of thousands of packets. 

So, the latency packets sent are trivial in relation to the content 
delivered from the Speedera Network to the users requesting content. 


SPEEDERA SUPPORT 
1-877-412-0600 
Speedera networks Inc. 

 


-----Original Message-----
From: L. Christopher Luther
To: 'support at ...6406...'
Sent: 7/19/02 11:57 AM
Subject: ICMP from Speedera
Sensitivity: Confidential

Hello,  

Within the last couple of days my IDS has been registering lots of ICMP
traffic, all identified as "ICMP PING speedera".  This type of ICMP
traffic repeats in cycles, and usually all comes from the same group of
servers.  Here is a snippet from my IDS logs:  

07/19/02-10:25:02.329385  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x
07/19/02-10:25:02.339568  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 206.65.183.55 -> 10.x.x.x
07/19/02-10:25:02.347032  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.114.157.130 -> 10.x.x.x
07/19/02-10:25:02.352278  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.15.251.198 -> 10.x.x.x
07/19/02-10:25:02.353595  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 208.185.54.14 -> 10.x.x.x
07/19/02-10:25:02.362706  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.253.104.235 -> 10.x.x.x
07/19/02-10:25:02.376253  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 63.238.125.34 -> 10.x.x.x
07/19/02-10:25:02.386243  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.0.96.12 -> 10.x.x.x
07/19/02-10:25:02.397752  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 212.62.17.145 -> 10.x.x.x
07/19/02-10:25:02.404776  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.176.88.5 -> 10.x.x.x
07/19/02-10:25:02.420922  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.119.25.162 -> 10.x.x.x
07/19/02-10:25:02.454157  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 213.61.6.2 -> 10.x.x.x

07/19/02-11:37:55.348729  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x
07/19/02-11:37:55.359533  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 206.65.183.55 -> 10.x.x.x
07/19/02-11:37:55.362571  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.114.157.130 -> 10.x.x.x
07/19/02-11:37:55.366961  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 208.185.54.14 -> 10.x.x.x
07/19/02-11:37:55.369756  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.15.251.198 -> 10.x.x.x
07/19/02-11:37:55.377139  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.253.104.235 -> 10.x.x.x
07/19/02-11:37:55.402405  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.0.96.12 -> 10.x.x.x
07/19/02-11:37:55.404888  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 212.62.17.145 -> 10.x.x.x
07/19/02-11:37:55.425166  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 204.176.88.5 -> 10.x.x.x
07/19/02-11:37:55.453302  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 65.119.25.162 -> 10.x.x.x
07/19/02-11:37:55.464767  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 213.61.6.2 -> 10.x.x.x

The hex match string from these ICMP packets is always the same:  "3839
3a3b 3c3d 3e3f" or "8 9 : ; < = > ?" (spaces added for readability).  

Some of the folks I've spoken with suggested that I contact you directly
to get an explanation of this traffic.  

Any help/assistance you can give would be most appreciated.  


Sincerely,  

L. Christopher Luther  
Technical Consultant  
Xybernaut Solutions, Inc.  
(703) 506-0400 x230  
cluther at ...6331...  
http://www.xybernautsolutions.com  

My PGP Public Key:  
http://keyserver.pgp.com/pks/lookup?op=get&search=0x21261B88 
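As an added triage example (my own code, not from the thread, Snort or Speedera), the Python below parses the Snort fast-alert lines quoted above, checks an ICMP payload for the hex string Christopher reports, and tests whether the alert timing fits the FAQ's description of capped, periodic probes: one ping per source per burst, with bursts minutes apart. The five-second burst window and the one-minute minimum spacing are my assumptions, not figures from the thread.

```python
import re
from datetime import datetime, timedelta
# Snort "fast" alert format as quoted in the thread (email line-wrapping undone).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)
SPEEDERA_PAYLOAD = bytes(range(0x38, 0x40))  # "3839 3a3b 3c3d 3e3f" as posted = b"89:;<=>?"
# Four lines taken from the log quoted in the thread (destination masked as posted).
SAMPLE_ALERTS = """\
07/19/02-10:25:02.329385  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x
07/19/02-10:25:02.339568  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 206.65.183.55 -> 10.x.x.x
07/19/02-11:37:55.348729  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 64.14.117.10 -> 10.x.x.x
07/19/02-11:37:55.359533  [**] [1:480:2] ICMP PING speedera [**] [Classification: Misc activity] [Priority: 3] {ICMP} 206.65.183.55 -> 10.x.x.x
"""

def parse_alerts(text):
    """Parse fast-alert lines into dicts; lines that do not match are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%y-%H:%M:%S.%f")
            rec["sid"] = int(rec["sid"])
            alerts.append(rec)
    return alerts

def payload_matches(icmp_data):
    """True if the 8-byte pattern occurs anywhere in the ICMP data (a Snort-style content match)."""
    return SPEEDERA_PAYLOAD in icmp_data

def bursts(alerts, sid=480, gap=timedelta(seconds=5)):
    """Group alerts for one sid into bursts; a new burst starts after `gap` of silence (assumed 5 s)."""
    hits = sorted((a for a in alerts if a["sid"] == sid), key=lambda a: a["ts"])
    groups = []
    for a in hits:
        if groups and a["ts"] - groups[-1][-1]["ts"] <= gap:
            groups[-1].append(a)
        else:
            groups.append([a])
    return groups

def looks_like_latency_probe(alerts, sid=480):
    """FAQ profile: each source appears once per burst and bursts are minutes apart (assumed >= 1 min)."""
    groups = bursts(alerts, sid)
    once_per_burst = all(len({a["src"] for a in g}) == len(g) for g in groups)
    spaced = all(b[0]["ts"] - a[0]["ts"] >= timedelta(minutes=1) for a, b in zip(groups, groups[1:]))
    return bool(groups) and once_per_burst and spaced
```

Alerts that fail the profile (the same source repeating inside one burst, or bursts arriving back to back) deserve a closer look than the FAQ's explanation covers.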
