[6bone] abuse notification (fwd)
John Fraizer
tvo@EnterZone.Net
Mon, 11 Nov 2002 17:55:30 -0500 (EST)
On Mon, 11 Nov 2002, Bill Owens wrote:
> At 16:15 -0500 11/11/02, John Fraizer wrote:
> >On Mon, 11 Nov 2002, Pekka Savola wrote:
> > > To me, it indicates a small fraction of our v6 newsfeed traffic.
> >
> >Pekka, the operative word here is SPIKE. IE; Out of the ordinary or
> >uncharacteristic.
>
> One could imagine that a routing change could redirect someone's v6
> newsfeed across a new network that was used to the usual IPv6 traffic
> loads (tens of kbps), and cause some suprise. Obviously that was not
> the case here, since the other end reported that the packets were
> echo requests. But it does make the point that a network operator
> used to having almost no v6 traffic might be quite suprised should
> they suddenly see even a steady traffic load. The initial reaction
> shouldn't be to assume DoS without knowing more about the nature of
> the traffic. . .
>
> Bill.
OK. This brings on a very good point when it comes time to choose
peers. It's a bad idea to accept transit from someone who can't handle
your "normal" traffic, even if it is temporary "backup" transit.
Why? Because if your NORMAL traffic is going to swamp their network, they
are of no use to you as a transit peer and you are a liability to their
network.
As indicated though, this particular instance was ICMP based. The only
role EnterZone played in this was as a transit AS. We did not
characterization of traffic at all. XS26 simply cc'd us on the abuse
notification because to mitigate the effects of the attack, they had to
temporary shutdown our peering session.
---
John Fraizer | High-Security Datacenter Services |
President | Dedicated circuits 64k - 155M OC3 |
EnterZone, Inc | Virtual, Dedicated, Colocation |
http://www.enterzone.net/ | Network Consulting Services |