I have been doing battle lately with some unwanted
traffic which is eating bandwidth on my uplinks.
This is probably something that a lot of people
here have done, are doing, or are at least in the planning stages of, considering the discussion about filtering MP3
traffic.
I was digging around my logs and noticed that my
servers are getting constantly ping-flooded from several sources on the
internet, with the worst offender being AKAMAI. You will be surprised how many
networks have akamai in their top traffic reports.
Several other companies are doing similar
things.
I am using a NAT'd IP for my http traffic, and
within MINUTES of going to akamai.com, I get port scanned from a server in
POLAND using the SAME IP which I contacted AKAMAI with. I find it highly
unlikely that this scan was coincidental and not a direct action of AKAMAI. Why
so?
1) because this address range was JUST provisioned
by UUNET several days ago.
2) because the server in Poland did not scan a
range of hosts in our subnet, which would have shown in my logs. Instead they
only connected to my NAT'd address which I was using, without ever trying any
other IPs in my subnet... why the need for a port scan? What do they need to
know? I suppose port scanning is legitimate business when someone connects to a
web server. I disagree...
3) my logs are on MAXIMUM detail for all rules,
including a RealSecure network sensor and a sniffer which is running 24x7. I
had not a single packet destined for this host in POLAND, which claims to be a
mail server. The server is running Linux and
appears to have a very similar nmap profile to some other akamai servers I
found.
I have been digging around, and I am not liking
what I am finding in terms of what these people are doing.
Their sales pitch is that they are delivering
content at the fastest speed to/from their customers using a large network of
servers around the globe.
They do this by ping flooding large blocks of
addresses and building a network latency topology map and vectoring data from
their servers.
I don't want AKAMAI's thousands of servers PING
FLOODING me. I don't care if they want to speed up their customers; pay for my
T1s and then tell me about it.
They are in bed with providers like RealNetworks
and forming a lot of joint ventures (Radware, Cisco).
So what is another reason why I don't like AKAMAI?
Well, try THIS if you want to get around WebSense.
Now I have to block THOUSANDS of servers which in
many cases are used for valid business reasons because they can easily be used
for "banned" content.
So I have a ton of people trying to access RealNetworks
via http, and tons of traffic to banner ad sites like DOUBLECLICK (who
got a GOOFBALL patent issued).
Has anybody done battle successfully with "trojanware"
software like RealPlayer and ad-banner providers, and has
any tips?
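The post rests on three observations pulled from firewall logs: repeated ICMP echo requests from a handful of sources, a scan that touched many ports on one NAT'd address only, and the absence of any sweep across the rest of the subnet. The following script is an added example, not code from the poster or from any vendor mentioned above, showing how to pull those three signals out of iptables-style log lines so the distinction between a ping flood, a single-host port scan and a subnet sweep is made by counting rather than by eye. The log lines, the IP addresses (all from documentation ranges) and the thresholds are constructed for illustration and are not real traffic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of iptables-style log lines (not real traffic).
# 192.0.2.10 sends repeated ICMP echo requests (type 8) to one host,
# 203.0.113.7 probes several ports on a single host, and
# 198.18.0.9 hits the same port on consecutive hosts in the subnet.
SAMPLE_LOG = """\
Feb  3 10:01:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0
Feb  3 10:01:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0
Feb  3 10:01:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0
Feb  3 10:01:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0
Feb  3 10:02:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4431 DPT=21 SYN
Feb  3 10:02:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4432 DPT=22 SYN
Feb  3 10:02:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4433 DPT=25 SYN
Feb  3 10:02:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4434 DPT=80 SYN
Feb  3 10:02:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4435 DPT=110 SYN
Feb  3 10:03:00 fw kernel: IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.1 PROTO=TCP SPT=5000 DPT=80 SYN
Feb  3 10:03:00 fw kernel: IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.2 PROTO=TCP SPT=5001 DPT=80 SYN
Feb  3 10:03:01 fw kernel: IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.3 PROTO=TCP SPT=5002 DPT=80 SYN
Feb  3 10:03:01 fw kernel: IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.4 PROTO=TCP SPT=5003 DPT=80 SYN
"""

# Hypothetical thresholds; tune them to the traffic volume of the site.
ECHO_THRESHOLD = 3   # echo requests from one source before we call it a flood
PORT_THRESHOLD = 4   # distinct ports on one host before we call it a port scan
HOST_THRESHOLD = 4   # distinct hosts touched before we call it a subnet sweep


def parse_line(line):
    """Return the KEY=VALUE fields of one log line as a dict (empty if none)."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


@dataclass
class SourceStats:
    icmp_echo: int = 0                          # ICMP echo requests seen
    dst_hosts: set = field(default_factory=set)  # distinct destination addresses
    dst_ports: set = field(default_factory=set)  # distinct TCP/UDP destination ports


def summarize(log_text):
    """Aggregate the log into per-source counters keyed by SRC address."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        fields = parse_line(line)
        src = fields.get("SRC")
        if not src:
            continue                            # not a packet log line
        s = stats[src]
        s.dst_hosts.add(fields.get("DST"))
        if fields.get("PROTO") == "ICMP" and fields.get("TYPE") == "8":
            s.icmp_echo += 1                    # type 8 = echo request
        elif "DPT" in fields:
            s.dst_ports.add(int(fields["DPT"]))
    return dict(stats)


def classify(stats):
    """Label each source: ping flood, single-host port scan, subnet sweep or normal."""
    report = {}
    for src, s in stats.items():
        if s.icmp_echo >= ECHO_THRESHOLD:
            report[src] = "ping flood"
        elif len(s.dst_hosts) == 1 and len(s.dst_ports) >= PORT_THRESHOLD:
            report[src] = "single-host port scan"   # one target, many ports
        elif len(s.dst_hosts) >= HOST_THRESHOLD:
            report[src] = "subnet sweep"            # many targets
        else:
            report[src] = "normal"
    return report


def suggested_rules(report):
    """Emit iptables rules for the flagged sources (review before applying)."""
    rules = []
    for src, label in sorted(report.items()):
        if label == "ping flood":
            rules.append(f"iptables -A INPUT -s {src} -p icmp --icmp-type echo-request -j DROP")
        elif label != "normal":
            rules.append(f"iptables -A INPUT -s {src} -j DROP")
    return rules


if __name__ == "__main__":
    report = classify(summarize(SAMPLE_LOG))
    for src, label in sorted(report.items()):
        print(f"{src:15} {label}")
    print("\n".join(suggested_rules(report)))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the ICMP rate-limit rule it suggests only stops the echo requests from reaching the host, the packets still cross the uplink, so the bandwidth complaint in the post is only addressed by filtering at the upstream provider.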