> From: Stephane Bortzmeyer <[email protected]> > To: [email protected]
> Configuring a small network, I had the problem to test if the Internet > connectivity is working [side note: so I can use the result in the > test in the "parents" directive of Nagios/Icinga, to avoid alarms for > every target when the outside link is simply down]. The problem is to > find suitable targets for testing "the Internet". Why must one use a relatively small number of distant beacons for all sites? Why poke distant anchors when almost all "The Internet is down" complaints have local causes, and when not local, are out of the control and even the ken almost everyone complaining? My systems poke the far sides of my routers, services that I own and operate on other networks, and service providers that receive my money for more substantial services. > Some persons suggested me to use "facebook.com" (if it is down, the > Internet is useless, anyway), some suggested 8.8.8.8 (always up and > fast) and some suggested to ping the root name servers. Some months ago after working on some rate limiting code, I tired of seeing the same referer strings poking the the same bogus URLs in my HTTP server error logs. So I hacked something that generates firewall drop rules after about a dozen hits for the same page per day by apparently innocent HTTP clients and immediately for clients with what I consider bad referer strings. Watching that mechanism led me to discover that a bunch of people all over the world were using my puny, obscure HTTP servers for "Internet down" beacons. Most hit obvious pages at most a few dozen times per day. The budding commercial service (?) "DinoPing" was hitting http://www.rhyolite.com/anti-spam/that-which-we-dont.html from a bunch of clients every few seconds each. Whoever set them up overlooked the irony of stealing my resources to abuse a web page of spammer reasons why their spam is not spam. That irony made me see that the unsolicited beacon/anchor idea is yet another "doesn't scale" and "tragedy of the commons" notion like spam. > But I wonder what would happen if every small network with an OpenWRT > router and Nagios starts pinging them every minute. Is it a reasonable > use? Do the root name servers operators have an opinion about that? Is > there a better alternative? That other rate limiting code that I had been working on was for DNS. I eat my own dog food, and so it's in my own DNS servers. Most of the dropped DNS requests in the logs are for stupid reverse DNS scanners, but some are repeated hits that could be "Internet up" checks. That code has been touted as a good idea for roots and might make a root a poor "Internet up" beacon. I've heard that 8.8.8.8 is not a useful DNS DoS tool, perhaps because Google, like any competent, well known provider, must know about rate limiting. Every reasonable protocol must have several features. One is exponential or steeper retry back off in clients when things fail. Another is rate limiting in servers to deal with bad clients that fail to back off. > [You have probably seen this project, which is partially related: > <https://labs.ripe.net/Members/dfk/ripe-atlas-anchors>. A case where > many small boxes testing an unwilling service created problems: > <http://slashdot.org/story/06/04/07/130209/d-link-firmware-abuses-open-ntp-servers>.] There have been many similar stories over the years, including equipment vendors that DDoS'ed themselves instead of third parties. Vernon Schryver [email protected] _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
