[LINK] DNS outage?
Glen Turner
gdt at gdt.id.au
Wed Jul 29 10:15:05 AEST 2009
[as usual, not speaking for my employer]
On 29/07/09 09:03, Stilgherrian wrote:
> No, it just means ping is blocked. Traceroute uses ping. Pings don't
> always get allowed through any more. Indeed, many networks actively
> block such attempts to do reconnaissance like that, for security
> reasons, as someone said earlier. Telstra is, in general, one of them.
Ah, blocking ping and traceroute. All it leads to is an escalation in
tools -- so tcptraceroute rather than the original traceroute.
Sites with absolutely smooth firewalls are just hopeless to diagnose,
because they've turned all of the diagnosis tools off. So their
Internet goes down, they ring for help, and all the help an ISP can
offer is "looks good at our end". For most sites they've made too
paranoid a security/maintainability trade-off.
Block the invalid ICMP options. Rate limit the valid ones.
> Indeed, I tend to agree with that sort of network decision. On the
> Internet, you're only responsible for the operation of your own
> network and how it connects to your peers. What happens inside someone
> else's network -- which includes the backbone links -- is not your
> problem and none of your business.
This has been rehashed many times on the NANOG list. The counter-argument
is that you are paying for an Internet service which includes the ability
to diagnose faults, since the RFCs specifying an Internet service include
the diagnosis protocols. From a practical point of view, most large ISPs
are happy with that argument, as allowing customers to fault-find lowers
the number of expensive-to-handle calls to the helpdesk, especially during
peak times (and remember, since many ISPs hold various telco licenses, in
some countries the ISP pays for every minute people are on hold above ten
minutes).
For big ISPs which offer SLAs with penalties there's also the problem of
contestability of SLA failures. No big customer is going to be happy with
an outage report which the ISP claims doesn't activate the penalty clause
but which the customer has no way of verifying for themselves. That will
only lead to SLA contracts which really suck for the ISP (such as paying
for all failures of connectivity, regardless of cause).
--
Glen Turner <http://www.gdt.id.au/~gdt/>
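As an added example that is not part of Glen's post or the thread, here is what "block the invalid ICMP options, rate limit the valid ones" looks like as an nftables ruleset for a dual-stack host. The table name, the 50 packets/second limit, the SSH port and the traceroute probe port range are assumptions for illustration; the ruleset is not from any site mentioned in the thread.

```nft
#!/usr/sbin/nft -f
# Added example (not from the list post): input policy for a dual-stack edge
# host that keeps the diagnostic ICMP types reachable but rate-limited, and
# drops the rest. Table name, limits and the SSH port are assumptions.
flush ruleset

table inet edge_icmp {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # The "absolutely smooth" firewall the post complains about would read:
        #   meta l4proto { icmp, ipv6-icmp } drop
        # and leave a remote helpdesk with nothing to look at.

        # IPv4: echo-request for ping plus the error types traceroute relies on,
        # rate-limited in aggregate so they cannot be used to flood the host.
        icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem } limit rate 50/second burst 100 packets accept
        # Everything else (timestamp, address-mask, source-quench, redirect ...)
        # is dropped and counted, so the drops are visible in `nft list ruleset`.
        meta l4proto icmp counter drop

        # IPv6: neighbour discovery and Packet Too Big are load-bearing for the
        # stack (RFC 4890), so they are accepted without a limit ...
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, packet-too-big } accept
        # ... while the diagnostic types get the same treatment as on IPv4.
        icmpv6 type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem } limit rate 50/second burst 100 packets accept
        meta l4proto ipv6-icmp counter drop

        # Services this host actually offers (assumed: SSH only).
        tcp dport 22 accept

        # Classic UDP traceroute probes (assumed default port range) get the
        # port-unreachable reply the tool expects, and tcptraceroute's SYNs to
        # closed ports get a RST, so a remote operator still sees the last hop
        # rather than "* * *".
        udp dport 33434-33534 reject with icmpx type port-unreachable
        tcp flags & (fin|syn|rst|ack) == syn reject with tcp reset
    }
}
```

Load it with `nft -f` and watch the `counter` rules: a rising drop count on the ICMP catch-alls shows what the old blanket block was silently discarding. The `limit rate` statements apply to each rule as a whole; if one noisy source must not be able to exhaust the budget for everyone else, replace them with a per-source `meter`.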