Mailing List Archive: www.house.gov not reachable.

www.house.gov not reachable.

virendra.rode at gmail

Sep 28, 2008, 3:35 PM

Post #1 of 21 (827 views)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Appears to be slashdot effect. Is anyone able to reach it?

$ traceroute-nanog www.house.gov
traceroute to www.house.gov (143.228.144.184), 30 hops max, 40 byte packets
1 * * 192.168.1.1 (192.168.1.1) 0.694 ms
2 rrcs-24-43-96-129.west.biz.rr.com (24.43.96.129) 12.547 ms 14.746
ms 11.975 ms
3 cpe-24-30-162-209.socal.rr.com (24.30.162.209) 13.230 ms 10.382 ms
10.428 ms
4 tge4-0-2.lsanca4-rtr1.socal.rr.com (24.30.162.233) 15.257 ms
16.641 ms 19.161 ms
5 * * *
6 te-4-1.car1.Tustin1.Level3.net (4.71.104.157) 21.439 ms
te-1-3.car1.Tustin1.Level3.net (4.79.140.37) 18.273 ms
te-1-4.car1.Tustin1.Level3.net (4.79.140.1) 18.181 ms
7 ae-2-3.bar1.Tustin1.Level3.net (4.69.132.218) 20.702 ms 20.403 ms
17.741 ms
8 ae-6-6.ebr1.LosAngeles1.Level3.net (4.69.136.202) 21.904 ms 19.457
ms 17.880 ms
9 ae-81-81.csw3.LosAngeles1.Level3.net (4.69.137.10) 29.696 ms
ae-71-71.csw2.LosAngeles1.Level3.net (4.69.137.6) 22.903 ms
ae-61-61.csw1.LosAngeles1.Level3.net (4.69.137.2) 39.060 ms
10 ae-4-99.edge1.LosAngeles1.Level3.net (4.68.20.199) 19.504 ms
ae-2-79.edge1.LosAngeles1.Level3.net (4.68.20.71) 24.409 ms
ae-1-69.edge1.LosAngeles1.Level3.net (4.68.20.7) 20.251 ms
11 192.205.33.225 (192.205.33.225) 98.923 ms
level3-gw.la2ca.ip.att.net (192.205.33.229) 18.833 ms 192.205.33.225
(192.205.33.225) 17.658 ms
12 tbr2.la2ca.ip.att.net (12.127.3.214) 84.049 ms 83.400 ms 82.004 ms
13 cr2.la2ca.ip.att.net (12.122.19.213) 87.134 ms 83.234 ms 83.367 ms
14 12.122.30.29 (12.122.30.29) 85.060 ms 83.920 ms 82.151 ms
15 cr2.dvmco.ip.att.net (12.122.30.26) 85.061 ms 82.887 ms 82.259 ms
16 * cr1.cgcil.ip.att.net (12.122.31.86) 83.637 ms 82.557 ms
17 cr1.cl2oh.ip.att.net (12.122.2.206) 82.341 ms 83.166 ms 84.391 ms
18 cr2.cl2oh.ip.att.net (12.122.2.126) 84.642 ms 84.020 ms 85.446 ms
19 cr2.phlpa.ip.att.net (12.122.2.210) 199.738 ms 81.896 ms 82.662 ms
20 cr1.wswdc.ip.att.net (12.122.4.54) 84.546 ms 82.374 ms 82.072 ms
21 12.123.10.1 (12.123.10.1) 85.794 ms 83.924 ms 82.481 ms
22 * * *
23 * * *
24 * * *
25 * * *

regards,
/virendra
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFI4AbKpbZvCIJx1bcRAiCWAKDGEnwwlKkjtPp20/oBj+v4+XOw1wCg9VBr
BnYN/jFjC4TEbzUdbytrWFY=
=gAsi
-----END PGP SIGNATURE-----

www.house.gov not reachable. [ In reply to ]

LarrySheldon at cox

Sep 28, 2008, 3:43 PM

Post #2 of 21 (817 views)

virendra rode wrote:

> Appears to be slashdot effect. Is anyone able to reach it?

I don't have full diagnostic skills--it seems to server up a blank page.

They apparently block ICMP as current best practice seems to require.

www.house.gov not reachable. [ In reply to ]

christian at broknrobot

Sep 28, 2008, 3:45 PM

Post #3 of 21 (818 views)

Trying 143.228.144.184...
Connected to www.house.gov.
Escape character is '^]'.
GET / HTTP/1.0

.

HTTP/1.1 200 OK
Server: "USHR Webserver Ver 5.4.1"
Date: Sun, 28 Sep 2008 22:43:33 GMT
Content-type: text/html
Connection: close

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head>
<title>United States House of Representatives, 110th Congress, 2nd
Session</title>

having issues puling up via a browser though...

On Sun, Sep 28, 2008 at 6:43 PM, Laurence F. Sheldon, Jr.
<LarrySheldon at cox.net> wrote:
> virendra rode wrote:
>
>> Appears to be slashdot effect. Is anyone able to reach it?
>
> I don't have full diagnostic skills--it seems to server up a blank page.
>
> They apparently block ICMP as current best practice seems to require.
>
> _______________________________________________
> outages mailing list
> outages at outages.org
> https://puck.nether.net/mailman/listinfo/outages
>

www.house.gov not reachable. [ In reply to ]

flowerpt at gmail

Sep 28, 2008, 3:49 PM

Post #4 of 21 (815 views)

On Sep 28, 2008, at 18:45, Christian Koch wrote:

> having issues puling up via a browser though...

I tried the same and it took a long time to return - perhaps
exceeding a browser timeout.

I think virendra called it - load problems.

They can call me for an LVS cluster. ;)

-Bill

-----
Bill McGonigle, Owner Work: 603.448.4440
BFC Computing, LLC Home: 603.448.1668
bill at bfccomputing.com Cell: 603.252.2606
http://www.bfccomputing.com/ Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf

www.house.gov not reachable. [ In reply to ]

virendra.rode at gmail

Sep 28, 2008, 3:55 PM

Post #5 of 21 (816 views)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just found out, congress released their draft rescue plan on their website.

Just wondering if the bill includes any $$$$ for load-balancers :-)

regards,
/virendra

Christian Koch wrote:
> Trying 143.228.144.184...
> Connected to www.house.gov.
> Escape character is '^]'.
> GET / HTTP/1.0
>
> .
>
>
> HTTP/1.1 200 OK
> Server: "USHR Webserver Ver 5.4.1"
> Date: Sun, 28 Sep 2008 22:43:33 GMT
> Content-type: text/html
> Connection: close
>
> <?xml version="1.0" encoding="iso-8859-1"?>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
>
> <head>
> <title>United States House of Representatives, 110th Congress, 2nd
> Session</title>
>
>
>
> having issues puling up via a browser though...
>
> On Sun, Sep 28, 2008 at 6:43 PM, Laurence F. Sheldon, Jr.
> <LarrySheldon at cox.net> wrote:
>> virendra rode wrote:
>>
>>> Appears to be slashdot effect. Is anyone able to reach it?
>> I don't have full diagnostic skills--it seems to server up a blank page.
>>
>> They apparently block ICMP as current best practice seems to require.
>>
>> _______________________________________________
>> outages mailing list
>> outages at outages.org
>> https://puck.nether.net/mailman/listinfo/outages
>>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFI4AtdpbZvCIJx1bcRAkT+AJ4nY7zUprLeUTHHdGKKJiQ3uYOuMwCgqbFa
hJlT0knbWF6XtGd+0a6byVA=
=z/1S
-----END PGP SIGNATURE-----

www.house.gov not reachable. [ In reply to ]

LarrySheldon at cox

Sep 28, 2008, 3:55 PM

Post #6 of 21 (817 views)

Bill McGonigle wrote:
>
> On Sep 28, 2008, at 18:45, Christian Koch wrote:
>
>> having issues puling up via a browser though...
>
> I tried the same and it took a long time to return - perhaps exceeding a
> browser timeout.
>
> I think virendra called it - load problems.
>
> They can call me for an LVS cluster. ;)

I guess there is some comfort that there are a few people interested in
the $1.2T Giveaway Bill.

Seems like there is a message in the readiness to serve area tho.

I expect Obama's office to announce a solution momentarily.
--
Requiescas in pace o email Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio Infallibility, and the ability to
learn from their mistakes.
Eppure si rinfresca

ICBM Targeting Information: http://tinyurl.com/4sqczs

www.house.gov not reachable. [ In reply to ]

yahoo at jimpop

Sep 28, 2008, 3:57 PM

Post #7 of 21 (819 views)

On Sun, Sep 28, 2008 at 18:49, Bill McGonigle <flowerpt at gmail.com> wrote:
> I think virendra called it - load problems.

I wonder if it's load or config issues.

I get:

"Bad Gateway"
"The proxy server received an invalid response from an upstream server."

when visiting speaker.house.gov.

However judiciary.house.gov and clerk.house.gov come up fine.

-Jim P.

www.house.gov not reachable. [ In reply to ]

JMacleod at alentus

Sep 28, 2008, 4:00 PM

Post #8 of 21 (816 views)

I'm sure its a typical enterprise/government announcement. No prior communication to IT staff, although they will be required to troubleshoot and fix! As now it appears "broken", although completely avoidable!

Communication and planning - its another foreign policy!

--
John Macleod
CTO
Alentus Corporation
28202 Cabot Road
Suite 205
Laguna Niguel, CA 92677
Tel: +1.877.922.9903
DID - US: +1.949.243.0490
UK: +44.(0)208.819.0350

www.alentus.com
www.serversfirst.com

- Sent via the Alentus Corporate Mobile Messaging System -

----- Original Message -----
From: outages-bounces@outages.org <outages-bounces@outages.org>
To: Christian Koch <christian at broknrobot.com>
Cc: Laurence F. Sheldon, Jr. <LarrySheldon at cox.net>; outages at outages.org <outages at outages.org>
Sent: Sun Sep 28 16:55:25 2008
Subject: Re: [outages] www.house.gov not reachable.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just found out, congress released their draft rescue plan on their website.

Just wondering if the bill includes any $$$$ for load-balancers :-)

regards,
/virendra

Christian Koch wrote:
> Trying 143.228.144.184...
> Connected to www.house.gov.
> Escape character is '^]'.
> GET / HTTP/1.0
>
> .
>
>
> HTTP/1.1 200 OK
> Server: "USHR Webserver Ver 5.4.1"
> Date: Sun, 28 Sep 2008 22:43:33 GMT
> Content-type: text/html
> Connection: close
>
> <?xml version="1.0" encoding="iso-8859-1"?>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
>
> <head>
> <title>United States House of Representatives, 110th Congress, 2nd
> Session</title>
>
>
>
> having issues puling up via a browser though...
>
> On Sun, Sep 28, 2008 at 6:43 PM, Laurence F. Sheldon, Jr.
> <LarrySheldon at cox.net> wrote:
>> virendra rode wrote:
>>
>>> Appears to be slashdot effect. Is anyone able to reach it?
>> I don't have full diagnostic skills--it seems to server up a blank page.
>>
>> They apparently block ICMP as current best practice seems to require.
>>
>> _______________________________________________
>> outages mailing list
>> outages at outages.org
>> https://puck.nether.net/mailman/listinfo/outages
>>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFI4AtdpbZvCIJx1bcRAkT+AJ4nY7zUprLeUTHHdGKKJiQ3uYOuMwCgqbFa
hJlT0knbWF6XtGd+0a6byVA=
=z/1S
-----END PGP SIGNATURE-----
_______________________________________________
outages mailing list
outages at outages.org
https://puck.nether.net/mailman/listinfo/outages

www.house.gov not reachable. [ In reply to ]

LarrySheldon at cox

Sep 28, 2008, 4:01 PM

Post #9 of 21 (816 views)

Laurence F. Sheldon, Jr. wrote:

> I guess there is some comfort that there are a few people interested in
> the $1.2T Giveaway Bill.
>
> Seems like there is a message in the readiness to serve area tho.
Comments to blog entry at
http://gatewaypundit.blogspot.com/2008/09/pelosi-reid-corruptocrats-face-nation.html
says every site carrying the save-the-bankers-beemer bill is down.

www.house.gov not reachable. [ In reply to ]

risnaini at indo

Sep 28, 2008, 5:38 PM

Post #10 of 21 (827 views)

It's fine for me here ?

[root at ipv6 /home/risnaini]# tcptraceroute -n www.house.gov
Selected device rl0, address 202.159.33.33, port 51633 for outgoing packets
Tracing the path to www.house.gov (143.228.144.184) on TCP port 80, 30
hops max
1 202.159.33.32 (202.159.33.32) 5.703 ms 9.893 ms 9.962 ms
2 202.53.251.145 (202.53.251.145) 9.961 ms 9.967 ms 9.990 ms
3 202.53.234.98 (202.53.234.98) 9.960 ms 9.976 ms 9.963 ms
4 118.91.224.226 (118.91.224.226) 9.977 ms 9.975 ms 9.986 ms
5 202.93.46.212 (202.93.46.212) 98.309 ms 124.895 ms 6.690 ms
6 157.130.195.13 (157.130.195.13) 189.902 ms 189.454 ms 188.222 ms
7 152.63.54.114 (152.63.54.114) 189.407 ms 188.027 ms 190.503 ms
8 152.63.48.6 (152.63.48.6) 190.383 ms 190.442 ms 191.152 ms
9 152.63.48.249 (152.63.48.249) 191.514 ms 191.047 ms 234.658 ms
10 192.205.34.185 (192.205.34.185) 264.976 ms 259.146 ms 355.663 ms
11 12.123.13.189 (12.123.13.189) 270.224 ms 270.228 ms 269.604 ms
12 12.122.19.17 (12.122.19.17) 270.191 ms 268.271 ms 270.759 ms
13 12.122.4.122 (12.122.4.122) 269.254 ms 269.937 ms 269.370 ms
14 12.122.2.206 (12.122.2.206) 268.567 ms 270.028 ms 271.254 ms
15 12.122.2.126 (12.122.2.126) 266.867 ms 269.245 ms 266.970 ms
16 12.122.2.210 (12.122.2.210) 269.768 ms 270.364 ms 270.227 ms
17 12.122.4.54 (12.122.4.54) 269.442 ms 269.510 ms 269.872 ms
18 12.123.10.1 (12.123.10.1) 268.465 ms 268.095 ms 269.004 ms
19 * * *
20 * * *
21 143.228.129.13 (143.228.129.13) 277.405 ms 277.642 ms 279.836 ms
22 * 143.228.130.2 (143.228.130.2) 279.245 ms 279.561 ms
23 * * *
24 * * *
25 143.228.144.184 (143.228.144.184) [open] 278.100 ms 278.582 ms
288.544 ms

Christian Koch wrote:
> Trying 143.228.144.184...
> Connected to www.house.gov.
> Escape character is '^]'.
> GET / HTTP/1.0
>
> .
>
>
> HTTP/1.1 200 OK
> Server: "USHR Webserver Ver 5.4.1"
> Date: Sun, 28 Sep 2008 22:43:33 GMT
> Content-type: text/html
> Connection: close
>
> <?xml version="1.0" encoding="iso-8859-1"?>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
>
> <head>
> <title>United States House of Representatives, 110th Congress, 2nd
> Session</title>
>
>
>
> having issues puling up via a browser though...
>
> On Sun, Sep 28, 2008 at 6:43 PM, Laurence F. Sheldon, Jr.
> <LarrySheldon at cox.net> wrote:
>> virendra rode wrote:
>>
>>> Appears to be slashdot effect. Is anyone able to reach it?
>> I don't have full diagnostic skills--it seems to server up a blank page.
>>
>> They apparently block ICMP as current best practice seems to require.
>>
>> _______________________________________________
>> outages mailing list
>> outages at outages.org
>> https://puck.nether.net/mailman/listinfo/outages
>>
> _______________________________________________
> outages mailing list
> outages at outages.org
> https://puck.nether.net/mailman/listinfo/outages
>
>

www.house.gov not reachable. [ In reply to ]

Sep 28, 2008, 5:42 PM

Post #11 of 21 (819 views)

I heard they posted the 700 Bn bail out bill online...

--
Steve
Equal bytes for women.

On Sun, 28 Sep 2008, Laurence F. Sheldon, Jr. wrote:

> Bill McGonigle wrote:
>>
>> On Sep 28, 2008, at 18:45, Christian Koch wrote:
>>
>>> having issues puling up via a browser though...
>>
>> I tried the same and it took a long time to return - perhaps exceeding a
>> browser timeout.
>>
>> I think virendra called it - load problems.
>>
>> They can call me for an LVS cluster. ;)
>
> I guess there is some comfort that there are a few people interested in the
> $1.2T Giveaway Bill.
>
> Seems like there is a message in the readiness to serve area tho.
>
> I expect Obama's office to announce a solution momentarily.
> --
> Requiescas in pace o email Two identifying characteristics
> of System Administrators:
> Ex turpi causa non oritur actio Infallibility, and the ability to
> learn from their mistakes.
> Eppure si rinfresca
>
> ICBM Targeting Information: http://tinyurl.com/4sqczs
> _______________________________________________
> outages mailing list
> outages at outages.org
> https://puck.nether.net/mailman/listinfo/outages
>

www.house.gov not reachable. [ In reply to ]

LarrySheldon at cox

Sep 28, 2008, 5:43 PM

Post #12 of 21 (814 views)

a. rahman isnaini r.sutan wrote:
> It's fine for me here ?

Obama must have fixed it.

The page loads here now.

www.house.gov not reachable. [ In reply to ]

Sep 28, 2008, 5:50 PM

Post #13 of 21 (825 views)

I heard Al Gore had to be called in. :)

Robert D. Scott Robert at ufl.edu
Senior Network Engineer 352-273-0113 Phone
CNS - Network Services 352-392-2061 CNS Receptionist
University of Florida 352-392-9440 FAX
Florida Lambda Rail 352-294-3571 FLR NOC
Gainesville, FL 32611 321-663-0421 Cell

-----Original Message-----
From: outages-bounces@outages.org [mailto:outages-bounces@outages.org] On
Behalf Of Laurence F. Sheldon, Jr.
Sent: Sunday, September 28, 2008 8:44 PM
Cc: outages at outages.org
Subject: Re: [outages] www.house.gov not reachable.

a. rahman isnaini r.sutan wrote:
> It's fine for me here ?

Obama must have fixed it.

The page loads here now.

_______________________________________________
outages mailing list
outages at outages.org
https://puck.nether.net/mailman/listinfo/outages

www.house.gov not reachable. [ In reply to ]

Valdis.Kletnieks at vt

Sep 29, 2008, 9:44 AM

Post #14 of 21 (817 views)

On Sun, 28 Sep 2008 17:43:00 CDT, "Laurence F. Sheldon, Jr." said:

> They apparently block ICMP as current best practice seems to require.

Ahem. Who said "block ICMP' is BCP? Yes, there's some ICMP things that
you probably *should* block if they're to/from untrusted sources, but in
particular, host/net unreachable ICMP shouldn't be blocked, and the next
site I catch blocking 'Frag Needed' I'm gonna get on a plane and re-educate
them with a clue-by-four regarding what they're doing to PMTUD.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/outages/attachments/20080929/524373f9/attachment.bin>

www.house.gov not reachable. [ In reply to ]

Sep 29, 2008, 9:52 AM

Post #15 of 21 (815 views)

----- "Valdis Kletnieks" <Valdis.Kletnieks at vt.edu> wrote:
> On Sun, 28 Sep 2008 17:43:00 CDT, "Laurence F. Sheldon, Jr." said:
> > They apparently block ICMP as current best practice seems to
> require.
>
> Ahem. Who said "block ICMP' is BCP? Yes, there's some ICMP thingsthat
> you probably *should* block if they're to/from untrusted sources, butin
> particular, host/net unreachable ICMP shouldn't be blocked, and thenext
> site I catch blocking 'Frag Needed' I'm gonna get on a plane and
> re-educate them with a clue-by-four regarding what they're doing to PMTUD.

The Department Of Homeland Insecurity will put you on their no-route list if
they catch you trying to sneak a clue-by-four onto a plane, Valdis.

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Josef Stalin)

www.house.gov not reachable. [ In reply to ]

caperry at edolnx

Sep 29, 2008, 10:36 AM

Post #16 of 21 (816 views)

Valdis.Kletnieks at vt.edu wrote:
> On Sun, 28 Sep 2008 17:43:00 CDT, "Laurence F. Sheldon, Jr." said:
>
>> They apparently block ICMP as current best practice seems to require.
>
> Ahem. Who said "block ICMP' is BCP? Yes, there's some ICMP things that
> you probably *should* block if they're to/from untrusted sources, but in
> particular, host/net unreachable ICMP shouldn't be blocked, and the next
> site I catch blocking 'Frag Needed' I'm gonna get on a plane and re-educate
> them with a clue-by-four regarding what they're doing to PMTUD.

I wouldn't say it's "best" practice, but it's "common" practice to drop
all ICMP traffic. When I worked for a government contractor a few years
ago, we had to fight tooth and nail for them to enable 'Frag Needed' and
'Destination Unreachable' on as many routers/firewalls as possible.
Those changes were needed just so we could get to the point of figuring
out _why_ the network was broken. Almost every cisco router or firewall
I saw on a government network control started with "any any drop" rule,
and ICMP never had an "accept" rule. Best practice says drop everything
and permit what you need, most people don't realize how critical ICMP is.

It's been a few years since the "ping death" scares of 1997, do we
really need to stop dropping any ICMP traffic anymore? My home internet
connection (AT&T DSL) drops not only ICMP Echo, but traceroute requests
as well. I understand that some saturated connections don't want ICMP
Echo requests going through, but in this age of fast processors in
routers we could rate limit instead of drop. It's hard to determine an
outage is an outage when you can't perform basic connectivity tests.

-Carl

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
URL: <https://puck.nether.net/pipermail/outages/attachments/20080929/979e36b1/attachment.bin>

www.house.gov not reachable. [ In reply to ]

LarrySheldon at cox

Sep 29, 2008, 11:08 AM

Post #17 of 21 (816 views)

Valdis.Kletnieks at vt.edu wrote:
> On Sun, 28 Sep 2008 17:43:00 CDT, "Laurence F. Sheldon, Jr." said:
>
>> They apparently block ICMP as current best practice seems to require.
>
> Ahem. Who said "block ICMP' is BCP? Yes, there's some ICMP things that
> you probably *should* block if they're to/from untrusted sources, but in
> particular, host/net unreachable ICMP shouldn't be blocked, and the next
> site I catch blocking 'Frag Needed' I'm gonna get on a plane and re-educate
> them with a clue-by-four regarding what they're doing to PMTUD.

I've been inactive in the racket for a while but personally think
blocking any ICMP from or to people you want to talk to is a mistake,
but last I heard just about everybody was telling me to block _some_
ICMP or other for some mythical reason o other.

And the more expensive consultants (considering TCO) and most of the
"firewall" experts were telling me to block them all.

--
Requiescas in pace o email Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio Infallibility, and the ability to
learn from their mistakes.
Eppure si rinfresca

ICBM Targeting Information: http://tinyurl.com/4sqczs

www.house.gov not reachable. [ In reply to ]

LarrySheldon at cox

Sep 29, 2008, 11:13 AM

Post #18 of 21 (815 views)

Carl Perry wrote:

> I wouldn't say it's "best" practice, but

Please check the sticker on your sarcasm detector, it may be overdue for
calibration.

www.house.gov not reachable. [ In reply to ]

LarrySheldon at cox

Sep 29, 2008, 11:18 AM

Post #19 of 21 (821 views)

Laurence F. Sheldon, Jr. wrote:

> I've been inactive in the racket for a while but personally think
> blocking any ICMP from or to people you want to talk to is a mistake,
> but last I heard just about everybody was telling me to block _some_
> ICMP or other for some mythical reason o other.
>
> And the more expensive consultants (considering TCO) and most of the
> "firewall" experts were telling me to block them all.

And occurs to me now that there are one or two places that operate
routers in RFC 1918 space and some that will not pass traffic that is
sourced in RFC1918 space.

--
Requiescas in pace o email Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio Infallibility, and the ability to
learn from their mistakes.
Eppure si rinfresca

ICBM Targeting Information: http://tinyurl.com/4sqczs

www.house.gov not reachable. [ In reply to ]

Sep 29, 2008, 11:24 AM

Post #20 of 21 (818 views)

Carl Perry <caperry at edolnx.net> writes:

> It's been a few years since the "ping death" scares of 1997, do we
> really need to stop dropping any ICMP traffic anymore?

I used to routinely drop ICMP from outside (at a different employer) because of the use at the time of ICMP as a covert communications channel by Loki and similar malware. ICMP messages were (are) also very useful for mapping services on a network.

This was before "stateful" packet inspection on ICMP was commonplace, and before ICMP traffic could be selectively blocked by type.

--
Jim Goltz <jgoltz at mail.nih.gov>

www.house.gov not reachable. [ In reply to ]

flowerpt at gmail

Sep 29, 2008, 12:34 PM

Post #21 of 21 (816 views)

On Sep 29, 2008, at 13:36, Carl Perry wrote:

> I understand that some saturated connections don't want ICMP
> Echo requests going through

Wouldn't you specifically want source quenches to go through in this
case?

> It's hard to determine an
> outage is an outage when you can't perform basic connectivity tests.

The choir concurs. :)

-Bill

-----
Bill McGonigle, Owner Work: 603.448.4440
BFC Computing, LLC Home: 603.448.1668
bill at bfccomputing.com Cell: 603.252.2606
http://www.bfccomputing.com/ Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf