port probes from anandtech host?

[Unforgiven]

for the past month and a half my zone alarm has been going nuts with hits every time i visit the anandtech forums. the dns forums.anandtech.com resolves to ip 168.143.107.163 and when i go to do a traceroute on that, the isp that comes up toward the end of the trace is one for carpathia hosting. carpathia hosting is pinging the crap out of me every time i visit the anandtech forums from ips:

66.117.41.12 btn-probe.cirn.net
66.117.41.13 above-probe.cirn.net
66.117.41.14 level3-probe.cirn.net
66.117.41.15 nac-probe.cirn.net
66.117.41.16 verio-probe.cirn.net
66.117.41.17

it wouldnt be that big of a deal but i get HAMMERED by these ip's to a tone of 50-100 hits PER HOUR. its gotten to the point where when im not evening visiting the anandtech forums that im getting hits overnight to the sum of 200-300 in a 6-8 hour span! ive written carpathia hosting to ask them what the deal is and have gotten no response. there is something on these forums that has changed in the past few months to cause this to happen and i want to know what it is please. these constant probes are slowing my internet connection to a crawl and its to the point where its making me angry.

 

[Sunner]

Yep, I'm getting those too.

 

[Barnaby W. Füi]

Originally posted by: Unforgiven

i get HAMMERED by these ip's to a tone of 50-100 hits PER HOUR. . . . im getting hits overnight to the sum of 200-300 in a 6-8 hour span! . . . these constant probes are slowing my internet connection to a crawl

WTF? A ping a minute is going to have approximately zero effect on your surfing speed.

 

[Bleep]

WTF? A ping a minute is going to have approximately zero effect on your surfing speed

Maybe he is on a dialup.
But either way it does not make it allright now do it?

Bleep

 

[n0cmonkey]

Originally posted by: Bleep

WTF? A ping a minute is going to have approximately zero effect on your surfing speed

Maybe he is on a dialup.
But either way it does not make it allright now do it?

Bleep

If his firewall is stopping it, what's the problem?

 

[Sunner]

Originally posted by: Bleep

WTF? A ping a minute is going to have approximately zero effect on your surfing speed

Maybe he is on a dialup.
But either way it does not make it allright now do it?

Bleep

Well, I agree with BBWF, one a minute is hardly "hammered", 100/sec would be alot closer
Can't say I give a crap either

root@cerberus: ~> tcpdump -enttt -r /var/log/pflog net 66.117.41.0/24
Sep 05 05:02:25.417741 rule 13/0(match): block in on le1: 66.117.41.17 > x.x.x.x: icmp: echo request (DF)
Sep 05 05:05:01.645920 rule 13/0(match): block in on le1: 66.117.41.15 > x.x.x.x: icmp: echo request (DF)
Sep 05 05:10:13.606643 rule 13/0(match): block in on le1: 66.117.41.12 > x.x.x.x: icmp: echo request (DF)
Sep 05 05:12:55.055649 rule 13/0(match): block in on le1: 66.117.41.13 > x.x.x.x: icmp: echo request (DF)
Sep 05 05:18:16.723902 rule 13/0(match): block in on le1: 66.117.41.16 > x.x.x.x: icmp: echo request (DF)
Sep 05 05:20:58.838624 rule 13/0(match): block in on le1: 66.117.41.14 > x.x.x.x: icmp: echo request (DF)
Sep 05 05:23:39.865818 rule 13/0(match): block in on le1: 66.117.41.17 > x.x.x.x: icmp: echo request (DF)
Sep 05 05:26:15.789828 rule 13/0(match): block in on le1: 66.117.41.15 > x.x.x.x: icmp: echo request (DF)
Sep 05 05:28:58.017337 rule 13/0(match): block in on le1: 66.117.41.12 > x.x.x.x: icmp: echo request (DF)
Sep 05 05:31:39.014071 rule 13/0(match): block in on le1: 66.117.41.13 > x.x.x.x: icmp: echo request (DF)
Sep 05 05:34:18.679535 rule 13/0(match): block in on le1: 66.117.41.16 > x.x.x.x: icmp: echo request (DF)
Sep 05 05:37:04.932433 rule 13/0(match): block in on le1: 66.117.41.14 > x.x.x.x: icmp: echo request (DF)
Sep 05 05:42:20.026451 rule 13/0(match): block in on le1: 66.117.41.17 > x.x.x.x: icmp: echo request (DF)

Looks like there are 6 hosts trying to ping...whatever, like I said, I can't say I care much...

 

[n0cmonkey]

If it's a problem, notify the ISP.

 

[Barnaby W. Füi]

Originally posted by: Bleep

WTF? A ping a minute is going to have approximately zero effect on your surfing speed

Maybe he is on a dialup.
But either way it does not make it allright now do it?

Bleep

Dialup is tens of thousands of bits per second. This ping is, what, maybe a few dozen (I'm not a networking guy ) bits, every ~60 seconds. A ping is almost nothing.

 

[n0cmonkey]

Originally posted by: BingBongWongFooey

Originally posted by: Bleep

WTF? A ping a minute is going to have approximately zero effect on your surfing speed

Maybe he is on a dialup.
But either way it does not make it allright now do it?

Bleep

Dialup is tens of thousands of bits per second. This ping is, what, maybe a few dozen (I'm not a networking guy ) bits, every ~60 seconds. A ping is almost nothing.

64-65535 bytes.

 

[Unforgiven]

maybe its not an issue to SOME of you people, but when the host for a forum im viewing is pinging me over and over and over again, i become alarmed. its called being informed with whats going on with your network. im not asking for your opinion on what effect a ping has on my connection or what your opinion is regarding dial-up, im asking why is it happening over the past few months and why should it be happening at all? if you dont like the question and want to state how much of an effect it has on my connection or other things just move along and dont bother posting. if you have an answer as to what the actual issue is and why its happenening over and over daily id appreciate a response.

 

[Sunner]

Originally posted by: n0cmonkey

Originally posted by: BingBongWongFooey

Originally posted by: Bleep

WTF? A ping a minute is going to have approximately zero effect on your surfing speed

Maybe he is on a dialup.
But either way it does not make it allright now do it?

Bleep

Dialup is tens of thousands of bits per second. This ping is, what, maybe a few dozen (I'm not a networking guy ) bits, every ~60 seconds. A ping is almost nothing.

64-65535 bytes.

I think Windows default is even smaller.

Unforgiven, just calm down.
This is their NOC and Abuse information from ARIN:
NOCHandle: KSB1-ARIN
NOCName: Bethke, Kenneth Scott
NOCPhone: +1-571-332-4957
NOCEmail: scott-REMOVETHIS@carpathiahost.com

Try mailing or calling him if you're so worried.

 

[ProviaFan]

This is slightly OT, but IMHO firewalls like ZoneAlarm et. al. do humankind a great disservice by telling someone every time they get pinged. Please, people, realize for once that shi... er, pings happen, your firewall protects you, and life goes on. It's kind of like "background noise" on the internet.

I have some friends who will tell me sometimes when they see me, "I got portscanned 13 times last night while I was on the computer." And I think, "so? My firewall goes about its business without pretending like it has to make me feel like it's a hero for saving my butt so many times."

I'm sorry if this comes off as being harsh - it's not, really, but it does get tiring hearing people talk about how "dangerous" the internet is all the time. Anyway, if you want to feel like you're doing something about it, Sunner has posted all the info you need to proceed.

 

[n0cmonkey]

Originally posted by: Unforgiven
maybe its not an issue to SOME of you people, but when the host for a forum im viewing is pinging me over and over and over again, i become alarmed. its called being informed with whats going on with your network. im not asking for your opinion on what effect a ping has on my connection or what your opinion is regarding dial-up, im asking why is it happening over the past few months and why should it be happening at all? if you dont like the question and want to state how much of an effect it has on my connection or other things just move along and dont bother posting. if you have an answer as to what the actual issue is and why its happenening over and over daily id appreciate a response.

My point was, unless it is *.anandtech.com pinging you, then you shouldn't be bitching here.

And ICMP is an informational protocol, it means almost nothing to get pinged. This whole idea of "stealthing" your computer is ridiculous.

 

[n0cmonkey]

Originally posted by: Sunner

Originally posted by: n0cmonkey

Originally posted by: BingBongWongFooey

Originally posted by: Bleep

WTF? A ping a minute is going to have approximately zero effect on your surfing speed

Maybe he is on a dialup.
But either way it does not make it allright now do it?

Bleep

Dialup is tens of thousands of bits per second. This ping is, what, maybe a few dozen (I'm not a networking guy ) bits, every ~60 seconds. A ping is almost nothing.

64-65535 bytes.

I think Windows default is even smaller.

I got the info from a cisco site, go figure.

Unforgiven, just calm down.
This is their NOC and Abuse information from ARIN:
NOCHandle: KSB1-ARIN
NOCName: Bethke, Kenneth Scott
NOCPhone: +1-571-332-4957
NOCEmail: scott-REMOVETHIS@carpathiahost.com

Try mailing or calling him if you're so worried.

571... I've got a 571 numbe. Guess they might be local?

 

[bsobel]

Originally posted by: Unforgiven
maybe its not an issue to SOME of you people, but when the host for a forum im viewing is pinging me over and over and over again, i become alarmed. its called being informed with whats going on with your network. im not asking for your opinion on what effect a ping has on my connection or what your opinion is regarding dial-up, im asking why is it happening over the past few months and why should it be happening at all? if you dont like the question and want to state how much of an effect it has on my connection or other things just move along and dont bother posting. if you have an answer as to what the actual issue is and why its happenening over and over daily id appreciate a response.

Unforgiven, here is what I believe is hapening (you can verify with cirn.net). Cirn is peered with a number of other providers (just from your dns lookups, BTN, AboveNet, Level3, NAC, Verio, etc). I think what you are seeing is an autodiscovery mechanism which is trying to determine which of the peers has the best/fastest connectivity to you. I suspect they use that data in conjunction with other metrics (current load on pipes, etc) to determine which peer to use to send packets back to you.

The load (to you) should actually be small (as was mentioned), and you should be (in theory) getting the best performance you can this way. That said, would be nice if they'd drop a simple web server on those IP's with a static page that just expains who they are and why they generate traffic.

Best,
Bill

 

[bsobel]

Replying to myself. Just going to Cirn.net gives you more info:

A Server is only as good as its Network:
Carpathia Hosting network connectivity is among the finest in the world. Our state-of-the-art Carpathia Intelligent Routing Network (CIRN) is built exclusively atop N+1 redundant, hot failover Juniper hardware. Unlike most hosting providers that rely on simple BGP, CIRN does much more than simply counting the number of hops to each end user. CIRN analyzes each one of our transit and peers for latency, jitter, and packet loss then automatically selects the highest performing provider to ensure our customers the fastest speeds available. Developed exclusively by Carpathia Hosting, CIRN has quickly become the preferred network for online game and video streaming companies who demand the absolute fastest route.

Transit and peer providers currently used by Carpathia Hosting, Inc:
Level(3), AboveNet, NAC, Verio, BTN, AOL, Big Pipe, NetAccess Corporation, Peer1, Netcologne, Realconnect, Witbe, Primus Telecommunications, Telenor, Aleron, EarthLink, TDS, Atlantech and AboveNet.

...

Carpathia Hosting offers its Premium bandwidth over CIRN (Carpathia Intelligent Routing Network). Our intelligent routing software monitors traffic flows and alerts us of latency, packet retransmission's and packet loss. When CIRN discovers issues with any of our transit providers, the system dynamically tests for a better path and re-directs your packets through that new higher performing path. CIRN provides you a competitive advantage for your mission critical and performance sensitive network applications

So, now I'm positive this what your seeing (it's actually kinda cool, IMHO).

Bill

 

[Sunner]

Originally posted by: ProviaFan
This is slightly OT, but IMHO firewalls like ZoneAlarm et. al. do humankind a great disservice by telling someone every time they get pinged. Please, people, realize for once that shi... er, pings happen, your firewall protects you, and life goes on. It's kind of like "background noise" on the internet.

I have some friends who will tell me sometimes when they see me, "I got portscanned 13 times last night while I was on the computer." And I think, "so? My firewall goes about its business without pretending like it has to make me feel like it's a hero for saving my butt so many times."

I'm sorry if this comes off as being harsh - it's not, really, but it does get tiring hearing people talk about how "dangerous" the internet is all the time. Anyway, if you want to feel like you're doing something about it, Sunner has posted all the info you need to proceed.

Yep, I agree.

 

[VirtualLarry]

Originally posted by: ProviaFan
This is slightly OT, but IMHO firewalls like ZoneAlarm et. al. do humankind a great disservice by telling someone every time they get pinged. Please, people, realize for once that shi... er, pings happen, your firewall protects you, and life goes on. It's kind of like "background noise" on the internet.

I have some friends who will tell me sometimes when they see me, "I got portscanned 13 times last night while I was on the computer." And I think, "so? My firewall goes about its business without pretending like it has to make me feel like it's a hero for saving my butt so many times."

Sitting there watching the alerts come in on your firewall, is kind of like sitting watching the rain pour down and hit the window. If you didn't have but a square hole in the side of your house instead, then of course the contents would be getting wet, but that's why we have windows. Likewise, firewalls.

Btw, good sleuthing bsobel, that's interesting to know about "CIRN". I've also had some strange suspicious packets hit me back from some web sites, but when I investigated more, it was far more shady. Apparently the web site in question (or perhaps one of their banner-ad providers), had entered into a business relationship with this other firm, that when I investigated further, appeared to be in the business of scanning for open shares on peoples' PCs, for purposes of gathering advertising demographic info. Hacking/scanning peoples boxes for advertising purposes, doesn't seem like such a great business to me, but I guess that all types exist on the internet today. I just thought I would mention that, because not all scans/pings/feedback from web sites that you are browsing are non-malicious. It was good that in Unforgiven's case that they were. It's good that they labeled the IPs with "probe" r-DNS names, but by the same token, that could also tend to make some users more suspicious of the activities, not less. Trust me though, a real criminal won't label their IPs with tags like "probe" on their r-DNS.

 

[n0cmonkey]

Originally posted by: VirtualLarry

Originally posted by: ProviaFan
This is slightly OT, but IMHO firewalls like ZoneAlarm et. al. do humankind a great disservice by telling someone every time they get pinged. Please, people, realize for once that shi... er, pings happen, your firewall protects you, and life goes on. It's kind of like "background noise" on the internet.

I have some friends who will tell me sometimes when they see me, "I got portscanned 13 times last night while I was on the computer." And I think, "so? My firewall goes about its business without pretending like it has to make me feel like it's a hero for saving my butt so many times."

Sitting there watching the alerts come in on your firewall, is kind of like sitting watching the rain pour down and hit the window. If you didn't have but a square hole in the side of your house instead, then of course the contents would be getting wet, but that's why we have windows. Likewise, firewalls.

Btw, good sleuthing bsobel, that's interesting to know about "CIRN". I've also had some strange suspicious packets hit me back from some web sites, but when I investigated more, it was far more shady. Apparently the web site in question (or perhaps one of their banner-ad providers), had entered into a business relationship with this other firm, that when I investigated further, appeared to be in the business of scanning for open shares on peoples' PCs, for purposes of gathering advertising demographic info. Hacking/scanning peoples boxes for advertising purposes, doesn't seem like such a great business to me, but I guess that all types exist on the internet today. I just thought I would mention that, because not all scans/pings/feedback from web sites that you are browsing are non-malicious. It was good that in Unforgiven's case that they were. It's good that they labeled the IPs with "probe" r-DNS names, but by the same token, that could also tend to make some users more suspicious of the activities, not less. Trust me though, a real criminal won't label their IPs with tags like "probe" on their r-DNS.

Open shares on the internet are like those free sample stands at costco. If we weren't supposed to use the data there, they wouldn't be available in that manner.

 

[Jason Clark]

The "pings" are part of a customer routing protocol that our ISP uses to determine the best route to the network. It's extremely beneficial as it gets you the best route into the anandtech network. Our network analyzes packets and all of the peer's for latency, jitter, and packet loss to automatically select the best route. So, don't worry about it, we are not here to probe your firewall

 

[Unforgiven]

thank you for the well explained reply jason

 

[rudeguy]

Originally posted by: Unforgiven
thank you for the shor and well explained reply jason

fixed that for ya

 

[oldman420]

you go jason and bill thatsa great work there deducing it out