<div dir="ltr"><div dir="ltr">On Wed, Feb 9, 2022 at 4:00 PM Jay R. Ashworth <<a href="mailto:jra@baylink.com">jra@baylink.com</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
Well, this conversation has gotten a little cloudy (pun entirely intentional)<br>
or maybe it's me. There are 2 or maybe 3 separate tasks being discussed here:<br>
<br>
1) User tries to find out if a perceived outage is in their building/carrier/<br>
at the other end (or an exchange point, if they're smart enough).<br>
<br>
2) Device wants to know if it's connected to the Greater Internet<br>
<br>
3) Device wants to know *exactly when it loses contact* with the greater Internet.<br>
<br>
The first two are pretty easy for the Internet (or people who said "y'know<br>
what'd be really cool!? Let's pick an IP for our DNS customer resolver servers<br>
that's a really memorable numerical pun!" and then that bit them, like the owners<br>
of 1.1.1.1, 4.2.2.x, 8.8.4.4 and 8.8.8.8) to absorb, even at scale, without<br>
all that much trouble at the *traffic* layer (which, as I noted, is separate<br>
from the layer 8 or 9 bitching).<br>
<br>
The last, though, that's a separate issue entirely, and, even moreso than #2,<br>
is a function that should be dealt with *by pinging addresses the manufacturer<br>
itself owns and operates; if Meraki is hammering 8.8.8.8, as has been suggested<br>
here, then that's a Mortal Sin, and should be being addressed as a P1 task by <br>
whomever is closest to the relevant product manager.<br>
<br>
The 2006 D-Link NTP vandalism incident is the canonical example here:<br>
<br>
<a href="https://web.archive.org/web/20060408150155/http://people.freebsd.org/~phk/dlink/" rel="noreferrer" target="_blank">https://web.archive.org/web/20060408150155/http://people.freebsd.org/~phk/dlink/</a><br>
<br>
(Note that the original version of that page merely notes that an "amicable<br>
olution was reached; I *hate* settlements with gag orders, and so does Wikipedia,<br>
where that link came from.<br></blockquote><div><br></div><div>To give a sense of scale, 8.8.8.8 receives a steady-state 12Mpps (roughly one 10Gbps link) of ICMP ECHO_REQUEST traffic. This is mostly from millions of devices monitoring with one ping each second, but there are a few top-talkers just leaving a ping -f running all day.</div><div><br></div><div>Where do we go from here? Personally, I'd love to just turn it off for 24h each April 1 to help identify all the broken devices that inappropriately depend on it. If this were an annual occurrence perhaps vendors would stop producing abusive gear? (Or perhaps they'd just ping additional unwilling victims for redundancy....)</div><div><br></div><div>Damian</div></div></div>