I recently downloaded a couple of software tools, the intended purpose of
which is to benchmark certain parameters of DNS system performance and
security. I think that it’s great to have such tools available, and I would
certainly encourage their use for the intended purpose.
Nevertheless, one of the first things I noted during the use of these
tools is that they generate a considerable amount of network activity
for the duration of the test. For the moment, and for lack of a better
term, I would suggest that these tools repetitively “bombard” the
servers with lookup requests, then extract certain characteristics based
on the nature of the responses.
Since I employ a fairly high-speed Internet connection, it immediately
occurred to me that the people who operate such servers, or run the
network I’m on, may or may not take a dim view of such network
activity; especially in light of all the DOS’ing that’s going on nowadays.
Although my intentions are certainly benign, and the benchmarking purely
diagnostic in nature, might these tests not raise a red flag here and there
in the course of their use?
Further, if this network activity exceeds certain detection thresholds,
and subsequently triggers intervention on the part of an ISP, could
the results of such benchmarking be negatively affected?
With this in mind, I made a cursory examination of my ISP’s terms and
conditions document, and discovered a particularly relevant section of their
network management policy, which I now reproduce here for your perusal:
Description of Network Management Practices, Performance, and Commercial Terms (Residential & Small Business Broadband Internet Access Services)
[relevant ISP] employs certain practices on a case-by-case and as-needed basis to protect its network and its customers against distributed Denial of Service (“DDOS”) attacks. These practices (which could include limiting traffic to DNS and DHCP servers) could be triggered if [relevant ISP] detects traffic levels that significantly exceed certain baselines; the applicable thresholds are not disclosed here, in order to ensure that these security practices remain effective and cannot be deliberately circumvented.
I am curious to know how those that run DNS systems view the network
activity generated by such tests. Similarly, I would be interested in hearing from
users who have considerable knowledge of the nature of DOS attacks, and
might be able to comment on the issue of ISP countermeasures, and the
potential influence of such countermeasures, on benchmarking tests.