
discuss - Re: [opennic-discuss] Killed an IP due to excessive usage

  • From: Günter Grodotzki <guenter AT grodotzki.ph>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Killed an IP due to excessive usage
  • Date: Sat, 25 Dec 2010 21:14:30 +0100
  • List-archive: <http://lists.darkdna.net/pipermail/discuss>
  • List-id: <discuss.lists.opennicproject.org>

Assumption is never for sure. I never block any IPs. I have been running a T2 Public server for over a year and I have _never_ experienced malicious traffic, or traffic that would hurt my server traffic-wise or hardware-wise (1 GHz / 1 GB RAM ...). The funny thing is that single requests, rather than massive ones, put my CPU at 100% (the software was defective, so a single request for a special DNS entry caused crashes).

As you can see in my current graph: http://217.79.186.148/ I do have some bursts/peaks, but as stated above, as they don't do any harm, I do not care.

But I would never go that far and think badly of everything. I would rather assume that somebody is benchmarking your DNS server; check:

http://code.google.com/p/namebench/

and

http://blog.binfalse.de/2010/12/opennic-dns-network/

E.g. DNS benchmarking seems to be getting more common, so blocking those IPs is most probably very bad advertisement, as you are blocking potential users.


So, as I already stated before on the ML, if you are afraid of traffic, don't host anything public. I always welcome any kind of traffic :)



On 12/25/10 9:14 AM, Jeff Taylor wrote:
I had a couple others that were showing usage in the tens of thousands
for the day, which I briefly considered nuking, but after I blocked this
one IP the traffic dropped off so much that the other queries looked
more like normal usage. I honestly think this was either some kind of
spambot, or a directed attack against my server. The last time I saw
that kind of traffic on my T2, there was clear evidence that it was
related to spam runs. Normal traffic under OpenNic should never approach
enough volume to saturate a basic DSL connection (unless we grow by at
least a factor of 10), so when I see something like this occur, I can
only assume it is malicious traffic.


On 12/24/2010 09:26 PM, Dean Gardiner wrote:

For a minute there I thought it was my "monitor.ing" but that only
does 1 request every 5 minutes.

On Dec 25, 2010 5:08 PM, "Jeff Taylor" <shdwdrgn AT sourpuss.net> wrote:
> This evening I had to block an IP address which was pulling *massive*
> amounts of queries off of ns1.co.us.dns.opennic.glue. This address was
> completely flooding my bandwidth and preventing regular traffic flow, so
> I nuked it with iptables.
>
> If 88.190.13.47 belongs to you, sorry for that but good god what were
> you doing? If there was a legitimate use for so much traffic (about
> 250,000 queries in 10-15 minutes), let me know, and we'll see if we can
> work out something.
> _______________________________________________
> discuss mailing list
> discuss AT lists.opennicproject.org
> http://lists.darkdna.net/mailman/listinfo/discuss


_______________________________________________
discuss mailing list
discuss AT lists.opennicproject.org
http://lists.darkdna.net/mailman/listinfo/discuss
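
An added illustration, not part of any message in this thread: one way a resolver operator could separate a sustained flood from a short benchmark-style burst before deciding to block, by taking each source's peak query count in a sliding window. The event format, the addresses, the 10-second window and the 100 queries/second limit are assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict, deque


def peak_window_counts(events, window_ms):
    """Return {source: most queries seen in any window_ms-long span}.

    events: (timestamp_ms, source_ip) tuples, sorted by timestamp.
    """
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peak = defaultdict(int)
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        while q[0] <= ts - window_ms:   # drop queries older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return dict(peak)


def heavy_sources(events, window_ms, max_qps):
    """Sources whose peak window count exceeds max_qps sustained over the window."""
    limit = max_qps * window_ms / 1000
    peaks = peak_window_counts(events, window_ms)
    return {src: n for src, n in peaks.items() if n > limit}


def sample_events():
    """Constructed traffic (documentation addresses), timestamps in milliseconds."""
    ev = []
    # Sustained flood: 250 queries/s for 30 s.
    ev += [(i * 4, "198.51.100.7") for i in range(250 * 30)]
    # Benchmark-style burst: 200 queries within 2 s, then silence.
    ev += [(5000 + i * 10, "203.0.113.9") for i in range(200)]
    # Monitoring probe: one query every 5 minutes.
    ev += [(i * 300_000, "192.0.2.10") for i in range(3)]
    ev.sort()
    return ev


if __name__ == "__main__":
    for src, n in heavy_sources(sample_events(), 10_000, 100).items():
        print(f"{src}: {n} queries in 10 s")
```

Only the sustained source crosses the limit; the burst and the monitoring probe stay well under it, so a rate limit or block keyed on this check would not touch them.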
