Discuss mailing list

[Günter Grodotzki <guenter AT grodotzki.ph>]

Assumption is never for sure. I never block any IPs. I have been running 
a T2 Public server for over a year and I have _never_ experienced 
malicious traffic, or traffic that would hurt my server traffic wise or 
hardware wise (1ghz / 1GB RAM ...). Funny is, that rather single 
requests put my cpu to 100% not massive ones (software was defect, so a 
single request to a special dns-entry caused crashes)

As you can see in my current graph: http://217.79.186.148/ I do have 
some bursts/tops but as stated above, as they don't harm - I do not care.

But I would never go that far and think bad for everything. I would 
rather assume that somebody is benchmarking your dns server, check:

http://code.google.com/p/namebench/

and

http://blog.binfalse.de/2010/12/opennic-dns-network/

e.g. dns benchmarking seems to get more in common. so blocking those IPs 
is most probably very bad advertisement, as you are blocking potential 
users.


So as I stated already before in the ML, if you are afraid of traffic, 
don't host anything public. I always welcome any kind of traffic :)



On 12/25/10 9:14 AM, Jeff Taylor wrote:
> I had a couple others that were showing usage in the tens of thousands
> for the day, which I briefly considered nuking, but after I blocked this
> one IP the traffic dropped off so much that the other queries looked
> more like normal usage. I honestly think this was either some kind of
> spambot, or a directed attack against my server. The last time I saw
> that kind of traffic on my T2, there was clear evidence that it was
> related to spam runs. Normal traffic under OpenNic should never approach
> enough volume to saturate a basic DSL connection (unless we grow by at
> least a factor of 10), so when I see something like this occur, I can
> only assume it is malicious traffic.
>
>
> On 12/24/2010 09:26 PM, Dean Gardiner wrote:
> > For a minute there I thought it was my "monitor.ing" but that only
> > does 1 request every 5th minutes.
> >
> > On Dec 25, 2010 5:08 PM, "Jeff Taylor" <shdwdrgn AT sourpuss.net
> > <mailto:shdwdrgn AT sourpuss.net>> wrote:
> > > This evening I have to block an IP address which was pulling *massive*
> > > amounts of queries off of ns1.co.us.dns.opennic.glue. This address was
> > > completely flooding my bandwidth and preventing regular traffic
> > flow, so
> > > I nuked it with iptables.
> > >
> > > If 88.190.13.47 belongs to you, sorry for that but good god what were
> > > you doing? If there was a legitimate use for so much traffic (about
> > > 250,000 queries in 10-15 minutes), let me know, and we'll see if we can
> > > work out something.
> > > _______________________________________________
> > > discuss mailing list
> > > discuss AT lists.opennicproject.org
> > <mailto:discuss AT lists.opennicproject.org>
> > > http://lists.darkdna.net/mailman/listinfo/discuss
> >
> >
> > _______________________________________________
> > discuss mailing list
> > discuss AT lists.opennicproject.org
> > http://lists.darkdna.net/mailman/listinfo/discuss
>
>
> _______________________________________________
> discuss mailing list
> discuss AT lists.opennicproject.org
> http://lists.darkdna.net/mailman/listinfo/discuss