Discuss mailing list

[Jeff Taylor <shdwdrgn AT sourpuss.net>]

It's not that I'm afraid of traffic, but this was a sustained stream 
that was pulling a huge amount of bandwidth from a single source.  If it 
was a small burst, I wouldn't have even noticed, but the problem 
continued long enough that I had time to look into it, discover where 
the problem was at, monitor the traffic for a bit, and decide what I 
wanted to do about it.  The traffic had completely stopped ALL other 
internet traffic, so it was disrupting all normal service here.

I have run bandwidth tests that never made a dent in my normal traffic.  
If that was a benchmark test, it is very poorly written and has no 
business being run on servers without notification, and it certainly 
should not have been run for such a long length of time.  In the 11 
years I've been running servers, I have never seen legitimate traffic 
(and especially not DNS queries) disrupt a connection like that.

Also consider this... If you have a single connection suddenly take up 
all of your bandwidth for no apparent reason and without any warning, 
would you allow that connection to persist no matter how long it went on 
for, or would you kill the connection in favor of serving traffic to the 
greater number of known queries?


On 12/25/2010 01:14 PM, Günter Grodotzki wrote:
> Assumption is never for sure. I never block any IPs. I have been 
> running a T2 Public server for over a year and I have _never_ 
> experienced malicious traffic, or traffic that would hurt my server 
> traffic wise or hardware wise (1ghz / 1GB RAM ...). Funny is, that 
> rather single requests put my cpu to 100% not massive ones (software 
> was defect, so a single request to a special dns-entry caused crashes)
>
> As you can see in my current graph: http://217.79.186.148/ I do have 
> some bursts/tops but as stated above, as they don't harm - I do not care.
>
> But I would never go that far and think bad for everything. I would 
> rather assume that somebody is benchmarking your dns server, check:
>
> http://code.google.com/p/namebench/
>
> and
>
> http://blog.binfalse.de/2010/12/opennic-dns-network/
>
> e.g. dns benchmarking seems to get more in common. so blocking those 
> IPs is most probably very bad advertisement, as you are blocking 
> potential users.
>
>
> So as I stated already before in the ML, if you are afraid of traffic, 
> don't host anything public. I always welcome any kind of traffic :)
>
>
>
> On 12/25/10 9:14 AM, Jeff Taylor wrote:
> > I had a couple others that were showing usage in the tens of thousands
> > for the day, which I briefly considered nuking, but after I blocked this
> > one IP the traffic dropped off so much that the other queries looked
> > more like normal usage. I honestly think this was either some kind of
> > spambot, or a directed attack against my server. The last time I saw
> > that kind of traffic on my T2, there was clear evidence that it was
> > related to spam runs. Normal traffic under OpenNic should never approach
> > enough volume to saturate a basic DSL connection (unless we grow by at
> > least a factor of 10), so when I see something like this occur, I can
> > only assume it is malicious traffic.
> >
> >
> > On 12/24/2010 09:26 PM, Dean Gardiner wrote:
> > > For a minute there I thought it was my "monitor.ing" but that only
> > > does 1 request every 5th minutes.
> > >
> > > On Dec 25, 2010 5:08 PM, "Jeff Taylor" <shdwdrgn AT sourpuss.net
> > > <mailto:shdwdrgn AT sourpuss.net>> wrote:
> > > > This evening I have to block an IP address which was pulling *massive*
> > > > amounts of queries off of ns1.co.us.dns.opennic.glue. This address was
> > > > completely flooding my bandwidth and preventing regular traffic
> > > flow, so
> > > > I nuked it with iptables.
> > > >
> > > > If 88.190.13.47 belongs to you, sorry for that but good god what were
> > > > you doing? If there was a legitimate use for so much traffic (about
> > > > 250,000 queries in 10-15 minutes), let me know, and we'll see if we 
> > > can
> > > > work out something.
> > > > _______________________________________________
> > > > discuss mailing list
> > > > discuss AT lists.opennicproject.org
> > > <mailto:discuss AT lists.opennicproject.org>
> > > > http://lists.darkdna.net/mailman/listinfo/discuss
> > >
> > >
> > > _______________________________________________
> > > discuss mailing list
> > > discuss AT lists.opennicproject.org
> > > http://lists.darkdna.net/mailman/listinfo/discuss
> >
> >
> > _______________________________________________
> > discuss mailing list
> > discuss AT lists.opennicproject.org
> > http://lists.darkdna.net/mailman/listinfo/discuss
> _______________________________________________
> discuss mailing list
> discuss AT lists.opennicproject.org
> http://lists.darkdna.net/mailman/listinfo/discuss