Discuss mailing list

[Julian De Marchi <julian AT jdcomputers.com.au>]

Heya--

[...]

> Also keep in mind, that security provides no additional use to the
> OpenNIC community if there is no adversary in sight. If there were no
> burglars, you wouldn't need locks in your doors, would you? So dont
> expect too enthusiastic response when you propose security measures
> which involve lots of work (every single command has to be replicated to
> all servers, keep that in mind!) but provide no immediate benefit.

OpenNIC gets abused by spammers and botnets. I personally have had to 
withdraw a few T2 servers due heavy bandwidth used from what I assume to 
be botnets and spammers(trojans on PCs using my T2s).

Operating a T2 by nature introduces this risk. It is easy to solve, 
don't run open resolvers. But this is what OpenNIC does...

[...]

> > That said, i worry that the project is completely open to attack, and
> > that if we are used for anything critical, the first DDOS would bring us
> > down, and it would be an embarrassing defeat.
>
> True, theres that. And then theres this:
>
> <SNIP>
> #!/bin/bash
>
> function axfrall()
> {
>          dig @${1} axfr geek
>          dig @${1} axfr neo
>          dig @${1} axfr fur
>          dig @${1} axfr ing
>          dig @${1} axfr micro
>          dig @${1} axfr bbs
>          dig @${1} axfr dyn
>          dig @${1} axfr gopher
>          dig @${1} axfr free
>          dig @${1} axfr geek
>          dig @${1} axfr indy
>          dig @${1} axfr null
> }
> TMPFILE=/tmp/onic$RANDOM
> axfrall 84.200.228.200 | grep -o
> '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq>
> ${TMPFILE}
> nmap -A -p 21,23,80,443 -iL ${TMPFILE} -oA opennic -vvv
> <SNAP>

Looks embarrassing until you think about the people who offer T1s. They 
are sometimes run on shared infrastructure. I run a few of those above, 
and I can tell you I have 80 and 443 open as it is a dual purpose host 
at this point in time. Not ideal in the perfect world, but this is not.

In my perfect world OpenNIC would run anycast + keepalived DNS farms. 
Sadly this is not an option for OpenNIC at this time. It'd require alot 
off things to occur, mainly funding for the kit...

> > 1) What is the standard operating procedure for protecting name servers
> > against DOS attacks?
>
> Query rate limiting.

One of our members Jeff wrote a ddos detection script[0] which he built 
after many months of research. It detects attacks methods he has seen 
before and blocks the IP for a certain amount of time depending on the 
hits. You should have a basic understanding of perl and iptables before 
trying to play with this script.

[...]

> > 5) What might be some novel techniques to protect name servers from
> > taking the full blow of sudden surges in user demand?
>
> Shut the overloaded nameserves off. This would be a very radical and new
> approach, though I dont recommend it ;-) See my answer to your point 3)
> for a useful hint.

I've had too. Now the IP is fucked forever. Just like being in the NTP 
pool...

[...]

--julian

0 - http://wiki.opennic.glue/ddosDotPl