discuss - Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia


Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia


  • From: Daniel L <daniel.leek AT me.com>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia
  • Date: Wed, 02 May 2012 20:05:23 +1000

It is a requirement to run a T2 server if we run a TLD, right?
On 02/05/2012, at 8:00 PM, Julian De Marchi wrote:

> Heya--
>
> [...]
>
>> Also keep in mind that security provides no additional use to the
>> OpenNIC community if there is no adversary in sight. If there were no
>> burglars, you wouldn't need locks on your doors, would you? So don't
>> expect too enthusiastic a response when you propose security measures
>> which involve lots of work (every single command has to be replicated to
>> all servers, keep that in mind!) but provide no immediate benefit.
>
> OpenNIC gets abused by spammers and botnets. I personally have had to
> withdraw a few T2 servers due to heavy bandwidth use from what I assume to be
> botnets and spammers (trojans on PCs using my T2s).
>
> Operating a T2 by nature introduces this risk. It is easy to solve, don't
> run open resolvers. But this is what OpenNIC does...
>
> [...]
>
>>> That said, i worry that the project is completely open to attack, and
>>> that if we are used for anything critical, the first DDOS would bring us
>>> down, and it would be an embarrassing defeat.
>>
>> True, there's that. And then there's this:
>>
>> <SNIP>
>> #!/bin/bash
>>
>> # Ask the T1 for a full zone transfer of every OpenNIC TLD it serves.
>> # The zone data lists the IPs of all the T2s.
>> function axfrall()
>> {
>> dig @${1} axfr geek
>> dig @${1} axfr neo
>> dig @${1} axfr fur
>> dig @${1} axfr ing
>> dig @${1} axfr micro
>> dig @${1} axfr bbs
>> dig @${1} axfr dyn
>> dig @${1} axfr gopher
>> dig @${1} axfr free
>> dig @${1} axfr indy
>> dig @${1} axfr null
>> }
>> TMPFILE=$(mktemp /tmp/onic.XXXXXX)
>> # Pull every IPv4 address out of the transferred zones, one per line.
>> axfrall 84.200.228.200 | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq > ${TMPFILE}
>> # Service/version scan of all those hosts on a few interesting ports.
>> nmap -A -p 21,23,80,443 -iL ${TMPFILE} -oA opennic -vvv
>> <SNAP>
>
> Looks embarrassing until you think about the people who offer T1s. They are
> sometimes run on shared infrastructure. I run a few of those above, and I
> can tell you I have 80 and 443 open as it is a dual purpose host at this
> point in time. Not ideal in the perfect world, but this is not.
>
> In my perfect world OpenNIC would run anycast + keepalived DNS farms. Sadly
> this is not an option for OpenNIC at this time. It'd require a lot of
> things to occur, mainly funding for the kit...
>
>>> 1) What is the standard operating procedure for protecting name servers
>>> against DOS attacks?
>>
>> Query rate limiting.
>
> One of our members, Jeff, wrote a DDoS detection script[0] which he built
> after many months of research. It detects attack methods he has seen
> before and blocks the IP for a certain amount of time depending on the
> hits. You should have a basic understanding of Perl and iptables before
> trying to play with this script.
>
> [...]
>
>>> 5) What might be some novel techniques to protect name servers from
>>> taking the full blow of sudden surges in user demand?
>>
>> Shut the overloaded nameservers off. This would be a very radical and new
>> approach, though I don't recommend it ;-) See my answer to your point 3)
>> for a useful hint.
>
> I've had to. Now the IP is fucked forever. Just like being in the NTP
> pool...
>
> [...]
>
> --julian
>
> 0 - http://wiki.opennic.glue/ddosDotPl
>
>
> --------
> You are a member of the OpenNIC Discuss list. You may unsubscribe by
> emailing discuss-unsubscribe AT lists.opennicproject.org
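The thread names two countermeasures without showing either: query rate limiting, and Jeff's ddos.pl, described as blocking a source IP via iptables for a time that depends on the hits. The block below is an added example that is not code from this thread and not OpenNIC's ddos.pl; it shows the idea end to end over constructed BIND 9 style query-log lines: a sliding-window count per source address, a block whose length doubles on each repeat offence, and the iptables commands that would apply and lift it. WINDOW, MAX_QUERIES, the block lengths, the sample addresses and the log lines are all assumptions for illustration.

```python
"""Per-source DNS query rate limiting with escalating blocks.

Added example, not code from this thread and not OpenNIC's ddos.pl: it
demonstrates the approach the thread describes (count queries per source,
block a source for a time that grows with repeat offences, via iptables)
over constructed BIND 9 style query-log lines.  WINDOW, MAX_QUERIES and
the block durations are assumed values, not anything the list agreed on.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

WINDOW = 5.0        # seconds; assumed
MAX_QUERIES = 20    # queries per WINDOW from one source before it is blocked; assumed
BASE_BLOCK = 60     # first block length in seconds, doubling per offence; assumed
MAX_BLOCK = 3600    # cap on the block length; assumed

# BIND 9 query-log line: timestamp, "client IP#port", an optional "(qname)"
# on newer versions, then "query: <name> IN <type>".  Other lines do not match.
_LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) .*?client "
    r"(?:@0x[0-9a-f]+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+.*?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (epoch_seconds, source_ip, qtype), or None if not a query line."""
    m = _LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts.replace(tzinfo=timezone.utc).timestamp(), m["ip"], m["qtype"]


class RateLimiter:
    """Sliding-window counter per source with exponentially growing blocks."""

    def __init__(self):
        self.recent = defaultdict(deque)   # ip -> query timestamps inside WINDOW
        self.strikes = defaultdict(int)    # ip -> blocks issued so far
        self.blocked_until = {}            # ip -> epoch at which its block expires

    def observe(self, ts, ip):
        """Record one query; return (ip, block_seconds) when a new block is due."""
        until = self.blocked_until.get(ip)
        if until is not None and ts < until:
            return None                    # already dropped by the firewall
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:    # forget queries outside the window
            q.popleft()
        if len(q) <= MAX_QUERIES:
            return None
        self.strikes[ip] += 1
        block = min(BASE_BLOCK * 2 ** (self.strikes[ip] - 1), MAX_BLOCK)
        self.blocked_until[ip] = ts + block
        q.clear()
        return ip, block


def iptables_commands(ip, block):
    """Commands that drop the source's DNS traffic and lift the drop after `block` seconds."""
    rule = f"-s {ip} -p udp --dport 53 -j DROP"
    return f"iptables -I INPUT {rule}", f"sleep {block} && iptables -D INPUT {rule}"


def process_log(lines):
    """Run a log through the limiter; return the blocks issued as [(ip, seconds), ...]."""
    limiter = RateLimiter()
    blocks = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _qtype = parsed
        hit = limiter.observe(ts, ip)
        if hit is not None:
            blocks.append(hit)
    return blocks


# --- constructed sample log (synthetic, not captured traffic) --------------
_T0 = datetime(2012, 5, 2, 20, 5, 0, tzinfo=timezone.utc).timestamp()


def _query_line(offset, ip, qname="opennic.glue", qtype="A"):
    """Build one BIND 9 style query-log line `offset` seconds after _T0."""
    stamp = datetime.fromtimestamp(_T0 + offset, timezone.utc)
    stamp = stamp.strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]
    return f"{stamp} client {ip}#40123: query: {qname} IN {qtype} +E (192.0.2.1)"


SAMPLE_LOG = sorted(
    # a legitimate resolver: five queries spread over ten seconds
    [_query_line(i * 2.0, "198.51.100.4") for i in range(5)]
    # an abuser: 30 ANY queries in 1.5 s, then the same again 100 s later
    + [_query_line(i * 0.05, "203.0.113.7", "isc.org", "ANY") for i in range(30)]
    + [_query_line(100 + i * 0.05, "203.0.113.7", "isc.org", "ANY") for i in range(30)]
    # a non-query line that the parser must skip
    + ["02-May-2012 20:05:03.000 general: info: reloading zones"]
)

if __name__ == "__main__":
    for ip, block in process_log(SAMPLE_LOG):
        add, remove = iptables_commands(ip, block)
        print(f"{ip}: block {block}s\n  {add}\n  {remove}")
```

Run stand-alone it prints two blocks for 203.0.113.7 (60 s, then 120 s) and none for the normal resolver. The second offence is what the thread's "depending on the hits" is about: a source that comes back once its block expires gets a longer one. In real use the `sleep ... && iptables -D` would be backgrounded or handed to at(1), and the per-IP `-I INPUT` rules should go into an ipset or a dedicated chain once there are more than a handful. The same windowed count at the server side is what BIND's built-in response rate limiting does, which is the cheaper answer to the "Query rate limiting" line above. Note that none of this helps against the enumeration script quoted earlier: that works because the T1 answers AXFR to anyone, and the fix for that is an allow-transfer ACL on the T1, not a rate limiter.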



