discuss AT lists.opennicproject.org
Subject: Discuss mailing list
List archive
- From: Daniel L <daniel.leek AT me.com>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia
- Date: Wed, 02 May 2012 20:05:23 +1000
it is a requirement to run a T2 server if we run a TLD, right?
On 02/05/2012, at 8:00 PM, Julian De Marchi wrote:
> Heya--
>
> [...]
>
>> Also keep in mind, that security provides no additional use to the
>> OpenNIC community if there is no adversary in sight. If there were no
>> burglars, you wouldn't need locks in your doors, would you? So dont
>> expect too enthusiastic response when you propose security measures
>> which involve lots of work (every single command has to be replicated to
>> all servers, keep that in mind!) but provide no immediate benefit.
>
> OpenNIC gets abused by spammers and botnets. I personally have had to
> withdraw a few T2 servers due heavy bandwidth used from what I assume to be
> botnets and spammers(trojans on PCs using my T2s).
>
> Operating a T2 by nature introduces this risk. It is easy to solve, don't
> run open resolvers. But this is what OpenNIC does...
>
> [...]
>
>>> That said, i worry that the project is completely open to attack, and
>>> that if we are used for anything critical, the first DDOS would bring us
>>> down, and it would be an embarrassing defeat.
>>
>> True, theres that. And then theres this:
>>
>> <SNIP>
>> #!/bin/bash
>>
>> function axfrall()
>> {
>> dig @${1} axfr geek
>> dig @${1} axfr neo
>> dig @${1} axfr fur
>> dig @${1} axfr ing
>> dig @${1} axfr micro
>> dig @${1} axfr bbs
>> dig @${1} axfr dyn
>> dig @${1} axfr gopher
>> dig @${1} axfr free
>> dig @${1} axfr geek
>> dig @${1} axfr indy
>> dig @${1} axfr null
>> }
>> TMPFILE=/tmp/onic$RANDOM
>> axfrall 84.200.228.200 | grep -o
>> '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq>
>> ${TMPFILE}
>> nmap -A -p 21,23,80,443 -iL ${TMPFILE} -oA opennic -vvv
>> <SNAP>
>
> Looks embarrassing until you think about the people who offer T1s. They are
> sometimes run on shared infrastructure. I run a few of those above, and I
> can tell you I have 80 and 443 open as it is a dual purpose host at this
> point in time. Not ideal in the perfect world, but this is not.
>
> In my perfect world OpenNIC would run anycast + keepalived DNS farms. Sadly
> this is not an option for OpenNIC at this time. It'd require alot off
> things to occur, mainly funding for the kit...
>
>>> 1) What is the standard operating procedure for protecting name servers
>>> against DOS attacks?
>>
>> Query rate limiting.
>
> One of our members Jeff wrote a ddos detection script[0] which he built
> after many months of research. It detects attacks methods he has seen
> before and blocks the IP for a certain amount of time depending on the
> hits. You should have a basic understanding of perl and iptables before
> trying to play with this script.
>
> [...]
>
>>> 5) What might be some novel techniques to protect name servers from
>>> taking the full blow of sudden surges in user demand?
>>
>> Shut the overloaded nameserves off. This would be a very radical and new
>> approach, though I dont recommend it ;-) See my answer to your point 3)
>> for a useful hint.
>
> I've had too. Now the IP is fucked forever. Just like being in the NTP
> pool...
>
> [...]
>
> --julian
>
> 0 - http://wiki.opennic.glue/ddosDotPl
>
>
> --------
> You are a member of the OpenNIC Discuss list. You may unsubscribe by
> emailing discuss-unsubscribe AT lists.opennicproject.org
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, (continued)
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Alex, 05/03/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Brian Koontz, 05/03/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Alex, 05/03/2012
- [opennic-discuss] OpenNIC Security Management, josen, 05/05/2012
- Re: [opennic-discuss] Security Management, Falk Husemann, 05/05/2012
- Re: [opennic-discuss] Security Management, Jeff Taylor, 05/05/2012
- Re: [opennic-discuss] Security Management, Tully Gray, 05/06/2012
- Re: [opennic-discuss] Security Management, Brian Koontz, 05/06/2012
- Re: [opennic-discuss] Security Management, Tully Gray, 05/07/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Daniel L, 05/02/2012
- Re: Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, webmaster, 05/02/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Alex Hanselka, 05/02/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Alex, 05/02/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Brian Koontz, 05/03/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Falk Husemann, 05/02/2012
- [opennic-discuss] question, Daniel L, 05/02/2012
- Re: [opennic-discuss] question, Alex Hanselka, 05/02/2012
- Re: [opennic-discuss] question, Alex, 05/02/2012
- Re: [opennic-discuss] question, Alex Hanselka, 05/02/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Alex, 05/02/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Julian DeMarchi, 05/02/2012
- [opennic-discuss] question, Daniel L, 05/02/2012
Archive powered by MHonArc 2.6.19.