Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia


  • From: Falk Husemann <josen AT paketsequenz.de>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia
  • Date: Wed, 02 May 2012 14:38:41 +0200

Hi Julian,

On 02.05.2012 12:00, Julian De Marchi wrote:

> OpenNIC gets abused by spammers and botnets. I personally have had to
> withdraw a few T2 servers due to heavy bandwidth used from what I assume to
> be botnets and spammers (trojans on PCs using my T2s).

Can you elaborate on how much traffic in what timeframe, what you did to
stop those idiots and which of the measures you took had what effect?
What kind of abuse did you see?

This would be very valuable information to have when thinking about one's
own countermeasures.

> Operating a T2 by nature introduces this risk. It is easy to solve,
> don't run open resolvers. But this is what OpenNIC does...

This is part of my motivation, so if someone has a botnet at hand, DoS
me! I'm learning network security and would like to have a reason to
think about these problems (so better don't get me started :P)


> Looks embarrassing until you think about the people who offer T1s. They
> are sometimes run on shared infrastructure. I run a few of those above,
> and I can tell you I have 80 and 443 open as it is a dual purpose host
> at this point in time. Not ideal in the perfect world, but this is not.

More embarrassing is that there are people running with telnet open to
the world.

> In my perfect world OpenNIC would run anycast + keepalived DNS farms.
> Sadly this is not an option for OpenNIC at this time. It'd require a lot
> of things to occur, mainly funding for the kit...

Yeah, that's exactly what I wanted to tell Alex. In this non-commercial
crowd-sourcing situation, you can't scale vertically AFAIK, because the
cost of scaling would lie on one person's neck. But on the other side,
who knows?

- Two Dell PowerEdge Servers ~900 Euros
- Housing in a Datacenter monthly ~150 Euros
- Getting an ASN, PI-Space and DDoS protected Transit monthly ~225 Euros
- The look in the face of all OpenNIC members when they realise you're
  THE man: priceless.
(- The look in the face of all OpenNIC members when they realise you've
  saved on backups: PRICE-LESS)

;-)

You also can't introduce complex security infrastructure, because there
is no homogeneous skill base or enforcement mechanism.

You cannot even audit the whole OpenNIC project, because this would
require allowance from all participating server operators, which IMHO is
also not going to happen.

The only real chance to withstand massive attacks against OpenNIC as a
whole, in my opinion, is to scale frantically.


> One of our members Jeff wrote a ddos detection script[0] which he built
> after many months of research. It detects attacks methods he has seen
> before and blocks the IP for a certain amount of time depending on the
> hits. You should have a basic understanding of perl and iptables before
> trying to play with this script.

It looks like a great tool, I'm in the process of reading it. Maybe
I'll write short install instructions or send a patch.

Greets,
Falk
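The kind of per-client rate check the thread describes (flag a source that hammers an open resolver, block it for a time that grows with the number of hits), as an added illustration written for this archive page; it is not Jeff's Perl script or any OpenNIC code. The log lines are constructed, the BIND-style line format and the thresholds are assumptions.

```python
"""Added example: rate-based detection of abusive resolver clients from
constructed BIND-style query log lines, with a block duration that grows
with the hit count. Not the script discussed in the thread."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of BIND 9 "queries" log lines (format assumed).
SAMPLE_LOG = """\
02-May-2012 14:30:00.001 client 198.51.100.7#53211: query: isc.org IN ANY +E
02-May-2012 14:30:00.002 client 198.51.100.7#53212: query: isc.org IN ANY +E
02-May-2012 14:30:00.003 client 203.0.113.9#40001: query: opennic.glue IN A +
02-May-2012 14:30:00.004 client 198.51.100.7#53213: query: isc.org IN ANY +E
02-May-2012 14:30:05.000 client 198.51.100.7#53214: query: isc.org IN ANY +E
02-May-2012 14:30:06.000 client 198.51.100.7#53215: query: isc.org IN ANY +E
02-May-2012 14:31:10.000 client 203.0.113.9#40002: query: example.com IN AAAA +
"""
LINE_RE = re.compile(r"^(\S+ \S+) client (\S+?)#\d+: query: (\S+) IN (\S+)")


def parse(lines):
    """Yield (timestamp, client_ip, qname, qtype) for every parseable line."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m.group(2), m.group(3), m.group(4)


def detect(lines, window=timedelta(seconds=60), threshold=3, base_block=300):
    """Return {ip: (hits, block_seconds)} for clients that exceed `threshold`
    queries inside a sliding `window`. Each further over-threshold query is
    one more hit, and the block time doubles per hit (an assumed policy that
    mirrors 'depending on the hits' from the thread)."""
    seen = defaultdict(list)
    offenders = {}
    for ts, ip, _qname, _qtype in parse(lines):
        times = seen[ip]
        times.append(ts)
        # Forget queries that have fallen out of the window.
        seen[ip] = times = [t for t in times if ts - t <= window]
        if len(times) > threshold:
            hits = offenders.get(ip, (0, 0))[0] + 1
            offenders[ip] = (hits, base_block * 2 ** (hits - 1))
    return offenders
```

The returned dict is what a wrapper would feed to iptables (or a resolver ACL) with an expiry; the sample flags 198.51.100.7 twice and leaves the slow client alone.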