
Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia


  • From: Alex <coyo AT darkdna.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia
  • Date: Wed, 02 May 2012 17:16:39 -0500
  • Openpgp: id=C34ED745

On 5/2/2012 7:38 AM, Falk Husemann wrote:
> Hi Julian,
>
> Am 02.05.2012 12:00, schrieb Julian De Marchi:
>
> > OpenNIC gets abused by spammers and botnets. I personally have had to
> > withdraw a few T2 servers due to heavy bandwidth used from what I assume to
> > be botnets and spammers (trojans on PCs using my T2s).
>
> Can you elaborate on how much traffic in what timeframe, what you did to
> stop those idiots and which of the measures you took had what effect?
> What kind of abuse did you see?
>
> This would be very valuable information to have when thinking about one's own
> countermeasures.
>
> > Operating a T2 by nature introduces this risk. It is easy to solve,
> > don't run open resolvers. But this is what OpenNIC does...
>
> This is part of my motivation, so if someone has a botnet at hand, DoS
> me! I'm learning network security and would like to have a reason to
> think about these problems (so better don't get me started :P)
>
>
> > Looks embarrassing until you think about the people who offer T1s. They
> > are sometimes run on shared infrastructure. I run a few of those above,
> > and I can tell you I have 80 and 443 open as it is a dual purpose host
> > at this point in time. Not ideal in the perfect world, but this is not.
>
> More embarrassing is that there are people running with telnet open to
> the world.
>

Open telnet?? What are they thinking??

> > In my perfect world OpenNIC would run anycast + keepalived DNS farms.
> > Sadly this is not an option for OpenNIC at this time. It'd require a lot
> > of things to occur, mainly funding for the kit...
>
> Yeah, that's exactly what I wanted to tell Alex. In this non-commercial
> crowd sourcing situation, you can't scale vertically AFAIK, because the
> cost of scaling would lie on one person's neck. But on the other side,
> who knows?
>
> - Two Dell PowerEdge Servers ~900 Euros
> - Housing in a Datacenter monthly ~150 Euros
> - Getting an ASN, PI-Space and DDoS protected Transit monthly ~225 Euros
> - The look in the face of all OpenNIC members when they realise you're
> THE man: priceless.
> (- The look in the face of all OpenNIC members when they realise you've
> saved on backups: PRICE-LESS)
>

HAHAHAHA!

> ;-)
>
> You also can't introduce complex security infrastructure, because there
> is no homogeneous skill base or enforcement mechanism.
>
> You cannot even audit the whole OpenNIC project, because this would
> require allowance from all participating server operators, which IMHO is
> also not going to happen.
>
> The only real chance to withstand massive attacks against OpenNIC as a
> whole, in my opinion, is to scale frantically.
>

Hmm. Decisions, decisions...

>
> > One of our members Jeff wrote a ddos detection script[0] which he built
> > after many months of research. It detects attack methods he has seen
> > before and blocks the IP for a certain amount of time depending on the
> > hits. You should have a basic understanding of perl and iptables before
> > trying to play with this script.
>
> It looks like a great tool, I'm in the process of reading it. Maybe
> I'll write short install instructions or send a patch.
>
> Greets,
> Falk

Attachment: 0xC34ED745.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
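Editor's added illustration of the idea behind the per-IP blocking described in the thread (count hits per source, block for a duration that depends on the hits). This is not Jeff's perl script and not OpenNIC code; the BIND-style query-log format, the window, the threshold and the block-length formula are all assumptions, and the sample log lines are constructed. The iptables rules are rendered as text, not executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input in BIND9 query-log style (an assumption about the
# format; the thread does not say what Jeff's script parses).
SAMPLE_LOG = """\
02-May-2012 17:10:00.000 client 203.0.113.9#40001: query: example.org IN A +E
02-May-2012 17:10:01.001 client 192.0.2.10#5353: query: isc.org IN ANY +E
02-May-2012 17:10:01.500 client 192.0.2.10#5353: query: isc.org IN ANY +E
02-May-2012 17:10:02.010 client 192.0.2.10#5353: query: isc.org IN ANY +E
02-May-2012 17:10:02.400 client 192.0.2.10#5353: query: isc.org IN ANY +E
02-May-2012 17:10:03.700 client 192.0.2.10#5353: query: isc.org IN ANY +E
02-May-2012 17:10:04.000 client 203.0.113.9#40002: query: example.org IN MX +E
02-May-2012 17:10:04.200 client 192.0.2.10#5353: query: isc.org IN ANY +E
02-May-2012 17:10:08.000 client 203.0.113.9#40003: query: example.org IN AAAA +E
02-May-2012 17:10:12.000 client 203.0.113.9#40004: query: example.org IN TXT +E
"""

LINE_RE = re.compile(r"^(\S+ \S+) client ([0-9a-f.:]+)#\d+: query: \S+ IN (\S+)", re.I)
WINDOW = timedelta(seconds=10)   # sliding window length (assumed value)
THRESHOLD = 4                    # queries per window treated as abusive (assumed value)

def parse(text):
    """Yield (timestamp, source_ip, qtype) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f"), m.group(2), m.group(3)

def detect(text, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: peak_hits} for sources exceeding `threshold` queries in any window."""
    recent = defaultdict(deque)
    offenders = {}
    for ts, ip, _ in parse(text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop queries that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders

def block_seconds(hits, threshold=THRESHOLD, base=60, cap=3600):
    """Block length grows with the excess over the threshold, capped so no ban is permanent."""
    return min(cap, base * (1 + hits - threshold))

def iptables_rules(offenders):
    """Render the drop rules as text; a real deployment would also schedule their removal."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 53 -j DROP  # for {block_seconds(h)}s"
            for ip, h in sorted(offenders.items())]
```

On the constructed sample, 192.0.2.10 sends six ANY queries inside one window and is flagged for a 180-second block, while 203.0.113.9 stays under the threshold because its queries are spread over more than ten seconds.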
