discuss AT lists.opennicproject.org
Subject: Discuss mailing list
List archive
- From: Julian DeMarchi <julian AT jdcomputers.com.au>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia
- Date: Thu, 03 May 2012 08:35:31 +1000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/02/2012 10:38 PM, Falk Husemann wrote:
> Hi Julian,
Heya--
> Am 02.05.2012 12:00, schrieb Julian De Marchi:
>
>> OpenNIC gets abused by spammers and botnets. I personally have
>> had to withdraw a few T2 servers due heavy bandwidth used from
>> what I assume to be botnets and spammers(trojans on PCs using my
>> T2s).
>
> Can you elaborate on how much traffic in what timeframe, what you
> did to stop those idiots and which of the measures you took had
> what effect? What kind of Abuse did you see?
Attached to this email will be a sample log for what I see. I could do
nothing to stop the attacks. Even blocking with iptables, traffic
still hit my pipe which resulted in bandwidth charges....
If I owned the network kit, I could block at the edge, but this is on
a VPS. The only way to stop it for me was to shut bind down.
In one month of operating in this state, I used 50GB of DNS bandwidth.
This is alot!
> This would be very valuable information to have, when thinking
> about own countermeasures.
It's a very hard problem to solve unfortunately, I wish you the best
of luck. :)
>> Operating a T2 by nature introduces this risk. It is easy to
>> solve, don't run open resolvers. But this is what OpenNIC
>> does...
>
> This is part of my motivation, so if someone has a botnet at hand,
> DoS me! I'm learning in network security and would like to have a
> reason to think about this problems (so better dont get me started
> :P)
Run a T2 for awhile, and you'll soon notice the increase of traffic,
then soon the botnets and spammers.
[...]
>> In my perfect world OpenNIC would run anycast + keepalived DNS
>> farms. Sadly this is not an option for OpenNIC at this time. It'd
>> require alot off things to occur, mainly funding for the kit...
>
> Yeah, thats exactly what I wanted to tell Alex. In this
> non-commerical crowd sourcing situation, you cant scale vertically
> AFAIK, because the cost of scaling would lie on one persons neck.
> But on the other side, who knows?
Vertically is useless(in most situations). You're throwing CPU power
to solve a technical problem..... With DNS this does not work.
Horizontally is the only way forward.
[...]
- --julian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iD8DBQFPobazfM8nSo1lmBQRAg7FAKDA/Kx3KjLgt/NjewU3pyqWC/lshACg2s6R
icRo5lmtcu0358G+2Y6350M=
=UEuJ
-----END PGP SIGNATURE-----
02-May-2012 22:26:30.757 client 14.200.132.108#60260: query:
www.gamegecko.com IN A +
02-May-2012 22:26:30.758 client 180.241.147.188#3072: query:
a.root-servers.net IN A +
02-May-2012 22:26:30.847 client 122.136.118.193#1075: query:
www.microsoft.com IN A +
02-May-2012 22:26:31.093 client 78.42.94.190#57891: query:
ping3.teamviewer.com IN A +
02-May-2012 22:26:31.278 client 194.166.106.45#52278: query:
ocsp.usertrust.com IN A +
02-May-2012 22:26:31.649 client 194.166.106.45#59636: query:
testpilot.mozillalabs.com IN A +
02-May-2012 22:26:31.762 client 180.241.147.188#3072: query:
a.root-servers.net IN A +
02-May-2012 22:26:31.767 client 122.136.118.193#1075: query:
www.microsoft.com IN A +
02-May-2012 22:26:31.839 client 14.200.132.108#57610: query:
www.theaerodrome.com IN A +
02-May-2012 22:26:31.891 client 194.166.106.45#62830: query: www.mozilla.org
IN A +
02-May-2012 22:26:32.038 client 194.166.106.45#59759: query:
ocsp.comodoca.com IN A +
02-May-2012 22:26:32.267 client 14.200.132.108#53919: query:
danmanhnuocgiau.multiply.com IN A +
02-May-2012 22:26:32.285 client 122.136.118.193#1075: query:
www.microsoft.com IN A +
02-May-2012 22:26:32.486 client 202.158.222.130#64602: query:
crl.microsoft.com IN A +
02-May-2012 22:26:32.512 client 194.166.106.45#58065: query:
evssl-ocsp.geotrust.com IN A +
02-May-2012 22:26:32.766 client 180.241.147.188#3072: query:
a.root-servers.net IN A +
02-May-2012 22:26:32.842 client 72.240.140.58#4613: query:
lvvuagyf.yjxjgvh.com IN A +
02-May-2012 22:26:33.093 client 14.200.132.108#52228: query:
truthaboutshugden.wordpress.com IN A +
02-May-2012 22:26:33.485 client 202.158.222.130#64388: query: g.ceipmsn.com
IN A +
02-May-2012 22:26:33.637 client 194.166.106.45#53191: query:
evsecure-ocsp.geotrust.com IN A +
02-May-2012 22:26:33.784 client 14.200.132.108#64073: query: azars.org IN A +
02-May-2012 22:26:33.832 client 68.96.214.10#64700: query:
qrthvrx.bhqelko.com IN A +
02-May-2012 22:26:33.981 client 188.221.95.215#61427: query:
sftjelxjisp.tqsppmvif.com IN A +
02-May-2012 22:26:34.109 client 124.195.201.131#1242: query:
nrkhjaarctb.gerpomgc.com IN A +
02-May-2012 22:26:34.624 client 76.17.68.118#55306: query:
ecdyebkofl.uwkhus.com IN A +
02-May-2012 22:26:34.701 client 14.200.132.108#56392: query:
www.fokusleben.at IN A +
02-May-2012 22:26:34.899 client 62.169.64.129#30235: query: ns2.geek.id.au IN
A -EDC
02-May-2012 22:26:34.906 client 62.169.64.129#35415: query: ns1.geek.id.au IN
A -EDC
02-May-2012 22:26:35.094 client 78.42.94.190#58291: query:
ping3.teamviewer.com IN A +
02-May-2012 22:26:35.188 client 14.200.132.108#56402: query: www.imdb.com IN
A +
02-May-2012 22:26:35.362 client 62.169.64.130#20080: query:
www.opennicproject.org IN A -ED
02-May-2012 22:26:35.590 client 67.241.251.150#57971: query:
iaebcnsqpjn.twhhhnfwj.com IN A +
02-May-2012 22:26:36.486 client 202.158.222.130#62282: query:
crl.microsoft.com IN A +
Attachment:
dnslog.sig
Description: Binary data
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, (continued)
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Daniel L, 05/02/2012
- Re: Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, webmaster, 05/02/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Alex Hanselka, 05/02/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Alex, 05/02/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Brian Koontz, 05/03/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Falk Husemann, 05/02/2012
- [opennic-discuss] question, Daniel L, 05/02/2012
- Re: [opennic-discuss] question, Alex Hanselka, 05/02/2012
- Re: [opennic-discuss] question, Alex, 05/02/2012
- Re: [opennic-discuss] question, Alex Hanselka, 05/02/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Alex, 05/02/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Julian DeMarchi, 05/02/2012
- [opennic-discuss] question, Daniel L, 05/02/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Alex, 05/02/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Alex, 05/02/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, opennic, 05/02/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Alex, 05/02/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Jeff Taylor, 05/04/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Niels Dettenbach (Syndicat IT&Internet), 05/03/2012
- Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia, Daniel L, 05/02/2012
Archive powered by MHonArc 2.6.19.