
Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia


  • From: Julian DeMarchi <julian AT jdcomputers.com.au>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia
  • Date: Thu, 03 May 2012 08:35:31 +1000

On 05/02/2012 10:38 PM, Falk Husemann wrote:
> Hi Julian,

Heya--

> On 02.05.2012 12:00, Julian De Marchi wrote:
>
>> OpenNIC gets abused by spammers and botnets. I personally have
>> had to withdraw a few T2 servers due to heavy bandwidth used from
>> what I assume to be botnets and spammers (trojans on PCs using my
>> T2s).
>
> Can you elaborate on how much traffic in what timeframe, what you
> did to stop those idiots and which of the measures you took had
> what effect? What kind of Abuse did you see?

Attached to this email will be a sample log for what I see. I could do
nothing to stop the attacks. Even when blocking with iptables, traffic
still hit my pipe, which resulted in bandwidth charges...

If I owned the network kit, I could block at the edge, but this is on
a VPS. The only way to stop it for me was to shut bind down.

In one month of operating in this state, I used 50GB of DNS bandwidth.
This is a lot!

> This would be very valuable information to have, when thinking
> about own countermeasures.

It's a very hard problem to solve unfortunately, I wish you the best
of luck. :)

>> Operating a T2 by nature introduces this risk. It is easy to
>> solve, don't run open resolvers. But this is what OpenNIC
>> does...
>
> This is part of my motivation, so if someone has a botnet at hand,
> DoS me! I'm learning network security and would like to have a
> reason to think about these problems (so better don't get me started
> :P)

Run a T2 for a while, and you'll soon notice the increase in traffic,
then soon the botnets and spammers.

[...]

>> In my perfect world OpenNIC would run anycast + keepalived DNS
>> farms. Sadly this is not an option for OpenNIC at this time. It'd
>> require a lot of things to occur, mainly funding for the kit...
>
> Yeah, that's exactly what I wanted to tell Alex. In this
> non-commercial crowd-sourcing situation, you can't scale vertically
> AFAIK, because the cost of scaling would lie on one person's neck.
> But on the other side, who knows?

Vertically is useless (in most situations). You're throwing CPU power
to solve a technical problem... With DNS this does not work.
Horizontally is the only way forward.

[...]

--julian
02-May-2012 22:26:30.757 client 14.200.132.108#60260: query: www.gamegecko.com IN A +
02-May-2012 22:26:30.758 client 180.241.147.188#3072: query: a.root-servers.net IN A +
02-May-2012 22:26:30.847 client 122.136.118.193#1075: query: www.microsoft.com IN A +
02-May-2012 22:26:31.093 client 78.42.94.190#57891: query: ping3.teamviewer.com IN A +
02-May-2012 22:26:31.278 client 194.166.106.45#52278: query: ocsp.usertrust.com IN A +
02-May-2012 22:26:31.649 client 194.166.106.45#59636: query: testpilot.mozillalabs.com IN A +
02-May-2012 22:26:31.762 client 180.241.147.188#3072: query: a.root-servers.net IN A +
02-May-2012 22:26:31.767 client 122.136.118.193#1075: query: www.microsoft.com IN A +
02-May-2012 22:26:31.839 client 14.200.132.108#57610: query: www.theaerodrome.com IN A +
02-May-2012 22:26:31.891 client 194.166.106.45#62830: query: www.mozilla.org IN A +
02-May-2012 22:26:32.038 client 194.166.106.45#59759: query: ocsp.comodoca.com IN A +
02-May-2012 22:26:32.267 client 14.200.132.108#53919: query: danmanhnuocgiau.multiply.com IN A +
02-May-2012 22:26:32.285 client 122.136.118.193#1075: query: www.microsoft.com IN A +
02-May-2012 22:26:32.486 client 202.158.222.130#64602: query: crl.microsoft.com IN A +
02-May-2012 22:26:32.512 client 194.166.106.45#58065: query: evssl-ocsp.geotrust.com IN A +
02-May-2012 22:26:32.766 client 180.241.147.188#3072: query: a.root-servers.net IN A +
02-May-2012 22:26:32.842 client 72.240.140.58#4613: query: lvvuagyf.yjxjgvh.com IN A +
02-May-2012 22:26:33.093 client 14.200.132.108#52228: query: truthaboutshugden.wordpress.com IN A +
02-May-2012 22:26:33.485 client 202.158.222.130#64388: query: g.ceipmsn.com IN A +
02-May-2012 22:26:33.637 client 194.166.106.45#53191: query: evsecure-ocsp.geotrust.com IN A +
02-May-2012 22:26:33.784 client 14.200.132.108#64073: query: azars.org IN A +
02-May-2012 22:26:33.832 client 68.96.214.10#64700: query: qrthvrx.bhqelko.com IN A +
02-May-2012 22:26:33.981 client 188.221.95.215#61427: query: sftjelxjisp.tqsppmvif.com IN A +
02-May-2012 22:26:34.109 client 124.195.201.131#1242: query: nrkhjaarctb.gerpomgc.com IN A +
02-May-2012 22:26:34.624 client 76.17.68.118#55306: query: ecdyebkofl.uwkhus.com IN A +
02-May-2012 22:26:34.701 client 14.200.132.108#56392: query: www.fokusleben.at IN A +
02-May-2012 22:26:34.899 client 62.169.64.129#30235: query: ns2.geek.id.au IN A -EDC
02-May-2012 22:26:34.906 client 62.169.64.129#35415: query: ns1.geek.id.au IN A -EDC
02-May-2012 22:26:35.094 client 78.42.94.190#58291: query: ping3.teamviewer.com IN A +
02-May-2012 22:26:35.188 client 14.200.132.108#56402: query: www.imdb.com IN A +
02-May-2012 22:26:35.362 client 62.169.64.130#20080: query: www.opennicproject.org IN A -ED
02-May-2012 22:26:35.590 client 67.241.251.150#57971: query: iaebcnsqpjn.twhhhnfwj.com IN A +
02-May-2012 22:26:36.486 client 202.158.222.130#62282: query: crl.microsoft.com IN A +

Attachment: dnslog.sig
Description: Binary data
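A way to triage the attached query log from the operator's side, added here as an example and not code from the thread or from OpenNIC: it parses the BIND 9 query-log format shown above, counts queries carrying the recursion-desired flag (+), flags hostnames whose labels look machine-generated in the style of lvvuagyf.yjxjgvh.com, and lists clients re-sending the same query from one fixed source port, as 180.241.147.188 does once a second. The SAMPLE_LOG lines are constructed copies of a few entries from the attachment; the vowel-ratio heuristic and the thresholds are assumptions.

```python
# Added example, not code from the thread: triage helpers for the BIND 9
# query-log format in the attached sample. SAMPLE_LOG holds constructed copies
# of a few of its entries; the thresholds below are assumptions.
import re
from collections import Counter

# One query-log entry per line: timestamp, client ip#port, qname, class, type, flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)$"
)
SAMPLE_LOG = """\
02-May-2012 22:26:30.757 client 14.200.132.108#60260: query: www.gamegecko.com IN A +
02-May-2012 22:26:30.758 client 180.241.147.188#3072: query: a.root-servers.net IN A +
02-May-2012 22:26:31.762 client 180.241.147.188#3072: query: a.root-servers.net IN A +
02-May-2012 22:26:32.766 client 180.241.147.188#3072: query: a.root-servers.net IN A +
02-May-2012 22:26:32.842 client 72.240.140.58#4613: query: lvvuagyf.yjxjgvh.com IN A +
02-May-2012 22:26:33.832 client 68.96.214.10#64700: query: qrthvrx.bhqelko.com IN A +
02-May-2012 22:26:35.362 client 62.169.64.130#20080: query: www.opennicproject.org IN A -ED
"""

def parse_log(text):
    """Parse query-log text into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def looks_random(name, min_len=6, max_vowel_ratio=0.2):
    """A label of min_len+ letters with almost no vowels is unlike a human-chosen
    hostname (the sample's lvvuagyf.yjxjgvh.com-style names); y is not counted."""
    for label in name.lower().split("."):
        letters = [c for c in label if c.isalpha()]
        if letters and len(letters) >= min_len:
            if sum(c in "aeiou" for c in letters) / len(letters) <= max_vowel_ratio:
                return True
    return False

def fixed_port_repeaters(entries, threshold=3):
    """Same client, same source port, same qname repeated: a real resolver would
    randomise its port and cache the answer, so this looks like a loop or script."""
    counts = Counter((e["ip"], e["port"], e["name"]) for e in entries)
    return {k: n for k, n in counts.items() if n >= threshold}

def triage(text):
    """What an operator wants at a glance: volume, RD-set share, odd names, repeaters."""
    entries = parse_log(text)
    return {
        "queries": len(entries),
        "recursion_requested": sum(e["flags"].startswith("+") for e in entries),
        "random_looking": sorted({e["name"] for e in entries if looks_random(e["name"])}),
        "repeaters": fixed_port_repeaters(entries),
    }
```

Run triage() over a full day of the log and the repeaters and random-looking names give a short list of client addresses worth rate-limiting or reporting, without touching the ordinary OCSP, CRL and web lookups that make up the rest of the sample.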



