discuss AT lists.opennicproject.org
Subject: Discuss mailing list
- From: Alex <coyo AT darkdna.net>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia
- Date: Wed, 02 May 2012 20:25:34 -0500
- Openpgp: id=C34ED745
On 5/2/2012 8:22 PM, opennic AT lewman.us wrote:
> On Wed, 02 May 2012 00:22:39 -0500
> Alex <coyo AT darkdna.net> wrote:
>
>> Out of sheer curiosity, and a desire to protect my friend, Alex
>> Hanselka's pet project, I wanted to ask you all what all can be done
>> to mitigate the threat of attacks such as concerted DDOS attacks
>> against specific name servers, such as the IP address of the single
>> authoritative root name server of OpenNIC.
> Step 1. Do not have a single IP address with a single authoritative
> root name server of OpenNIC.
>
>> What attack countermeasures are possible, to mitigate attack, other
>> than the obvious anti-cracking things like making sure you have a
>> strong password, etc?
> Basically, since opennic is recreating the same environment as the
> current solitary root name servers, do what they do.
>
> Work with the ISP to do BGP routing changes to nullroute DDoS attacks
> when they occur. Implement anycast for root name servers.
>
>> 7) Is there such a thing as name server software that allows for
>> DNSSEC and DANE that makes it easy to rotate certificates?
> Not yet. In fact, DNSSEC/DANE will increase the DoS attack surface. A
> single client can flood requests requiring crypto ops to be performed by
> the authoritative server, thereby overwhelming the CPU or dedicated
> crypto hardware.
>
Is there a way to offload or separately handle DNSSEC/DANE on a separate
farm of servers?
Maybe even if DNSSEC/DANE is out for the count, you could still resolve
the A records?