
Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia


Chronological Thread 
  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia
  • Date: Fri, 04 May 2012 10:46:43 -0600

A lot of good points have already been discussed on this thread, I just
wanted to add my own bits...

Although NS0 appears to be a potential single point of failure, we
actually maintain offsite backups. If NS0 were taken down, OpenNIC's
DNS services would continue to function for at least a week. The zones
generated by NS0 can be updated by any of the T1 servers, so full
functionality could be restored within a matter of minutes.

In addition, all of the T1 servers (should) carry all of the TLD zones.
This provides maximum redundancy of all the important data. Each T2
server should list all of the T1 servers as zone masters, this way the
T2s can always access the most recent information regardless of problems
with any of the T1s. As mentioned in other replies, our T1 servers are
operated from a number of different operating systems and are spread
across the globe. It would be quite a feat to take down all of the T1
servers at the same time, and even then many of the T2 servers are
configured to continue operating independently.

With that said, there are still attacks. We can secure our servers to
proactively ward off attacks, but the method of attack will continue to
change, forcing us to work reactively in most situations. The DDoS
script that I wrote has gone through a lot of changes, but tries to
recognize botnets without affecting legitimate traffic. The latest Perl
version adds new methods of detection over longer periods of time.

An IP address I used to have listed for my public T2 has not answered
DNS queries in over 4 years... Despite this, I still get a huge amount
of traffic coming in. Ultimately I would like to expand my
DDoS-blocking script to share information between servers. Not only
could I create a list of IPs to block based on hits to my unused IP
address, but any T2 server that sees continued abusive traffic from a
source could share that info so that other T2s would automatically
block those sources. I think by globally sharing this type of
information between servers, we could put a huge dent in the amount of
abusive traffic that actually affects our service, and prevent a repeat
of what happened to Julian's servers.

A lot of your questions seem to focus on spreading the load between T2
servers. I have actually played with load-balancing software here,
trying to distribute queries out to external T2 servers. The problem I
found was that when the T2 servers reply directly back to the original
query, they do so with their own IP address attached. If you do lookups
with the dig command, it will warn you that the reply came from an
unexpected source IP. What we need to make this work is a method of
telling the T2 servers to reply using a given IP address in the packets,
rather than using their own IP address. Sorry if that isn't clear, but
essentially it comes down to having the T2 that answers a query also
spoof the IP of where the query was sent to. If this could be overcome,
then we could possibly do some load-balancing of the T2 services.

Hopefully that helps answer some of your questions?


On 05/01/2012 11:22 PM, Alex wrote:
> Out of sheer curiosity, and a desire to protect my friend, Alex
> Hanselka's pet project, I wanted to ask you all what all can be done to
> mitigate the threat of attacks such as concerted DDoS attacks against
> specific name servers, such as the IP address of the single
> authoritative root name server of OpenNIC.
>
> What attack countermeasures are possible, to mitigate attack, other than
> the obvious anti-cracking things like making sure you have a strong
> password, etc?
>
> Is it wise to protect root name servers behind a VPN, or do the root
> name servers HAVE to be publicly accessible?
>
> If the root name servers, and top-level domain name servers MUST be
> publicly addressable, do the authoritative name servers have to be
> publicly addressable, or can they hide behind name server proxies?
> (application-layer proxies, for example, such as specialized name
> servers which ONLY act to duplicate records, and are not actually
> responsible for them?)
>
> Maybe I'm betraying my lack of knowledge, maybe I'm ignorant, but if I
> don't ask, I won't learn, and I rather like OpenNIC, and think the project
> has a lot of potential.
>
> That said, I worry that the project is completely open to attack, and
> that if we are used for anything critical, the first DDoS would bring us
> down, and it would be an embarrassing defeat.
>
> So, to that end, I have a few more questions to pelt you guys with, if
> you don't mind...
>
> 1) What is the standard operating procedure for protecting name servers
> against DoS attacks?
>
> 2) How does one protect name servers from being targeted in the first
> place?
>
> 3) What can be done to protect servers from taking the full brunt of
> heavy loads?
>
> 4) What load balancing techniques are standard practice for name servers?
>
> 5) What might be some novel techniques to protect name servers from
> taking the full blow of sudden surges in user demand?
>
> 6) Are there any P2P name server protocols to help distribute the load
> and take the strain off authoritative TLD name servers?
>
> 7) Is there such a thing as name server software that allows for DNSSEC
> and DANE that makes it easy to rotate certificates?
>
> 8) Is there such a thing as name server software that is easy to
> configure, period?
>
> 9) Is there such a thing as name servers that serve as mirrors/proxies
> for authoritative servers, and do nothing else?
>
> 10) Is it possible to have 30 powerful name servers located on distinct
> networks all over the world sit behind a single IP address using a fast
> iptables/proxychains proxy?
>
> 11) Is it possible to have more than one name server delegation for a
> given domain name? (just want this verified, clarified)

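The DDoS-blocking approach Jeff describes above (rate detection over short and long windows, treating any hit on a retired address as abuse, and exporting a list the other T2s could consume) is easy to illustrate against query-log lines. The following is an added example written for this archive page, not Jeff Taylor's Perl script or anything from the OpenNIC project: it assumes BIND-style query-log lines, the thresholds passed to `AbuseDetector`, and a list of retired addresses; all IPs are from the documentation ranges and `make_log()` constructs the sample traffic.

```python
"""Rate-based detection of abusive DNS query sources, with a block list that
can be exported for sharing between servers.

Added example, not Jeff Taylor's Perl script. Assumes BIND-style query-log
lines, the thresholds below, and a list of 'retired' addresses that no longer
answer DNS; make_log() constructs the sample traffic (documentation ranges).
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# Assumed log format (BIND "querylog" style), e.g.
#   01-May-2012 23:41:02.117 client 203.0.113.7#4711: query: example.geek IN A + (198.51.100.2)
LINE_RE = re.compile(
    r"^(?P<day>\d{2})-(?P<mon>[A-Za-z]{3})-(?P<year>\d{4}) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.\d{3} client "
    r"(?P<src>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) \S+ \S+ \S+ "
    r"\((?P<dst>[0-9A-Fa-f.:]+)\)$"
)


def parse_line(line):
    """Return (epoch_seconds, src_ip, dst_ip, qname), or None for non-query lines."""
    m = LINE_RE.match(line.strip())
    if not m or m["mon"] not in MONTHS:
        return None
    ts = datetime(int(m["year"]), MONTHS.index(m["mon"]) + 1, int(m["day"]),
                  int(m["h"]), int(m["m"]), int(m["s"]), tzinfo=timezone.utc)
    return ts.timestamp(), m["src"], m["dst"], m["qname"]


class AbuseDetector:
    """Per-source sliding windows: a short one catches floods, a long one catches
    sources that stay just under the burst limit for an hour. Lines must be in
    time order per source, which a single server's own log is."""

    def __init__(self, retired_ips, burst=(10, 50), sustained=(3600, 1500)):
        self.retired_ips = set(retired_ips)
        self.windows = {"burst": burst, "sustained": sustained}   # name -> (seconds, max queries)
        self.seen = {name: defaultdict(deque) for name in self.windows}
        self.blocked = {}                                          # src_ip -> reason

    def feed(self, line):
        """Consume one log line; return the source IP if this line got it blocked."""
        rec = parse_line(line)
        if rec is None:
            return None
        t, src, dst, _qname = rec
        if src in self.blocked:
            return None
        if dst in self.retired_ips:            # nobody legitimate still asks a retired address
            self.blocked[src] = "query to retired address " + dst
            return src
        for name, (span, limit) in self.windows.items():
            q = self.seen[name][src]
            q.append(t)
            while q and t - q[0] > span:       # slide the window forward
                q.popleft()
            if len(q) > limit:
                self.blocked[src] = "%d queries in %ds (%s)" % (len(q), span, name)
                return src
        return None

    def export_blocklist(self, reporter):
        """JSON the other T2s could pull; 'reporter' names the server that saw the abuse."""
        entries = [{"ip": ip, "reason": why} for ip, why in sorted(self.blocked.items())]
        return json.dumps({"reporter": reporter, "entries": entries}, indent=1)


def fmt_line(t, src, dst, qname="opennic.glue"):
    """Format one constructed query-log line in the assumed format."""
    ts = datetime.fromtimestamp(t, tz=timezone.utc)
    stamp = "%02d-%s-%04d %02d:%02d:%02d.%03d" % (
        ts.day, MONTHS[ts.month - 1], ts.year, ts.hour, ts.minute, ts.second, ts.microsecond // 1000)
    return "%s client %s#%d: query: %s IN A + (%s)" % (stamp, src, 40000 + int(t) % 1000, qname, dst)


def make_log():
    """Constructed sample: an ordinary client, a flood bot, a slow abuser,
    a host querying a retired address, and one non-query line."""
    base = datetime(2012, 5, 1, 23, 0, tzinfo=timezone.utc).timestamp()
    server, retired = "198.51.100.2", "203.0.113.250"
    lines = [fmt_line(base + 30 * i, "203.0.113.7", server, "example.geek") for i in range(5)]
    lines += [fmt_line(base + 0.1 * i, "198.51.100.66", server) for i in range(60)]   # 60 queries in 6 s
    lines += [fmt_line(base + 2 * i, "192.0.2.9", server) for i in range(1600)]       # one every 2 s
    lines.append(fmt_line(base + 1, "192.0.2.200", retired))
    lines.append("01-May-2012 23:00:05.000 general: info: zone opennic.glue/IN: loaded serial 2012050101")
    return lines


def run(lines, retired_ips=("203.0.113.250",)):
    det = AbuseDetector(retired_ips)
    for line in lines:
        det.feed(line)
    return det


if __name__ == "__main__":
    print(run(make_log()).export_blocklist("t2.example.net"))
```

The two windows are the point: the flood bot trips the 10-second window, while the host sending one query every two seconds never does and is only caught by the hour-long window. Before acting on a list imported from another server, check that the reporter is one you trust and that its entries are not your own T1s or resolvers, since a blocked source must re-earn access by being quiet, not by retrying.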


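The load-balancing problem in Jeff's last paragraph (the backend T2 answers from its own address, so dig reports a reply from an unexpected source) has two usual answers: direct server return, where the backend spoofs the front end's address as the reply source, or a front end that relays the answer itself. The following is an added example of the second approach, written for this page and not code from OpenNIC or Jeff Taylor: a small UDP front end that picks a backend round-robin, rewrites the transaction ID per forwarded query, and sends the answer back to the client out of its own listening socket. The backend list, listen port, 3-second pending-query lifetime and `build_query()` helper are assumptions; TCP and EDNS are not handled.

```python
"""UDP DNS front end that spreads queries over several backends and relays
every answer from its own socket, so the reply's source address is the one
the client sent to.

Added example, not OpenNIC's or Jeff Taylor's code. Backend list, listen
port and the 3 s lifetime are assumptions; TCP and EDNS are not handled.
"""
import secrets
import selectors
import socket
import time


class QueryTable:
    """Maps each forwarded query to the client waiting for its answer.
    The transaction ID is rewritten per forwarded query so two clients using
    the same ID cannot be confused, and a reply is only accepted from the
    backend the query was actually sent to."""

    def __init__(self, backends, ttl=3.0):
        self.backends = list(backends)
        self.ttl = ttl
        self.turn = 0
        self.pending = {}   # (backend_addr, outgoing_id) -> (client_addr, original_id, deadline)

    @staticmethod
    def txid(packet):
        return packet[0] << 8 | packet[1]

    def route_query(self, packet, client, now=None):
        """Choose a backend round-robin; return (backend_addr, packet_to_send) or None."""
        if len(packet) < 12 or packet[2] & 0x80:          # too short, or QR bit set: not a query
            return None
        now = time.monotonic() if now is None else now
        backend = self.backends[self.turn % len(self.backends)]
        self.turn += 1
        oid = secrets.randbelow(0x10000)                   # unpredictable outgoing ID
        while (backend, oid) in self.pending:              # avoid an in-flight collision
            oid = (oid + 1) & 0xFFFF
        self.pending[(backend, oid)] = (client, packet[:2], now + self.ttl)
        return backend, bytes((oid >> 8, oid & 0xFF)) + packet[2:]

    def route_reply(self, packet, backend, now=None):
        """Return (client_addr, packet_with_original_id), or None to drop the reply."""
        if len(packet) < 12 or not packet[2] & 0x80:      # must look like a DNS reply
            return None
        now = time.monotonic() if now is None else now
        entry = self.pending.pop((backend, self.txid(packet)), None)
        if entry is None:                                   # unknown backend or ID: not ours
            return None
        client, original_id, deadline = entry
        if now > deadline:                                  # client has given up; stay quiet
            return None
        return client, original_id + packet[2:]

    def expire(self, now=None):
        """Drop entries whose client has stopped waiting; return how many were dropped."""
        now = time.monotonic() if now is None else now
        stale = [k for k, (_, _, d) in self.pending.items() if d < now]
        for k in stale:
            del self.pending[k]
        return len(stale)


def build_query(txid, name, qtype=1):
    """Minimal DNS query (one question, no flags) used to construct test traffic."""
    header = bytes((txid >> 8, txid & 0xFF)) + b"\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"".join(bytes((len(l),)) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return header + qname + bytes((0, qtype, 0, 1))


def serve(listen, backends):
    """Run the front end: queries in on `listen`, answers back out of the same socket."""
    front = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    front.bind(listen)
    back = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    back.bind(("0.0.0.0", 0))
    table = QueryTable(backends)
    sel = selectors.DefaultSelector()
    sel.register(front, selectors.EVENT_READ)
    sel.register(back, selectors.EVENT_READ)
    while True:
        for key, _ in sel.select(timeout=1.0):
            if key.fileobj is front:
                pkt, client = front.recvfrom(4096)
                routed = table.route_query(pkt, client)
                if routed:
                    back.sendto(routed[1], routed[0])
            else:
                pkt, backend = back.recvfrom(4096)
                routed = table.route_reply(pkt, backend)
                if routed:
                    front.sendto(routed[1], routed[0])   # leaves from the advertised address
        table.expire()


if __name__ == "__main__":
    # Assumed addresses: listen on port 5353, two backend T2s in a documentation range.
    serve(("0.0.0.0", 5353), [("192.0.2.1", 53), ("192.0.2.2", 53)])
```

Because the answer leaves `front`, the client sees the source it queried and dig stays quiet. The trade-off is that the front end now carries every packet in both directions and is itself the address an attacker would aim at, so it needs the same rate limiting as the T2s behind it; direct server return avoids the return-path cost but requires the backends to send with a source address that is not their own, which many networks filter.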