Discuss mailing list

[Alex Hanselka <alex AT opennicproject.org>]

I was looking at that while it was going on... and I just really didn't get it.  He wasn't good at explaining himself.  If he is here, please do let us know what you meant.

On 5/23/2013 12:37 PM, Guillaume Parent wrote:

Someone suggested limiting bandwidth, but I don't see how it could possibly help.

Does anybody understand what he's saying?

16:22:41 -!- wood_quinn [4ba21578@gateway/web/freenode/ip.75.162.21.120] has joined #opennic
16:23:05 -!- wood_quinn is now known as Guest54438
16:23:49 < Guest54438> Why don't resolver operators, to curb absusive queries (specifically amplification attacks) just limit bandwith used on their servers, period?
16:26:21 < WhoNeedszzz> because then the abusers win
16:26:40 < WhoNeedszzz> they would eat all of the available bandwidth
16:32:00 < Guest54438> Lol.
16:33:12 < Guest54438> That's like saying reducing the sale of unprescribed medication lets junkies win because normal everyday people don't get prescriptions for their controlled substances.
16:33:43 < Guest54438> I highly doubt normal users take up the bandwidth's I've seen reported by some of these attacks.
16:34:15 < Guest54438> If they did, the attacks probably wouldn't have been noticed by the resolver operators nearly as soon, if at all before complaints started rolling in.
16:42:03 < WhoNeedszzz> i think you're missing what i'm saying
16:42:20 < WhoNeedszzz> if you limit the bandwidth the malicious users will eat it up before the normal users can
16:49:42 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Quit: Leaving]
16:55:52 < Guest54438> I know you're missing what I'm saying. Normal users don't use that much bandwidth so more small resolvers is better than a few big oens.
16:56:21 < cyberanger> Guest54438: issue is, how do you block the abusers?
16:56:39 < Guest54438> That's a non-issue, if your abusers can't hurt anyone by abusing.
16:58:07 < cyberanger> it's an issue if you no longer have bandwidth left
16:58:52 < cyberanger> if your rule is use 50k a week, and an attacker burns that in a minute, do you block a spoofed packet (and how?) or everybody?
16:58:53 < Guest54438> It's not an issue if you run more than one small resolver instead of one large resolver.
16:58:57 < cyberanger> or reset the count
16:58:58 < Guest54438> Forget I mentioned it.
16:59:30 < cyberanger> there's a limit some devices have to setting resolvers, how often should somebody go in and change the ip's due to an attacker
16:59:56 < Guest54438> What?
17:01:34 < cyberanger> better put...
17:02:20 < cyberanger> windows you can set two dns resolvers, if an abuser targets every resolver down the list, hitting the limit, and it stops for everybody, what do I do, primary and backup resolvers are
                       down due to the limit, do I then plug in google public dns to look for a new opennic ip address
17:02:34 < cyberanger> or are you merely talking rate limiting on attacks
17:02:59 < cyberanger> if you shoot 500 packets a second, your abusing the service, and are blocked
17:03:28 < cyberanger> but since the other user hasn't, he can still query on those servers
17:05:16 < Guest54438> That has nothing to do with what I was talking about.
17:05:53 < Guest54438> If someone is going to add every publicly listed resolver to their configuration, the same problems exist for DDoS targets, sure.
17:06:15 < Guest54438> But not for resolvers (because no individual resolver sees 20MBps.)
17:06:51 < Guest54438> There's not much one can do to help DDoS targets, I was just wondering why that isn't done to help resolvers.
17:15:48 < gparent> Guest54438: Because it doesn't help.
17:16:00 < Guest54438> Finally, a good argument?
17:16:11 < gparent> If you can identify attackers, you can block the source IP, which takes as much effort and is more effective.
17:16:48 < gparent> Also I forgot to quote but I'm replying to "why do dns operators not throttle" from earlier
17:17:45 < Guest54438> Umm...
17:17:45 < Guest54438> Sure.
17:17:51 < Guest54438> If your attacker is a single person.
17:17:56 < Guest54438> Which they never are.
17:18:14 < gparent> So you block more than one IP
17:18:16 < gparent> What's the issue exactly
17:18:42 < Guest54438> If you have 20MBps available and you throttle each IP to X, yeah nothing gets solved. I'm not suggesting that.
17:19:13 < gparent> Sorry, then I'll need you to explain what you mean by "< Guest54438> Why don't resolver operators, to curb absusive queries (specifically amplification attacks) just limit bandwith used
                    on their servers, period?"
17:19:21 < Guest54438> I'm suggesting only have 4MBps available period, so attackers can't just pick an IP and start up their Windows batch script.
17:19:52 < Guest54438> And have that server run five IPs, five resolvers, or own five servers on the line.
17:19:55 < gparent> I still don't get how this helps anything.
17:20:16 < Guest54438> Obviously it wouldn't do anything if all five IPs are used by the attacker, but that's no different than all one IP being used by attackers now.
17:20:50 < gparent> Well the solution to have 5 IPs per server is obviously not realistic, but I have yet to see why it helps at all
17:21:01 < gparent> We already do rate limiting at query level, at least some of us
17:21:11 < gparent> Limiting total available pipe won't do anything but create more issues
17:21:18 < gparent> whether you do it per user or per server
17:21:27 < Guest54438> It wouldn't cause more issues.
17:21:36 < Guest54438> It would by definition, remove your provider bitching about your bandwith use.
17:21:52 < Guest54438> Which seems to be the main effect on the resolver end.
17:21:54 < gparent> It'd cause more issues in the sense that you'd create congestion for everyone
17:22:10 < Guest54438> You wouldn't create congestion for legitamite users.
17:22:24 < Guest54438> You scale to legitamite traffic.
17:22:37 < gparent> But to do that, you need to identify what's legitimate and what isn't
17:22:41 < gparent> At which point you can block the source IPs
17:22:46 < gparent> Making the rest irrelevant
17:22:48 < Guest54438> No you don't.
17:22:53 < gparent> Explain how.
17:22:57 < Guest54438> You just look at the damn traffic lol.
17:23:07 < gparent> I want you to explain how
17:23:10 < Guest54438> A DDoS ain't gonna generate a normal looking amount of traffic.
17:23:12 < Guest54438> That's how.
17:23:15 < Guest54438> Pretty simple.,
17:23:24 < gparent> No, it's not that simple.
17:23:36 < gparent> Just because I have 10mbps of traffic instead of 5 doesn't mean I'm getting DDoSed
17:23:38 < Guest54438> And if it is, it's not a DDoS you need to worry about, because it's not a problem.
17:23:57 < Guest54438> But if you have 20MBps instead of 1 you're probably getting DDoSed.
17:24:06 < gparent> Throttling to one won't help
17:24:15 < Guest54438> Whether or not you know how to make a scale isn't what makes it not simple.
17:24:15 < gparent> It will make the service worse for legitimate users and not hinder the attackers in anyway
17:24:17 < Guest54438> y'know, fuck it.
17:24:23 < Guest54438> You're just an idiot.
17:24:25 -!- Guest54438 [4ba21578@gateway/web/freenode/ip.75.162.21.120] has left #opennic []