Discuss mailing list

[Alex Hanselka <alex AT opennicproject.org>]

Certainly! We are generally able to single out DDoSers but we will still be stuck with the inbound traffic.  On top of that, I don't see how we could split load across several servers.  We don't have any sort of anycast or a system for that.  It might work OK if it was say... my load balancing 5 servers in one datacenter I guess.  We aren't like Google or OpenDNS where we can withstand that or distribute load at this time.  Our users choose two (or three) IP addresses and put them in place and thats that.  Not to mention, DDoSers target *all* open resolvers.  Not just large ones or small ones.

There is a lot of negative attitudes towards open dns resolvers since the spamhaus thing and the bringing to light of amplification attacks.  This already puts us at a bit of a disadvantage as well. It sucks and there is no good way to deal with either problem! :)

On 5/23/2013 1:33 PM, Guillaume Parent wrote:

Actually in my case I can identify the source IPs fairly easily. I rarely find bots that mix and match their ANY queries with real ones. It's one of the other. That approach wouldn't scale for 500kr/m though.

On Thu, May 23, 2013 at 2:30 PM, Jamyn Shanley <jshanley AT gmail.com> wrote:

They're saying lots of little resolvers are better than a couple big ones, to distribute load. However, they seem to be operating under the delusion that botnet traffic is easily distinguished from real traffic, which is not always the case. Some clients are well written, and vary their useragent, headers, requests, and timing. He also seems to be unaware of how large botnets really are these days, and think you can just block by IP and move on. When you have 500,000+ bots attacking, and each one sends 1 request a minute (which is probably far below normal DNS traffic, for example), then you're still dealing with 500,000 requests/minute. And even if you DO manage to see a pattern somewhere in the requests, you're still dealing with 100% of the inbound traffic unless your host gets involved.

Guest54438 seems confused on the difference between the ability to detect a DDOS, and effectively mitigating it.

On Thu, May 23, 2013 at 12:37 PM, Guillaume Parent <gparent AT gparent.org> wrote:

Someone suggested limiting bandwidth, but I don't see how it could possibly help.

Does anybody understand what he's saying?

16:22:41 -!- wood_quinn [4ba21578@gateway/web/freenode/ip.75.162.21.120] has joined #opennic
16:23:05 -!- wood_quinn is now known as Guest54438
16:23:49 < Guest54438> Why don't resolver operators, to curb absusive queries (specifically amplification attacks) just limit bandwith used on their servers, period?
16:26:21 < WhoNeedszzz> because then the abusers win
16:26:40 < WhoNeedszzz> they would eat all of the available bandwidth
16:32:00 < Guest54438> Lol.
16:33:12 < Guest54438> That's like saying reducing the sale of unprescribed medication lets junkies win because normal everyday people don't get prescriptions for their controlled substances.
16:33:43 < Guest54438> I highly doubt normal users take up the bandwidth's I've seen reported by some of these attacks.
16:34:15 < Guest54438> If they did, the attacks probably wouldn't have been noticed by the resolver operators nearly as soon, if at all before complaints started rolling in.
16:42:03 < WhoNeedszzz> i think you're missing what i'm saying
16:42:20 < WhoNeedszzz> if you limit the bandwidth the malicious users will eat it up before the normal users can
16:49:42 -!- WhoNeedszzz [~WhoNeedsz@opennic/WNz] has quit [Quit: Leaving]
16:55:52 < Guest54438> I know you're missing what I'm saying. Normal users don't use that much bandwidth so more small resolvers is better than a few big oens.
16:56:21 < cyberanger> Guest54438: issue is, how do you block the abusers?
16:56:39 < Guest54438> That's a non-issue, if your abusers can't hurt anyone by abusing.
16:58:07 < cyberanger> it's an issue if you no longer have bandwidth left
16:58:52 < cyberanger> if your rule is use 50k a week, and an attacker burns that in a minute, do you block a spoofed packet (and how?) or everybody?
16:58:53 < Guest54438> It's not an issue if you run more than one small resolver instead of one large resolver.
16:58:57 < cyberanger> or reset the count
16:58:58 < Guest54438> Forget I mentioned it.
16:59:30 < cyberanger> there's a limit some devices have to setting resolvers, how often should somebody go in and change the ip's due to an attacker
16:59:56 < Guest54438> What?
17:01:34 < cyberanger> better put...
17:02:20 < cyberanger> windows you can set two dns resolvers, if an abuser targets every resolver down the list, hitting the limit, and it stops for everybody, what do I do, primary and backup resolvers are
                       down due to the limit, do I then plug in google public dns to look for a new opennic ip address
17:02:34 < cyberanger> or are you merely talking rate limiting on attacks
17:02:59 < cyberanger> if you shoot 500 packets a second, your abusing the service, and are blocked
17:03:28 < cyberanger> but since the other user hasn't, he can still query on those servers
17:05:16 < Guest54438> That has nothing to do with what I was talking about.
17:05:53 < Guest54438> If someone is going to add every publicly listed resolver to their configuration, the same problems exist for DDoS targets, sure.
17:06:15 < Guest54438> But not for resolvers (because no individual resolver sees 20MBps.)
17:06:51 < Guest54438> There's not much one can do to help DDoS targets, I was just wondering why that isn't done to help resolvers.
17:15:48 < gparent> Guest54438: Because it doesn't help.
17:16:00 < Guest54438> Finally, a good argument?
17:16:11 < gparent> If you can identify attackers, you can block the source IP, which takes as much effort and is more effective.
17:16:48 < gparent> Also I forgot to quote but I'm replying to "why do dns operators not throttle" from earlier
17:17:45 < Guest54438> Umm...
17:17:45 < Guest54438> Sure.
17:17:51 < Guest54438> If your attacker is a single person.
17:17:56 < Guest54438> Which they never are.
17:18:14 < gparent> So you block more than one IP
17:18:16 < gparent> What's the issue exactly
17:18:42 < Guest54438> If you have 20MBps available and you throttle each IP to X, yeah nothing gets solved. I'm not suggesting that.
17:19:13 < gparent> Sorry, then I'll need you to explain what you mean by "< Guest54438> Why don't resolver operators, to curb absusive queries (specifically amplification attacks) just limit bandwith used
                    on their servers, period?"
17:19:21 < Guest54438> I'm suggesting only have 4MBps available period, so attackers can't just pick an IP and start up their Windows batch script.
17:19:52 < Guest54438> And have that server run five IPs, five resolvers, or own five servers on the line.
17:19:55 < gparent> I still don't get how this helps anything.
17:20:16 < Guest54438> Obviously it wouldn't do anything if all five IPs are used by the attacker, but that's no different than all one IP being used by attackers now.
17:20:50 < gparent> Well the solution to have 5 IPs per server is obviously not realistic, but I have yet to see why it helps at all
17:21:01 < gparent> We already do rate limiting at query level, at least some of us
17:21:11 < gparent> Limiting total available pipe won't do anything but create more issues
17:21:18 < gparent> whether you do it per user or per server
17:21:27 < Guest54438> It wouldn't cause more issues.
17:21:36 < Guest54438> It would by definition, remove your provider bitching about your bandwith use.
17:21:52 < Guest54438> Which seems to be the main effect on the resolver end.
17:21:54 < gparent> It'd cause more issues in the sense that you'd create congestion for everyone
17:22:10 < Guest54438> You wouldn't create congestion for legitamite users.
17:22:24 < Guest54438> You scale to legitamite traffic.
17:22:37 < gparent> But to do that, you need to identify what's legitimate and what isn't
17:22:41 < gparent> At which point you can block the source IPs
17:22:46 < gparent> Making the rest irrelevant
17:22:48 < Guest54438> No you don't.
17:22:53 < gparent> Explain how.
17:22:57 < Guest54438> You just look at the damn traffic lol.
17:23:07 < gparent> I want you to explain how
17:23:10 < Guest54438> A DDoS ain't gonna generate a normal looking amount of traffic.
17:23:12 < Guest54438> That's how.
17:23:15 < Guest54438> Pretty simple.,
17:23:24 < gparent> No, it's not that simple.
17:23:36 < gparent> Just because I have 10mbps of traffic instead of 5 doesn't mean I'm getting DDoSed
17:23:38 < Guest54438> And if it is, it's not a DDoS you need to worry about, because it's not a problem.
17:23:57 < Guest54438> But if you have 20MBps instead of 1 you're probably getting DDoSed.
17:24:06 < gparent> Throttling to one won't help
17:24:15 < Guest54438> Whether or not you know how to make a scale isn't what makes it not simple.
17:24:15 < gparent> It will make the service worse for legitimate users and not hinder the attackers in anyway
17:24:17 < Guest54438> y'know, fuck it.
17:24:23 < Guest54438> You're just an idiot.
17:24:25 -!- Guest54438 [4ba21578@gateway/web/freenode/ip.75.162.21.120] has left #opennic []