discuss AT lists.opennicproject.org

Subject: Discuss mailing list

List archive

Re: [opennic-discuss] DDOS, open resolvers, how to solve?

From: Quinn Wood <wood.quinn.s AT gmail.com>
To: discuss AT lists.opennicproject.org
Subject: Re: [opennic-discuss] DDOS, open resolvers, how to solve?
Date: Thu, 12 Dec 2013 20:03:12 -0600

On Thu, Dec 12, 2013 at 7:52 PM, Coyo <coyo AT darkdna.net> wrote:
> I'm really sorry, I've been very busy since we had this discussion. What was
> your idea, again? x.x
>
Step by step, consolidated:
1.) Register an account at members.opennicproject.org (or whatever URL.)
2.) Upon registration, and some type of mild verification, your
account gets a set number of allowed IPs (let's say 5.)
3.) You enter the IPs you want to be allowed to use OpenNIC
nameservers from (or at least nameservers participating in the
whitelisting.)
4.) Your IPs are encrypted using your account password- no one can
just go in and see IP X is associated with user Y (more on this
later.*)
5.) Your IPs along with everyone else's are aggregated into a list
which can be made into an acl (for bind, for example, trivially.)
6.) If you want more IPs, you have to make a request on the mailing
lists. Or you have to mass register accounts.**

* This is a preventative measure, not a punitive one. This isn't to
make it easier to banfuck people based on their behavior, it's to make
OpenNIC no longer the path of least resistance. We can already ban
people based on their behavior using existing methods and tools.
** I believe that having to lie well enough to increase your IP
allocation or having to mass register accounts would make most
would-be botnet operators look for another open resolver to use for
their reflection attacks.

This idea comes from the fact that a centralized members site could do
a lot of things. Without going on a tangent, this is one of them.
Another addition you would probably want in this type of system is a
type of dynamic IP support. Maybe some kind of page that you have to
visit which has a token in the URL to update your IP in the list
associated with your account. In addition, you could allow hosts that
aren't whitelisted to use OpenNIC nameservers in a rate-limited
fashion. That's starting to get into implementation and technical
details though, which I feel should be largely up to individual server
operators.

Re: [opennic-discuss] DDOS, open resolvers, how to solve?, Coyo, 12/12/2013
- Re: [opennic-discuss] DDOS, open resolvers, how to solve?, Quinn Wood, 12/12/2013
  - Re: [opennic-discuss] DDOS, open resolvers, how to solve?, Coyo, 12/12/2013
    - Re: [opennic-discuss] DDOS, open resolvers, how to solve?, Quinn Wood, 12/12/2013
      - Re: [opennic-discuss] DDOS, open resolvers, how to solve?, Guillaume Parent, 12/12/2013
        
        Re: [opennic-discuss] DDOS, open resolvers, how to solve?, Guillaume Parent, 12/12/2013
        
        Re: [opennic-discuss] DDOS, open resolvers, how to solve?, Quinn Wood, 12/12/2013
        
        Re: [opennic-discuss] DDOS, open resolvers, how to solve?, Seth M Rainsdon, 12/12/2013
        
        Re: [opennic-discuss] DDOS, open resolvers, how to solve?, Coyo, 12/12/2013
        
        Re: [opennic-discuss] DDOS, open resolvers, how to solve?, Guillaume Parent, 12/12/2013
        
        Re: [opennic-discuss] DDOS, open resolvers, how to solve?, Coyo, 12/12/2013
        Re: [opennic-discuss] DDOS, open resolvers, how to solve?, Guillaume Parent, 12/12/2013
        Re: [opennic-discuss] DDOS, open resolvers, how to solve?, Quinn Wood, 12/12/2013
        Re: [opennic-discuss] DDOS, open resolvers, how to solve?, Guillaume Parent, 12/12/2013