Discuss mailing list

[Guillaume Parent <gparent AT gparent.org>]

I still believe that heuristics with manual review and rate limiting is the best way to deal with this issue. Also, having a connection that's worth a fuck helps. Home connections, while still very useful for helping the network and OpenNIC users resolving DNS rapidly, are never going to resist any relevant DDoS attack.

Incoming packets will not be stopped by a silly HTML form unless every upstream ISP we have cooperates with us, and that's still a significant threat for people with low transfer connections.

Having a registration system will direct the attacks towards the servers that do not enforce it, simply moving the problem away and directing it to less targets. It also has privacy implications that I do not like.

I am not going to enforce any system that requires users to sign up to use my DNS service.

-gp

On Fri, Dec 13, 2013 at 2:03 AM, Quinn Wood <wood.quinn.s AT gmail.com> wrote:

On Thu, Dec 12, 2013 at 7:52 PM, Coyo <coyo AT darkdna.net> wrote:
> I'm really sorry, I've been very busy since we had this discussion. What was
> your idea, again? x.x
>

Step by step, consolidated:
1.) Register an account at members.opennicproject.org (or whatever URL.)
2.) Upon registration, and some type of mild verification, your
account gets a set number of allowed IPs (let's say 5.)
3.) You enter the IPs you want to be allowed to use OpenNIC
nameservers from (or at least nameservers participating in the
whitelisting.)
4.) Your IPs are encrypted using your account password- no one can
just go in and see IP X is associated with user Y (more on this
later.*)
5.) Your IPs along with everyone else's are aggregated into a list
which can be made into an acl (for bind, for example, trivially.)
6.) If you want more IPs, you have to make a request on the mailing
lists. Or you have to mass register accounts.**

* This is a preventative measure, not a punitive one. This isn't to
make it easier to banfuck people based on their behavior, it's to make
OpenNIC no longer the path of least resistance. We can already ban
people based on their behavior using existing methods and tools.
** I believe that having to lie well enough to increase your IP
allocation or having to mass register accounts would make most
would-be botnet operators look for another open resolver to use for
their reflection attacks.

This idea comes from the fact that a centralized members site could do
a lot of things. Without going on a tangent, this is one of them.
Another addition you would probably want in this type of system is a
type of dynamic IP support. Maybe some kind of page that you have to
visit which has a token in the URL to update your IP in the list
associated with your account. In addition, you could allow hosts that
aren't whitelisted to use OpenNIC nameservers in a rate-limited
fashion. That's starting to get into implementation and technical
details though, which I feel should be largely up to individual server
operators.



--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org