
discuss - Re: [opennic-discuss] DDOS, open resolvers, how to solve?

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: Guillaume Parent <gparent AT gparent.org>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] DDOS, open resolvers, how to solve?
  • Date: Fri, 13 Dec 2013 03:46:05 +0000

I'm asking you questions I find relevant to a system like this.

I don't think it's worth the effort for what little it seems to solve, that's
all.

I'm not gonna stop others from working on it.

-gp

On Thu, Dec 12, 2013 at 09:00:48PM -0600, Quinn Wood wrote:
> On Thu, Dec 12, 2013 at 8:43 PM, Guillaume Parent <gparent AT gparent.org>
> wrote:
> > -How do you make it so we can remove and add IPs to the list without
> > knowing whose they are?
> >
> The easiest way is to have two databases, which would be more efficient
> anyway. One of which contains user information- including settings,
> hashed passwords, and IPs/dynamic update tokens encrypted with the
> user's password (ideally, client side encryption would be used) and
> the other containing only IPs with no user information. Upon
> submission, the web script would make INSERT/UPDATE/DELETE queries to
> both databases.
>
> > -How do we prevent a user from deleting someone else's IPs if there's
> > nothing tying them to the IPs?
> >
> Using a second column for "how many user accounts is this IP
> registered under" would be sufficient. Adding if/else logic to
> increment that counter during INSERT if the IP already exists, or
> decrement that counter if non-1 in lieu of doing the actual deletion,
> would be trivial.
>
> > -How does this prevent any random hacker from signing up and then
> > whitelisting five spoofed IPs that all of the DNS servers are now going to
> > accept, willfully participating in the flood?
> >
> You're asking me to tell you how a system not designed to solve part
> of a problem could possibly solve it perfectly. It already solves the
> other part of it (the part it's designed to) *very* effectively and
> that's good enough. (More importantly, it's better than nothing- and
> from what I've seen it's better than what's already being done.) All
> in theory, of course.

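The reference-counted IP table described in the quoted reply, as an added example that is not part of the original thread or any OpenNIC code. The SQLite backend, the table name `allowed_ips`, the function names, and the address canonicalization are all assumptions made for illustration.

```python
import ipaddress
import sqlite3

def open_ip_db(path=":memory:"):
    """IP-only database: addresses and a registration counter, no user data."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS allowed_ips ("
        " ip TEXT PRIMARY KEY,"
        " refcount INTEGER NOT NULL CHECK (refcount > 0))"
    )
    return conn

def _canon(ip):
    # One row per address, whatever textual form it was submitted in.
    # Raises ValueError for anything that is not a valid IPv4/IPv6 address.
    return str(ipaddress.ip_address(ip))

def refcount(conn, ip):
    row = conn.execute(
        "SELECT refcount FROM allowed_ips WHERE ip = ?", (_canon(ip),)
    ).fetchone()
    return row[0] if row else 0

def register_ip(conn, ip):
    """Increment the counter if the IP already exists, else insert it."""
    ip = _canon(ip)
    with conn:  # one transaction per change
        cur = conn.execute(
            "UPDATE allowed_ips SET refcount = refcount + 1 WHERE ip = ?", (ip,))
        if cur.rowcount == 0:
            conn.execute(
                "INSERT INTO allowed_ips (ip, refcount) VALUES (?, 1)", (ip,))
    return refcount(conn, ip)

def unregister_ip(conn, ip):
    """Decrement while other accounts hold the IP; delete at the last one.

    Assumption: the caller passes only IPs taken from the authenticated
    user's own record, since this table cannot tell who registered what.
    """
    ip = _canon(ip)
    with conn:
        cur = conn.execute(
            "UPDATE allowed_ips SET refcount = refcount - 1"
            " WHERE ip = ? AND refcount > 1", (ip,))
        if cur.rowcount == 0:
            conn.execute("DELETE FROM allowed_ips WHERE ip = ?", (ip,))
    return refcount(conn, ip)
```

Removing an address that is not in the table is a no-op that returns 0, so a repeated or stale delete cannot push a counter below the number of accounts still holding the IP.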



