Re: Open Resolvers pseudo Honey Pot (Was: Open Resolver Problems)

2013-05-10 Thread Alain Hebert
On 05/09/13 19:03, Mark Andrews wrote: In message 518bd982.60...@pubnix.net, Alain Hebert writes: ( Ok, ok, another bad customer =D ) Starting today at 5h15m EST... There is a bigger than usual DDoS amplification against the IP's listed below. Granted root servers query is

Open Resolvers pseudo Honey Pot (Was: Open Resolver Problems)

2013-05-09 Thread Alain Hebert
( Ok, ok, another bad customer =D ) Starting today at 5h15m EST... There is a bigger than usual DDoS amplification against the IP's listed below. Granted root servers query is barely 1k while the usual isc.org is 3.5k and this is a possible 15Mbps from this one source but still :(

RE: Open Resolvers pseudo Honey Pot (Was: Open Resolver Problems)

2013-05-09 Thread Warren Bailey
Is anyone in particular being pocketed, or are these random addresses? Sent from my Mobile Device. Original message From: Alain Hebert aheb...@pubnix.net Date: 05/09/2013 10:16 AM (GMT-08:00) To: nanog@nanog.org Subject: Open Resolvers pseudo Honey Pot (Was: Open Resolver

Re: Open Resolvers pseudo Honey Pot (Was: Open Resolver Problems)

2013-05-09 Thread Alain Hebert
It looks like to be a service and some of their customers. - Alain Hebert aheb...@pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 On

Re: Open Resolvers pseudo Honey Pot (Was: Open Resolver Problems)

2013-05-09 Thread Mark Andrews
In message 518bd982.60...@pubnix.net, Alain Hebert writes: ( Ok, ok, another bad customer =D ) Starting today at 5h15m EST... There is a bigger than usual DDoS amplification against the IP's listed below. Granted root servers query is barely 1k while the usual isc.org is

Re: Open Resolver Problems

2013-04-03 Thread Jerry Dent
I think that is .2% - .3%, no? On Tue, Apr 2, 2013 at 5:41 PM, Joe Abley jab...@hopcount.ca wrote: On 2013-04-02, at 18:18, John Kristoff j...@cymru.com wrote: I would expect from stubs this will be close enough to zero to be effectively zero. At least I would hope so. This (below) is

Re: Open Resolver Problems

2013-04-03 Thread Joe Abley
On 2013-04-03, at 11:25, Jerry Dent effinjd...@gmail.com wrote: I think that is .2% - .3%, no? Oh, you're right -- it does seem substantially closer to zero when you put the decimal point in the right place :-) Joe

Re: Open Resolver Problems

2013-04-03 Thread Jay Ashworth
- Original Message - From: Joe Abley jab...@hopcount.ca On 2013-04-03, at 11:25, Jerry Dent effinjd...@gmail.com wrote: I think that is .2% - .3%, no? Oh, you're right -- it does seem substantially closer to zero when you put the decimal point in the right place :-) Huh? 23 in

Re: Open Resolver Problems

2013-04-03 Thread Joe Abley
On 2013-04-03, at 12:52, Jay Ashworth j...@baylink.com wrote: - Original Message - From: Joe Abley jab...@hopcount.ca On 2013-04-03, at 11:25, Jerry Dent effinjd...@gmail.com wrote: I think that is .2% - .3%, no? Oh, you're right -- it does seem substantially closer to zero

Re: Open Resolver Problems

2013-04-03 Thread Jerry Dent
His sample was 10K not 1000. Look higher. On Wed, Apr 3, 2013 at 12:15 PM, Joe Abley jab...@hopcount.ca wrote: On 2013-04-03, at 12:52, Jay Ashworth j...@baylink.com wrote: - Original Message - From: Joe Abley jab...@hopcount.ca On 2013-04-03, at 11:25, Jerry Dent

Re: Open Resolver Problems

2013-04-02 Thread Måns Nilsson
Subject: Re: Open Resolver Problems Date: Tue, Apr 02, 2013 at 05:25:53AM +0200 Quoting Mikael Abrahamsson (swm...@swm.pp.se): On Tue, 2 Apr 2013, Måns Nilsson wrote: What percentage of the SOHO NAT boxes actually are full-service resolvers? I was under the impression that most were mere

RE: Open Resolver Problems

2013-04-02 Thread Jamie Bowden
From: Dobbins, Roland [mailto:rdobb...@arbor.net] On Apr 2, 2013, at 7:53 AM, Mark Andrews wrote: Such lines are tantamount to extortion especially if the ISP supplies commercial grade lines. Patrick's talking about consumer broadband access. Such AUP stipulations are quite common.

Re: Open Resolver Problems

2013-04-02 Thread John Kristoff
On Mon, 1 Apr 2013 20:33:36 +0200 (CEST) Mikael Abrahamsson swm...@swm.pp.se wrote: You're sending queries, not replies. That's why DPI is needed to do the blocking, rather than just by port. What queries are sourced from port 53 nowadays? I would expect from stubs this will be close

Re: Open Resolver Problems

2013-04-02 Thread John Kristoff
On Mon, 1 Apr 2013 19:40:03 +0100 Tony Finch d...@dotat.at wrote: You should be able to get a reasonable sample of IPv6 resolvers from the query logs of a popular authoritative server. When I tried this in the past for IPv4, I missed the majority of potential open resolvers / open forwarders

Re: Open Resolver Problems

2013-04-02 Thread Joe Abley
On 2013-04-02, at 18:18, John Kristoff j...@cymru.com wrote: I would expect from stubs this will be close enough to zero to be effectively zero. At least I would hope so. This (below) is one of four resolvers, together providing service for two recursive DNS servers used by residential DSL

Re: Open Resolver Problems

2013-04-02 Thread John Kristoff
On Tue, 2 Apr 2013 18:41:17 -0400 Joe Abley jab...@hopcount.ca wrote: 26/1000 is more than zero but still quite small. Subsequent samples with bigger sizes give 332/10, 3017/100. No science here, but 2% - 3% is what it looks like, which is big enough to be a noticeable support cost

Re: Open Resolver Problems

2013-04-01 Thread Jared Mauch
On Mar 31, 2013, at 11:16 PM, valdis.kletni...@vt.edu wrote: On Sun, 31 Mar 2013 16:09:35 -0500, Jimmy Hess said: On 3/29/13, Scott Noel-Hemming frogstar...@gmail.com wrote: Some of us have both publicly-facing authoritative DNS, and inward facing recursive servers that may be open resolvers

Re: Open Resolver Problems

2013-04-01 Thread Chris Boyd
On Mar 31, 2013, at 8:46 PM, Jared Mauch wrote: Many thanks to everyone that is treating this as a critical issue to close these hosts. Just back to the office, and started checking my networks. Found one of the resolvers is a Netgear SOHO NAT box. EoL'd, no new firmware available.

Re: Open Resolver Problems

2013-04-01 Thread Paul Ferguson
On Mon, Apr 1, 2013 at 7:35 AM, Chris Boyd cb...@gizmopartners.com wrote: On Mar 31, 2013, at 8:46 PM, Jared Mauch wrote: Many thanks to everyone that is treating this as a critical issue to close these hosts. Just back to the office, and started checking my networks. Found one of the

Re: Open Resolver Problems

2013-04-01 Thread Mikael Abrahamsson
On Mon, 1 Apr 2013, Chris Boyd wrote: Just back to the office, and started checking my networks. Found one of the resolvers is a Netgear SOHO NAT box. EoL'd, no new firmware available. Anyone have any feeling for what percentage are these types of boxes? If you buy type of box mean small

FW: Open Resolver Problems

2013-04-01 Thread Milt Aitken
the DNS amplification attacks. -Original Message- From: Mikael Abrahamsson [mailto:swm...@swm.pp.se] Sent: Monday, April 01, 2013 11:51 AM To: Chris Boyd Cc: nanog@nanog.org Subject: Re: Open Resolver Problems On Mon, 1 Apr 2013, Chris Boyd wrote: Just back to the office, and started checking

Re: Open Resolver Problems

2013-04-01 Thread Patrick W. Gilmore
, patrick -Original Message- From: Mikael Abrahamsson [mailto:swm...@swm.pp.se] Sent: Monday, April 01, 2013 11:51 AM To: Chris Boyd Cc: nanog@nanog.org Subject: Re: Open Resolver Problems On Mon, 1 Apr 2013, Chris Boyd wrote: Just back to the office, and started checking my

Re: Open Resolver Problems

2013-04-01 Thread Dobbins, Roland
On Apr 1, 2013, at 11:03 PM, Patrick W. Gilmore wrote: You can always make an exception if the user is extremely loud. It might be a good idea to make pinholes for the Google and OpenDNS recursors, as they're fairly popular. I agree that this is a good idea, similar to the same sort of

Re: Open Resolver Problems

2013-04-01 Thread Patrick W. Gilmore
On Apr 01, 2013, at 12:09 , Dobbins, Roland rdobb...@arbor.net wrote: On Apr 1, 2013, at 11:03 PM, Patrick W. Gilmore wrote: You can always make an exception if the user is extremely loud. It might be a good idea to make pinholes for the Google and OpenDNS recursors, as they're fairly

Re: Open Resolver Problems

2013-04-01 Thread Brian Dickson
For filtering to/from client-only networks, here's the filtering rules (in pseudo-code, convert to appropriate code for whatever devices you operate), for DNS. The objective here is: - prevent spoofed-source DNS reflection attacks from your customers, from leaving your network - prevent your

Re: Open Resolver Problems

2013-04-01 Thread Dobbins, Roland
On Apr 1, 2013, at 11:18 PM, Patrick W. Gilmore wrote: Of course, since users shouldn't be using off-net name servers anyway, this isn't really a problem! :) ; It's easy enough to construct ACLs to restrict the broadband consumer access networks from doing so. Additional egress filtering

Re: Open Resolver Problems

2013-04-01 Thread Jay Ashworth
- Original Message - From: Roland Dobbins rdobb...@arbor.net On Apr 1, 2013, at 11:18 PM, Patrick W. Gilmore wrote: Of course, since users shouldn't be using off-net name servers anyway, this isn't really a problem! :) ; It's easy enough to construct ACLs to restrict the

Re: Open Resolver Problems

2013-04-01 Thread Valdis . Kletnieks
On Mon, 01 Apr 2013 14:19:16 -0400, Jay Ashworth said: So, how would Patrick's caveat affect me, whose recursive resolver *is on my Linux laptop*? Would not that recursor be making queries he advocates blocking? You're sending queries, not replies. That's why DPI is needed to do the

Re: Open Resolver Problems

2013-04-01 Thread Jay Ashworth
Original Message - From: Valdis Kletnieks valdis.kletni...@vt.edu On Mon, 01 Apr 2013 14:19:16 -0400, Jay Ashworth said: So, how would Patrick's caveat affect me, whose recursive resolver *is on my Linux laptop*? Would not that recursor be making queries he advocates blocking?

Re: Open Resolver Problems

2013-04-01 Thread Mikael Abrahamsson
On Mon, 1 Apr 2013, valdis.kletni...@vt.edu wrote: You're sending queries, not replies. That's why DPI is needed to do the blocking, rather than just by port. What queries are sourced from port 53 nowadays? I'd imagine it's pretty safe to block Internet-customer UDP/53 packets. -- Mikael

Re: Open Resolver Problems

2013-04-01 Thread Joe Abley
On 2013-04-01, at 14:19, Jay Ashworth j...@baylink.com wrote: From: Roland Dobbins rdobb...@arbor.net On Apr 1, 2013, at 11:18 PM, Patrick W. Gilmore wrote: Of course, since users shouldn't be using off-net name servers anyway, this isn't really a problem! :) ; It's easy enough to

Re: Open Resolver Problems

2013-04-01 Thread Tony Finch
On 1 Apr 2013, at 14:44, Jared Mauch ja...@puck.nether.net wrote: On Mar 31, 2013, at 11:16 PM, valdis.kletni...@vt.edu wrote: Anybody who is looking at this as an IPv4 issue is woefully misinformed about the nature of the problem. :) IPv4 it's easy to collect an inventory (the math

Re: Open Resolver Problems

2013-04-01 Thread Valdis . Kletnieks
On Mon, 01 Apr 2013 19:40:03 +0100, Tony Finch said: You should be able to get a reasonable sample of IPv6 resolvers from the query logs of a popular authoritative server. Hopefully, said logs are not easily accessible to the miscreants. (I still expect the most feasible method for the

Re: Open Resolver Problems

2013-04-01 Thread joel jaeggli
On 4/1/13 11:59 AM, valdis.kletni...@vt.edu wrote: On Mon, 01 Apr 2013 19:40:03 +0100, Tony Finch said: You should be able to get a reasonable sample of IPv6 resolvers from the query logs of a popular authoritative server. Hopefully, said logs are not easily accessible to the miscreants.

Re: Open Resolver Problems

2013-04-01 Thread Niels Bakker
On Apr 01, 2013, at 11:55 , Milt Aitken m...@net2atlanta.com wrote: Most of our DSL customers have modem/routers that resolve DNS externally. And most of those have no configuration option to stop it. So, we took the unfortunate step of ACL blocking DNS requests to from the DSL network unless

Re: Open Resolver Problems

2013-04-01 Thread Niels Bakker
* patr...@ianai.net (Patrick W. Gilmore) [Mon 01 Apr 2013, 18:18 CEST]: Of course, since users shouldn't be using off-net name servers anyway, this isn't really a problem! :) You're joking, right? Should they also use only the telco-approved search engine, via the telco-hosted portal?

Re: Open Resolver Problems

2013-04-01 Thread Jared Mauch
On Apr 1, 2013, at 4:19 PM, Niels Bakker niels=na...@bakker.net wrote: On Apr 01, 2013, at 11:55 , Milt Aitken m...@net2atlanta.com wrote: Most of our DSL customers have modem/routers that resolve DNS externally. And most of those have no configuration option to stop it. So, we took the

Re: Open Resolver Problems

2013-04-01 Thread Niels Bakker
* ja...@puck.nether.net (Jared Mauch) [Mon 01 Apr 2013, 22:24 CEST]: I would say this is the wrong solution. Prevent your customers from spoofing is the first step, then ask them to fix their broken CPE. I daresay that after ten years of discussion NANOG has reached consensus that

RE: Open Resolver Problems

2013-04-01 Thread Keith Medcalf
...@bakker.net] Sent: Monday, 01 April, 2013 14:22 To: nanog@nanog.org Subject: Re: Open Resolver Problems * patr...@ianai.net (Patrick W. Gilmore) [Mon 01 Apr 2013, 18:18 CEST]: Of course, since users shouldn't be using off-net name servers anyway, this isn't really a problem! :) You're joking, right

Re: Open Resolver Problems

2013-04-01 Thread Måns Nilsson
Subject: Re: Open Resolver Problems Date: Mon, Apr 01, 2013 at 10:21:42PM +0200 Quoting Niels Bakker (niels=na...@bakker.net): * patr...@ianai.net (Patrick W. Gilmore) [Mon 01 Apr 2013, 18:18 CEST]: Of course, since users shouldn't be using off-net name servers anyway, this isn't really

Re: Open Resolver Problems

2013-04-01 Thread Mark Andrews
In message 44ecd7b5-d9a4-408b-a132-29241de3a...@ianai.net, Patrick W. Gilmore writes: On Apr 01, 2013, at 11:55 , Milt Aitken m...@net2atlanta.com wrote: Most of our DSL customers have modem/routers that resolve DNS externally. And most of those have no configuration option to stop it.

Re: Open Resolver Problems

2013-04-01 Thread Dobbins, Roland
On Apr 2, 2013, at 7:53 AM, Mark Andrews wrote: Such lines are tantamount to extortion especially if the ISP supplies commercial grade lines. Patrick's talking about consumer broadband access. Such AUP stipulations are quite common. This is in no way 'tantamount to extortion'. Folks can

Re: Open Resolver Problems

2013-04-01 Thread Mark Andrews
In message cf4e9f59-4a9e-4e03-8eb4-469c3db15...@arbor.net, Dobbins, Roland writes: On Apr 2, 2013, at 7:53 AM, Mark Andrews wrote: Such lines are tantamount to extortion especially if the ISP supplies commercial grade lines. Patrick's talking about consumer broadband access. Such

Re: Open Resolver Problems

2013-04-01 Thread Dobbins, Roland
On Apr 2, 2013, at 8:21 AM, Mark Andrews wrote: I know and I would still argue that they are tantamount to extortion. There is no coercion involved, so, by definition, it can't be called 'extortion'. If you don't like the AUP, don't sign up for the service - simple as that. Hyperbole isn't

Re: Open Resolver Problems

2013-04-01 Thread Owen DeLong
On Apr 1, 2013, at 6:38 PM, Dobbins, Roland rdobb...@arbor.net wrote: On Apr 2, 2013, at 8:21 AM, Mark Andrews wrote: I know and I would still argue that they are tantamount to extortion. There is no coercion involved, so, by definition, it can't be called 'extortion'. If you don't

Re: Open Resolver Problems

2013-04-01 Thread Paul Ferguson
On Mon, Apr 1, 2013 at 6:45 PM, Owen DeLong o...@delong.com wrote: On Apr 1, 2013, at 6:38 PM, Dobbins, Roland rdobb...@arbor.net wrote: On Apr 2, 2013, at 8:21 AM, Mark Andrews wrote: I know and I would still argue that they are tantamount to extortion. There is no coercion involved,

Re: Open Resolver Problems

2013-04-01 Thread Dobbins, Roland
On Apr 2, 2013, at 8:45 AM, Owen DeLong wrote: In an oligopoly situation, that's hardly a valid set of choices There's enough choice in most US markets (not all) to provide for a variety of services offered, AUPs, and price points. Wireless has brought an additional option to many

Re: Open Resolver Problems

2013-04-01 Thread Dobbins, Roland
On Apr 2, 2013, at 8:52 AM, Paul Ferguson wrote: Yeah, I thought so, too, but apparently the FCC and the SEC haven't seen it that way for the past 20 years. Go figure. :-) The situation is gradually getting better, not worse - and that's progress, even if it isn't as fast as we'd all like.

Re: Open Resolver Problems

2013-04-01 Thread Owen DeLong
Yeah, I thought so, too, but apparently the FCC and the SEC haven't seen it that way for the past 20 years. Go figure. :-) The FCC doesn't understand that 4Mbps customer-facing speed on the tail circuit alone does NOT define broadband in a meaningful way. The SEC does not understand that

Re: Open Resolver Problems

2013-04-01 Thread Owen DeLong
On Apr 1, 2013, at 6:54 PM, Dobbins, Roland rdobb...@arbor.net wrote: On Apr 2, 2013, at 8:45 AM, Owen DeLong wrote: In an oligopoly situation, that's hardly a valid set of choices There's enough choice in most US markets (not all) to provide for a variety of services offered, AUPs,

Re: Open Resolver Problems

2013-04-01 Thread Dobbins, Roland
On Apr 2, 2013, at 9:09 AM, Owen DeLong wrote: With all due respect, sir, you are mistaken. Even in such populous areas as San Jose, there is a limited selection to a majority of the customers, especially if they want more than 1.5Mbps. I lived in San Jose for several years, and had

Re: Open Resolver Problems

2013-04-01 Thread Dobbins, Roland
On Apr 2, 2013, at 9:09 AM, Owen DeLong wrote: In the majority of the US where it is rural, there is even less choice. Largest in geography largest in population. Even where there are multiple providers, they often all provide the same limitations in their AUP unless you go to higher

Re: Open Resolver Problems

2013-04-01 Thread Paul Ferguson
On Mon, Apr 1, 2013 at 7:38 PM, Dobbins, Roland rdobb...@arbor.net wrote: On Apr 2, 2013, at 9:09 AM, Owen DeLong wrote: Even in such populous areas as San Jose, there is a limited selection to a majority of the customers, especially if they want more than 1.5Mbps. I lived in San Jose for

Re: Open Resolver Problems

2013-04-01 Thread Dobbins, Roland
On Apr 2, 2013, at 9:48 AM, Paul Ferguson wrote: In any event, depending on where you are in the U.S., many consumers have a choice between bad and worse. :-) I certainly do agree with that general sentiment. Living abroad, I have more choices in terms of both wired broadband and wireless.

Re: Open Resolver Problems

2013-04-01 Thread Mikael Abrahamsson
On Tue, 2 Apr 2013, Måns Nilsson wrote: What percentage of the SOHO NAT boxes actually are full-service resolvers? I was under the impression that most were mere forwarders; just pushing queries on toward the DHCP'd full service resolvers of the ISP. What does that help? They can still be

Re: Open Resolver Problems

2013-03-31 Thread Jimmy Hess
On 3/29/13, Scott Noel-Hemming frogstar...@gmail.com wrote: Some of us have both publicly-facing authoritative DNS, and inward facing recursive servers that may be open resolvers but can't be found via NS entries (so the IP addresses of those aren't exactly publicly available info). Sounds

Re: Open Resolver Problems

2013-03-31 Thread Jared Mauch
On Mar 31, 2013, at 5:09 PM, Jimmy Hess mysi...@gmail.com wrote: On 3/29/13, Scott Noel-Hemming frogstar...@gmail.com wrote: Some of us have both publicly-facing authoritative DNS, and inward facing recursive servers that may be open resolvers but can't be found via NS entries (so the IP

Re: Open Resolver Problems

2013-03-31 Thread Valdis . Kletnieks
On Sun, 31 Mar 2013 16:09:35 -0500, Jimmy Hess said: On 3/29/13, Scott Noel-Hemming frogstar...@gmail.com wrote: Some of us have both publicly-facing authoritative DNS, and inward facing recursive servers that may be open resolvers but can't be found via NS entries (so the IP addresses of

Re: Open Resolver Problems

2013-03-29 Thread Jimmy Hess
On 3/28/13, Ben Aitchison b...@meh.net.nz wrote: On Tue, Mar 26, 2013 at 07:07:16PM -0700, Tom Paseka wrote: Authoritative DNS servers need to implement rate limiting. (a client shouldn't query you twice for the same thing within its TTL). The RFC doesn't say that is a should; a client MAY

Re: Per-ASN data (Re: Open Resolver Problems)

2013-03-29 Thread Mikael Abrahamsson
On Thu, 28 Mar 2013, Jared Mauch wrote: I wanted to share PER-ASN data for those that are interested in this generally. If you are a contact for these ASNs, you can e-mail me from your corporate address to get access to the list. Interesting. My guess is that at least some of these have a

Re: Open Resolver Problems

2013-03-29 Thread Mark Andrews
In message 20130329034419.ga26...@meh.net.nz, Ben Aitchison writes: That said, a lot of these amplification attacks use ANY requests, which normal clients don't. And those could be rate limited down without affecting normal traffic I'm sure. Ben. And you need to learn that normal

Re: Open Resolver Problems

2013-03-29 Thread Joe Greco
In message 20130329034419.ga26...@meh.net.nz, Ben Aitchison writes: That said, a lot of these amplification attacks use ANY requests, which normal clients don't. And those could be rate limited down without affecting normal traffic I'm sure. And you need to learn that normal clients

Re: Open Resolver Problems

2013-03-29 Thread Masataka Ohta
Ben Aitchison wrote: Authoritative DNS servers need to implement rate limiting. (a client shouldn't query you twice for the same thing within its TTL). unbound with its dns-prefetching queries a dns server again in I think the last 10% of ttl when returning hit to client to refresh ttl

Re: Open Resolver Problems

2013-03-29 Thread Dobbins, Roland
On Mar 29, 2013, at 6:58 PM, Joe Greco wrote: Really, I've spent a disappointing amount of time listening to the but but but you can't DO that What they're really worried about is folks arbitrarily deciding to permanently mask out ANY queries altogether as a matter of policy,

Re: Open Resolver Problems

2013-03-29 Thread Joe Greco
On Mar 29, 2013, at 6:58 PM, Joe Greco wrote: Really, I've spent a disappointing amount of time listening to the but but but you can't DO that What they're really worried about is folks arbitrarily deciding to permanently mask out ANY queries altogether as a matter of

Re: Open Resolver Problems

2013-03-29 Thread Scott Noel-Hemming
On 03/25/2013 08:44 AM, valdis.kletni...@vt.edu wrote: On Mon, 25 Mar 2013 15:38:01 -, Nick Hilliard said: On 25/03/2013 14:33, Mikael Abrahamsson wrote: I would like to be able to request an IP list of open resolvers in my ASN, perhaps sent to the contact details in RIPE whois database to

Re: Open Resolver Problems

2013-03-29 Thread Doug Barton
On 03/29/2013 04:58 AM, Joe Greco wrote: Really, I've spent a disappointing amount of time listening to the but but but you can't DO that from the ISC camp over the years Joe, Perhaps you haven't been keeping up with the Response Rate Limiting work?

Re: Open Resolver Problems

2013-03-28 Thread na...@mitteilung.com
On 27.03.2013 00:04, Alain Hebert wrote: We're on it here... Been using the work of http://bindguard.activezone.de/ to watch it =D There is a lot of targets... kinda hard to figure out the goal... - Alain Hebert aheb...@pubnix.net PubNIX

Can we not just fix it? WAS:Re: Open Resolver Problems

2013-03-28 Thread Michael DeMan
As I think as we all know the deficiency is the design of the DNS system overall. No disrespect to anybody, but lots of companies make money off of the design deficiencies and try to position themselves as offering 'value add services' or something similar. Basically they make money because the

Re: Can we not just fix it? WAS:Re: Open Resolver Problems

2013-03-28 Thread David Conrad
On Mar 27, 2013, at 10:11 PM, Michael DeMan na...@deman.com wrote: As I think as we all know the deficiency is the design of the DNS system overall. One of the largest DDoS attacks I've witnessed was SNMP-based, walking entire OID sub-trees (with spoofed source addresses) across thousands of

Re: Can we not just fix it? WAS:Re: Open Resolver Problems

2013-03-28 Thread Saku Ytti
On (2013-03-27 22:27 -1000), David Conrad wrote: One of the largest DDoS attacks I've witnessed was SNMP-based, walking entire OID sub-trees (with spoofed source addresses) across thousands of CPEs that defaulted to allowing SNMP queries over the WAN interface. Oops. Topped out around 70

Per-ASN data (Re: Open Resolver Problems)

2013-03-28 Thread Jared Mauch
I wanted to share PER-ASN data for those that are interested in this generally. If you are a contact for these ASNs, you can e-mail me from your corporate address to get access to the list. Thank you for many of you that have secured hosts COUNT ASN# 1357979 4134 1144551 8151 1089464

Re: Per-ASN data (Re: Open Resolver Problems)

2013-03-28 Thread Valdis . Kletnieks
On Thu, 28 Mar 2013 14:16:58 -0400, Jared Mauch said: I wanted to share PER-ASN data for those that are interested in this generally. If you are a contact for these ASNs, you can e-mail me from your corporate address to get access to the list. Thank you for many of you that have secured

Re: Open Resolver Problems

2013-03-28 Thread Ben Aitchison
On Tue, Mar 26, 2013 at 07:07:16PM -0700, Tom Paseka wrote: On Tue, Mar 26, 2013 at 7:04 PM, Matthew Petach mpet...@netflight.com wrote: On Tue, Mar 26, 2013 at 6:06 PM, John Levine jo...@iecc.com wrote: As a white-hat attempting to find problems to address through legitimate means, how

Re: Open Resolver Problems

2013-03-27 Thread Nick Hilliard
On 26/03/2013 14:21, valdis.kletni...@vt.edu wrote: And if you get a recursive lookup for www.ebay.com from a hotel network, I'm struggling to understand why it's necessary to hard-code dns servers into the ip networking configuration of a portable device. By definition, these devices will

Re: Open Resolver Problems

2013-03-27 Thread Alain Hebert
Well, On 03/27/13 07:20, Nick Hilliard wrote: On 26/03/2013 14:21, valdis.kletni...@vt.edu wrote: And if you get a recursive lookup for www.ebay.com from a hotel network, I'm struggling to understand why it's necessary to hard-code dns servers into the ip networking configuration of a

Re: Open Resolver Problems

2013-03-27 Thread Nick Hilliard
On 27/03/2013 12:40, Rich Kulawiec wrote: It's necessary because many operations are screwing with DNS results in order to advance/suppress political agendas, impose their moral code via censorship, profit via redirection to search portals, etc. If we could actually trust that J. Random Hotel

Re: Open Resolver Problems

2013-03-27 Thread Alain Hebert
Little bit of fun with http://bindguard.activezone.de/ This little example with an open resolver with only 200 queries a minute... The following list show the # of queries made followed by the query in question. False positive: 69.x.x.x 2 a1.mzstatic.com IN A +

Re: Open Resolver Problems

2013-03-27 Thread William Herrin
On Tue, Mar 26, 2013 at 10:07 PM, Tom Paseka t...@cloudflare.com wrote: Authoritative DNS servers need to implement rate limiting. (a client shouldn't query you twice for the same thing within its TTL). Right now that's a complaint for the mainstream software authors, not for the system

Re: Open Resolver Problems

2013-03-27 Thread Joe Abley
On 2013-03-27, at 09:47, William Herrin b...@herrin.us wrote: On Tue, Mar 26, 2013 at 10:07 PM, Tom Paseka t...@cloudflare.com wrote: Authoritative DNS servers need to implement rate limiting. (a client shouldn't query you twice for the same thing within its TTL). Right now that's a

Re: Open Resolver Problems

2013-03-27 Thread Jared Mauch
On Mar 27, 2013, at 8:47 AM, Nick Hilliard n...@foobar.org wrote: then use a vpn and/or provide that service to your users. Sure, hotels and public access wifi does all sorts of stupid and obnoxious stuff, but the way to work around this is not by hardwiring your dns to some open resolver.

Re: Open Resolver Problems

2013-03-27 Thread Jack Bates
On 3/27/2013 8:47 AM, William Herrin wrote: On Tue, Mar 26, 2013 at 10:07 PM, Tom Paseka t...@cloudflare.com wrote: Authoritative DNS servers need to implement rate limiting. (a client shouldn't query you twice for the same thing within its TTL). Right now that's a complaint for the mainstream

Re: Open Resolver Problems

2013-03-27 Thread William Herrin
On Wed, Mar 27, 2013 at 10:00 AM, Jack Bates jba...@brightok.net wrote: On 3/27/2013 8:47 AM, William Herrin wrote: Right now that's a complaint for the mainstream software authors, not for the system operators. When the version of Bind in Debian Stable implements this feature, I'll surely

Re: Open Resolver Problems

2013-03-27 Thread Jack Bates
On 3/27/2013 9:34 AM, William Herrin wrote: On Wed, Mar 27, 2013 at 10:00 AM, Jack Bates jba...@brightok.net wrote: Tracking the clients would be a huge dataset and be especially complicated in clusters. They'd be better off at detecting actual attack vectors rather than rate limiting. I

Re: Open Resolver Problems

2013-03-27 Thread Mark Andrews
In message 51530632.3020...@brightok.net, Jack Bates writes: On 3/27/2013 9:34 AM, William Herrin wrote: On Wed, Mar 27, 2013 at 10:00 AM, Jack Bates jba...@brightok.net wrote: Tracking the clients would be a huge dataset and be especially complicated in clusters. They'd be better off at

Re: Open Resolver Problems

2013-03-27 Thread Owen DeLong
It's been available in linux for a long time, just not in BIND… Here is a working ip6tables example: -A RH-Firewall-1-INPUT -s 2620:0:930::/48 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -s 2001:470:1f00:3142::/64 -m state --state NEW -m udp -p udp --dport 53

Re: Open Resolver Problems

2013-03-27 Thread Marco Davids
On 27-03-13 16:54, Owen DeLong wrote: It's been available in linux for a long time, just not in BIND… Not entirely true: http://www.redbarn.org/dns/ratelimits Here is a working ip6tables example: Tricky... There is also the 'hashlimit' module (at least for v4, not sure about v6), that may

Re: Open Resolver Problems

2013-03-27 Thread Jared Mauch
On Mar 27, 2013, at 11:54 AM, Owen DeLong o...@delong.com wrote: It's been available in linux for a long time, just not in BIND… Here is a working ip6tables example: -A RH-Firewall-1-INPUT -s 2620:0:930::/48 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT

Re: Open Resolver Problems

2013-03-27 Thread Joe Abley
On 2013-03-27, at 14:52, Jared Mauch ja...@puck.nether.net wrote: I am very concerned about examples such as this possibly being implemented by a well intentioned sysadmin or neteng type without understanding their query load and patterns. bind with the rrl patch does log when things are

Enforcing Source Integrity: BCP38 and Open Resolver Problems

2013-03-27 Thread Eric M. Carroll
The root cause of high scale directed amplification attacks is the failure to assure the integrity of the source IP address. This failure leads to a large set of directed amplification attack vectors. BCP38 was written in 2000, coming up on its 13th anniversary. This root cause, and various

Re: Open Resolver Problems

2013-03-27 Thread Tony Finch
Joe Abley jab...@hopcount.ca wrote: My assessment is that the implementations I have seen are ready for production use, but I think it's understandable given the moving goalposts that some vendors have not yet promoted the code to be included in stable releases. It is in the current stable

Re: Open Resolver Problems

2013-03-27 Thread Tony Finch
Jack Bates jba...@brightok.net wrote: Tracking the clients would be a huge dataset and be especially complicated in clusters. The memory usage is quite manageable: for the BIND patch it is at most 40-80 bytes (for 32 or 64 bit machines) per request per second. You're doing well if you need a

Re: Open Resolver Problems

2013-03-27 Thread Tony Finch
Jack Bates jba...@brightok.net wrote: You'll also find that [DNS RRL] serves little purpose. In my experience it works extremely well. Yes it is possible to work around it, but you still need to stop the attacks that are happening now. It is good to make the attacker's job harder. 1) tcp RRL
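The two posts above argue that RRL state is small because it is keyed per (client prefix, response) per second, and that a truncated "slip" reply still lets a real client retry over TCP. The following is an added illustration of that mechanism, not Tony Finch's code nor the BIND RRL patch itself; it keeps one bucket per (client /24 or /56, qname, qtype) per second, answers the first N responses, then alternates between dropping and sending a TC=1 slip. The rate, slip ratio, prefix lengths and the sample traffic (a spoofed "isc.org ANY" flood from 203.0.113.7, a legitimate client at 198.51.100.1, and a neighbour of the flood source in the same /24) are all constructed assumptions. Real RRL also buckets errors and NXDOMAIN separately, which this model leaves out.

```python
"""Response Rate Limiting, modelled: one bucket per (client prefix, response) per second."""
import ipaddress
from collections import defaultdict

RESPONSES_PER_SECOND = 5   # assumed policy; BIND RRL calls this responses-per-second
SLIP = 2                   # every 2nd limited response becomes a truncated (TC=1) reply, the rest are dropped
IPV4_PREFIX = 24           # clients are bucketed by prefix, not by exact address
IPV6_PREFIX = 56


def client_key(ip: str) -> str:
    """Collapse a client address to the prefix its bucket is keyed on."""
    addr = ipaddress.ip_address(ip)
    plen = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


class ResponseRateLimiter:
    def __init__(self, rps: int = RESPONSES_PER_SECOND, slip: int = SLIP):
        self.rps = rps
        self.slip = slip
        # (client prefix, qname, qtype) -> [second, responses this second, limited-response counter]
        self.buckets: dict = {}

    def decide(self, ts: float, client_ip: str, qname: str, qtype: str) -> str:
        """Return 'answer', 'slip' (send TC=1 so a real client retries over TCP) or 'drop'."""
        key = (client_key(client_ip), qname.lower().rstrip("."), qtype.upper())
        sec = int(ts)
        state = self.buckets.get(key)
        if state is None or state[0] != sec:
            state = [sec, 0, 0]          # new second: reset the bucket
            self.buckets[key] = state
        state[1] += 1
        if state[1] <= self.rps:
            return "answer"
        state[2] += 1
        if self.slip and state[2] % self.slip == 0:
            return "slip"
        return "drop"

    def expire(self, now: float) -> int:
        """Drop buckets from earlier seconds; state is bounded by distinct (prefix, response) per second."""
        cutoff = int(now) - 1
        for key in [k for k, v in self.buckets.items() if v[0] < cutoff]:
            del self.buckets[key]
        return len(self.buckets)


def constructed_traffic():
    """Constructed sample: a spoofed 'isc.org ANY' flood, a legitimate client, and a neighbour of the flood source."""
    traffic = [(i * 0.04, "203.0.113.7", "isc.org.", "ANY") for i in range(20)]
    for i, name in enumerate(["www.example.com.", "mail.example.com.", "example.net.",
                              "ns1.example.org.", "example.edu."]):
        traffic.append((0.5 + i * 0.05, "198.51.100.1", name, "A"))
    traffic.append((0.9, "203.0.113.200", "isc.org.", "ANY"))  # same /24 as the spoofed source
    return traffic


def simulate(rps: int = RESPONSES_PER_SECOND, slip: int = SLIP):
    """Run the constructed traffic through the limiter; return per-client decision counts and bucket count."""
    limiter = ResponseRateLimiter(rps, slip)
    counts = defaultdict(lambda: defaultdict(int))
    for ts, ip, qname, qtype in sorted(constructed_traffic()):
        counts[ip][limiter.decide(ts, ip, qname, qtype)] += 1
    return {ip: dict(c) for ip, c in counts.items()}, len(limiter.buckets)


if __name__ == "__main__":
    decisions, nbuckets = simulate()
    for ip, c in decisions.items():
        print(ip, c)
    print("buckets held:", nbuckets)
```

The neighbour at 203.0.113.200 shares the flooder's /24 and asks the same question in the same second, so it is rate-limited too; it gets a slip rather than silence, which is the point of the TC=1 reply. The legitimate client asking five different names is untouched, and the limiter holds six buckets for the whole second of traffic.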

Re: Open Resolver Problems

2013-03-27 Thread Jack Bates
On 3/27/2013 4:49 PM, Tony Finch wrote: Jack Bates jba...@brightok.net wrote: 3) BCP38 (in spirit) That should be deployed as well as RRL. Tony. If BCP38 was properly deployed, what would be the purpose of RRL outside of misbehaving clients or direct attacks against that one server? We

Re: Open Resolver Problems

2013-03-27 Thread Tony Finch
Jack Bates jba...@brightok.net wrote: If BCP38 was properly deployed, what would be the purpose of RRL outside of misbehaving clients or direct attacks against that one server? If fictional scenario, irrelevant answer. Given the current situation, efforts to deploy both RRL and BCP38 in

Re: Open Resolver Problems

2013-03-27 Thread Joe Abley
On 2013-03-27, at 17:59, Jack Bates jba...@brightok.net wrote: DNS is UDP for a reason. Not a great reason, as it turns out. But hindsight is 20/20. The infrastructure to switch it to TCP is prohibitive and completely destroys the anycast mechanisms. No. Joe

Re: Open Resolver Problems

2013-03-27 Thread Valdis . Kletnieks
On Wed, 27 Mar 2013 16:59:16 -0500, Jack Bates said: On 3/27/2013 4:49 PM, Tony Finch wrote: Jack Bates jba...@brightok.net wrote: 3) BCP38 (in spirit) That should be deployed as well as RRL. Tony. If BCP38 was properly deployed, what would be the purpose of RRL outside of

Re: Open Resolver Problems

2013-03-26 Thread Valdis . Kletnieks
On Mon, 25 Mar 2013 23:19:31 -0400, Christopher Morrow said: Some of us have both publicly-facing authoritative DNS, and inward facing recursive servers that may be open resolvers but can't be found via NS entries (so the IP addresses of those aren't exactly publicly available info).

Re: Open Resolver Problems

2013-03-26 Thread Nick Hilliard
On 26/03/2013 07:51, valdis.kletni...@vt.edu wrote: Now explain how you find a recursive nameserver that isn't listed in an NS entry and *hasn't* been publicized someplace that Google can find it. Um, you run one of e.g.: http://nmap.org/nsedoc/scripts/dns-recursion.html
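The nmap script linked above finds recursive servers the same way any open-resolver scanner does: send a query with RD set for a name the target is not authoritative for, and see whether it comes back with RA set and an answer. The following is an added example of that check, not nmap's script nor anyone's code from this thread; the packet builder and classifier run offline against constructed responses, and the optional probe() function is the only part that touches the network. The target address, the probed name www.example.com and the response flag values are assumptions; use it only against ranges you are responsible for.

```python
"""Open-resolver check: RD=1 query, classify the reply by QR/RA/RCODE and answer count."""
import random
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # DNS header flag bits
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """One question, class IN, RD=1: the question an open resolver should not answer for strangers."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def classify_response(data: bytes, txid: int) -> str:
    """'open' if the server recursed for us, 'refused', 'closed' (no RA), or 'invalid'."""
    if len(data) < 12:
        return "invalid"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & QR:
        return "invalid"
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        return "refused"
    if flags & RA and rcode == 0 and ancount > 0:
        return "open"
    return "closed"


def probe(server_ip: str, name: str = "www.example.com", port: int = 53, timeout: float = 2.0) -> str:
    """Send the query over UDP and classify what comes back (IPv4 only; use AF_INET6 for v6 targets)."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server_ip, port))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no-response"
    return classify_response(data, txid)


def constructed_response(txid: int, flags: int, with_answer: bool, name: str = "www.example.com") -> bytes:
    """Constructed reply for offline testing: header, echoed question, optional A record 192.0.2.1."""
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if with_answer else 0, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if with_answer:
        # name pointer to offset 12, type A, class IN, TTL 300, rdlength 4, rdata
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return msg


if __name__ == "__main__":
    for label, flags, ans in [("open resolver", QR | RD | RA, True),
                              ("refuses strangers", QR | RD | RA | RCODE_REFUSED, False),
                              ("no recursion offered", QR | RD, False)]:
        print(label, "->", classify_response(constructed_response(0x1234, flags, ans), 0x1234))
```

An authoritative-only server that still sets RA in its replies will show up as "closed" here only because it returns no answer for the foreign name; a server that answers with RA set and a real record has recursed on behalf of an arbitrary source and is what the thread calls an open resolver.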

Re: Open Resolver Problems

2013-03-26 Thread Dobbins, Roland
On Mar 26, 2013, at 3:13 PM, Nick Hilliard wrote: The whole point of this thread is that dns amplification hurts other people, not the resolver which is being abused. Actually, it often hurts the resolver(s) being abused, as well, leading to availability problems for those who legitimately
