monkeys.dom UPL being DDOSed to death

Kai Schlichting kai at pac-rim.net
Tue Sep 23 22:11:23 UTC 2003


On 9/23/2003 at 5:16 PM, "Mike Tancsa" <mike at sentex.net> wrote:

> http://www.openrbl.org
> is also offline due to a DDoS.

And the ignorance of front-end personnel in LE agencies, unless you are
the NY Times and claim $500,000 in purely fictitious damages, can be a bit
frustrating.

Spamcop and Spamhaus have been undergoing intense DDoS attacks for
months, and I am only partially aware how they are being mitigated.

If certain large operators can donate bandwidth and equipment for
IRC servers in locations with OC-12 and better connectivity, AND
live through the DDoS attacks that come with it, why not step forward
and provide some forwarding-proxy service for some of the websites
and distribution sites for DNSBLs, plus possibly proxying DNS traffic?

OpenRBL.org has stated (http://www.openrbl.org/index-2.htm) that the
bandwidth required for actual application traffic can be very low
(0.5Mbps or less), not counting DDoS traffic.

No arrangements of that kind have to be public knowledge.

Other measures:

- Got a spare /20 that can be used to make the forwarding proxy hop around
  a bit, every 5 minutes or so, with DNS TTLs in the 10-minute range?

  It's been done with 'moving-target' spamvertised sites like
  optinspecialists.info, which is currently using a LARGE number of
  compromised Windows hosts illegally to proxy DNS and HTTP traffic for
  them. They've been doing it for weeks. Do the registrars care? Hell no.
  (See morozreg.biz, bubra.biz, the domains used for DNS, domains you
  probably want to add local zone overrides for, in your nameservers,
  not your HOSTS file.) Now we know how Al-Qaeda is hiding their websites,
  at last.

  It would be trivial to 'sinkhole' DoS traffic still going on to IPs of
  the recent past, greatly increasing the chances of catching the
  perpetrators as they keep switching their trojans to new IPs,
  hitting a few fully-sniffed honeypots while they are at it.

- BGP anycast, ideally suited for such forwarding proxies.
  Anyone here feeling very adept with BGP anycast (I don't) for
  the purpose of running such a service? This is a solution that
  has to be suggested and explained to some of the DNSBL operators.

If someone reading this has gone forward with a private mailing list to
discuss all these issues, I'd be happy to receive an invitation to donate
my [lack of] smarts to the cause.

bye, Kai
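An added example, not part of Kai's post, of the two defensive ideas above in one place: the forwarding proxy hopping through a spare prefix on a fixed period with a DNS TTL longer than the hop, and the 'sinkhole' idea of spotting traffic that keeps arriving at addresses the proxy vacated longer ago than the TTL. A client that resolved the name honestly can legitimately hit an old address for up to one TTL after the hop; anything arriving later is following a hard-coded target and is the traffic you would steer to a sniffed honeypot. The /29 pool, the 5-minute hop, the 10-minute TTL and every address in the flow records are constructed here from documentation ranges, and the names (build_schedule, classify_flow, analyse) are this example's own, not a tool the post refers to.

```python
"""Moving-target proxy schedule plus 'stale target' detection.

Example code added to the thread; everything below (pool, timings,
flow records) is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import IPv4Address, ip_address, ip_network

ROTATION_PERIOD = timedelta(minutes=5)   # how often the proxy moves (assumed)
DNS_TTL = timedelta(minutes=10)          # TTL published for the proxy name (assumed)


@dataclass(frozen=True)
class Slot:
    """One hop: the address the proxy answers on between the two timestamps."""
    active_from: datetime
    active_until: datetime
    ip: IPv4Address


def build_schedule(pool, start, periods):
    """Walk the usable hosts of `pool` round-robin, one address per period."""
    hosts = list(ip_network(pool).hosts())
    slots = []
    for i in range(periods):
        t0 = start + i * ROTATION_PERIOD
        slots.append(Slot(t0, t0 + ROTATION_PERIOD, hosts[i % len(hosts)]))
    return slots


def classify_flow(schedule, dst, ts):
    """Classify a flow to `dst` at time `ts` against the hop schedule.

    current : address is the live proxy right now
    grace   : address was vacated less than one DNS TTL ago (cached answer)
    stale   : address was vacated longer ago than the TTL -> sinkhole candidate
    unknown : address was never part of the rotation
    """
    dst_ip = ip_address(dst)
    used = [s for s in schedule if s.ip == dst_ip and s.active_from <= ts]
    if not used:
        return "unknown"
    last = max(used, key=lambda s: s.active_from)
    if ts < last.active_until:
        return "current"
    if ts < last.active_until + DNS_TTL:
        return "grace"
    return "stale"


def analyse(schedule, flow_text):
    """Count verdicts over 'timestamp src dst' records; collect stale sources."""
    counts = {"current": 0, "grace": 0, "stale": 0, "unknown": 0}
    stale_sources = set()
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts_s, src, dst = line.split()
        verdict = classify_flow(schedule, dst, datetime.fromisoformat(ts_s))
        counts[verdict] += 1
        if verdict == "stale":
            stale_sources.add(src)
    return counts, sorted(stale_sources)


# Constructed schedule: 192.0.2.1 at 22:00, .2 at 22:05, .3 at 22:10, ...
START = datetime(2003, 9, 23, 22, 0)
SCHEDULE = build_schedule("192.0.2.0/29", START, 6)

# Constructed flow records (timestamp, source, destination).
SAMPLE_FLOWS = """\
2003-09-23T22:01:00 203.0.113.10 192.0.2.1
2003-09-23T22:07:00 203.0.113.11 192.0.2.1
2003-09-23T22:16:00 203.0.113.12 192.0.2.1
2003-09-23T22:16:00 203.0.113.13 192.0.2.3
2003-09-23T22:16:30 203.0.113.14 198.51.100.9
2003-09-23T22:21:00 203.0.113.12 192.0.2.2
"""


def run_demo():
    """Return (verdict counts, sources still hitting long-retired addresses)."""
    return analyse(SCHEDULE, SAMPLE_FLOWS)


if __name__ == "__main__":
    counts, stale = run_demo()
    print(counts)
    print("sinkhole candidates:", stale)
```

The grace window is what keeps this honest: with a 10-minute TTL and a 5-minute hop, a correctly behaving resolver may still hand out an address for two hops after it was retired, so only traffic older than that is worth treating as a bot following its target list rather than a stale cache.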

More information about the NANOG mailing list