monkeys.dom UPL being DDOSed to death
Kai Schlichting
kai at pac-rim.net
Tue Sep 23 22:11:23 UTC 2003
On 9/23/2003 at 5:16 PM, "Mike Tancsa" <mike at sentex.net> wrote:
> http://www.openrbl.org
> is also offline due to a DDoS.
And the ignorance of front-end personnel in LE agencies, unless you are
the NY Times and claim $500,000 in purely fictitious damages, can be a bit
frustrating.
Spamcop and Spamhaus have been undergoing intense DDoS attacks for
months, and I am only partially aware how they are being mitigated.
If certain large operators can donate bandwidth and equipment for
IRC servers in locations with OC-12 and better connectivity, AND
live through the DDoS attacks that come with it, why not step forward
and provide some forwarding-proxy service for some of the websites
and distribution sites for DNSBLs, plus possibly proxying DNS traffic?
OpenRBL.org has stated (http://www.openrbl.org/index-2.htm) that the
bandwidth required for actual application traffic can be very low
(0.5Mbps or less), not counting DDoS traffic.
No arrangements of that kind have to be public knowledge.
Other measures:
- Got a spare /20 that can be used to make the forwarding proxy hop around
a bit, every 5 minutes or so, with DNS TTLs in the 10-minute range?
It's been done with 'moving-target' spamvertised sites like
optinspecialists.info , which is currently using a LARGE number of
compromised Windows hosts illegally to proxy DNS and HTTP traffic for
them. They've been doing it for weeks. Do the registrars care? Hell no.
(see morozreg.biz, bubra.biz, the domains used for DNS, domains you
probably want to add local zone overrides for, in your nameservers,
not your HOSTS file.) Now we know how Al-Qaeda is hiding their websites,
at last.
It would be trivial to 'sinkhole' DoS traffic still going on to IPs of
the recent past, greatly increasing the chances of catching the
perpetrators as they keep switching their trojans to new IPs,
hitting a few fully-sniffed honeypots while they are at it.
- BGP anycast, ideally suited for such forwarding proxies.
Anyone here feeling very adept with BGP anycast (I don't) for
the purpose of running such a service? This is a solution that
has to be suggested and explained to some of the DNSBL operators.
If someone reading this has gone forward with a private mailing list to
discuss all these issues, I'd be happy to receive an invitation to donate
my [lack of] smarts to the cause.
bye, Kai
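Added example, not part of Kai's post or any DNSBL operator's code: a constructed model of the moving-target proxy idea above (address hops through a /20 every 5 minutes, DNS TTL in the 10-minute range) plus a classifier that flags flows still aimed at addresses retired longer than the TTL ago, which is the traffic the post proposes to sinkhole. The prefix, the stride, the lookback and the flow lines are all assumptions.

```python
"""Moving-target proxy rotation with a TTL-aware sinkhole classifier (constructed example)."""
import ipaddress

PREFIX = ipaddress.ip_network("10.0.0.0/20")  # placeholder for the "spare /20"
HOP = 300   # seconds between address hops ("every 5 minutes or so")
TTL = 600   # DNS TTL handed out for the proxy name ("10-minute range")
STRIDE = 7919  # prime, coprime with the host count, so the walk is a full permutation


def slot(ts: int) -> int:
    """Rotation slot number for a Unix timestamp."""
    return ts // HOP


def address_for_slot(s: int) -> ipaddress.IPv4Address:
    """Proxy address served during slot s (skips network and broadcast addresses)."""
    hosts = PREFIX.num_addresses - 2
    return PREFIX[1 + (s * STRIDE) % hosts]


def dns_answer(ts: int) -> tuple[str, int]:
    """What the authoritative server should hand out at time ts: (address, ttl)."""
    return str(address_for_slot(slot(ts))), TTL


def classify(dst_ip: str, ts: int, lookback: int = 288) -> str:
    """Verdict for a flow to dst_ip seen at ts.

    current: the address served right now.
    grace:   retired, but a client that honours the TTL may still hold it.
    stale:   retired longer than TTL ago; no DNS-honouring client should use it.
    unused:  inside the prefix but never served in the lookback (24h at 5 min).
    """
    dst = ipaddress.ip_address(dst_ip)
    if dst not in PREFIX:
        return "foreign"
    now = slot(ts)
    for back in range(lookback):
        s = now - back
        if s < 0:
            break
        if address_for_slot(s) != dst:
            continue
        if back == 0:
            return "current"
        retired_at = (s + 1) * HOP  # moment the next slot took over
        return "grace" if ts - retired_at < TTL else "stale"
    return "unused"


# Constructed flow records: "<unix ts> <src> <dst>", all observed at the same instant.
FLOWS = """1000000 203.0.113.5 10.0.0.10
1000000 203.0.113.6 10.0.1.23
1000000 198.51.100.9 10.0.3.49
1000000 198.51.100.10 10.0.9.9
"""


def sinkhole_candidates(flows: str) -> list[tuple[str, str, str]]:
    """Sources still hitting retired or never-served addresses: sinkhole/capture candidates."""
    out = []
    for line in flows.splitlines():
        ts, src, dst = line.split()
        verdict = classify(dst, int(ts))
        if verdict in ("stale", "unused"):
            out.append((src, dst, verdict))
    return out
```

The grace window matters: with a 10-minute TTL and 5-minute hops, the two most recent retired addresses are still legitimate targets, so only older ones go to the sinkhole.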