From: j.hall at f5.com (John Hall)
Subject: FW: Question for DNS pros

We're starting to get way beyond answering the initial request and
into design decisions that are likely competitively useful, but I'll
try to answer what I can.

Nils Ketelsen wrote:

>I do not know anything about 3-DNS apart from what I read in this thread, so
>please excuse me if I get anything wrong or seem to be not understanding:
>
>1. Why do you need to measure metrics for my DNS days after I might have
>visited a site?
Sites using 3-DNS want to ensure performance and reliability of their
sites on an ongoing basis and are usually popular enough for it to
make sense to keep metrics for a site that has visited recently, since
chances are good they'll visit again soon.

>2. How does this kind of setup scale (imagine everyone did that)?
If everyone bought 3-DNS's, I could retire and not worry about this
stuff at all!  ;)  I agree that if "everyone" did this, it might cause
a noticeable amount of traffic (still, probably a lot less than the amount
of traffic you see in unsolicited email though).  Remember that those
probe packets are all very small.

>And if I, for example, spoof DNS requests from each IP-Address in the /8 of
>the organization I dislike?
>
>Or I spoof DNS requests from every IP-Address in 0.0.0.0/0?
>
>Will you then be sending out probe packets for a few days to all these
>IP-Addresses? That sounds like a DOS Amplifier to me.

In addition to rate limiting the number of packets we send to any local
DNS (LDNS), we also limit the number of "factories" that do the probing,
so the total probe packet output from a group of 3-DNS's is also limited
to a very reasonable value.

>So worst case:
>
>20 packets per hour times 2^32 possible IP Addresses makes you send out
>85899345920 an hour. Not bad. And that is for each of your customers, right?
>
>If I happen to have a /8 I might receive 5592405 Probe packets a second per
>3-DNS group. I would call that significant.
No.  The total probe packet generation capacity of a 3-DNS group is limited.

>Nils
JMH

-- 

John Hall              Test Manager - Switch Team             F5 Networks, Inc.
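As an added illustration (not F5 code and not part of this thread), the model below shows the difference between the two limits John describes: a per-LDNS limit alone lets probe output grow with the number of spoofed source addresses, while an aggregate cap on the factory group bounds it regardless of how many addresses are spoofed. The prefix, rates and cap are constructed values.

```python
"""Constructed model of probe rate limiting for a group of 3-DNS factories.

Each DNS query seen from a local DNS (LDNS) address creates a wish to probe
that LDNS. The scheduler applies two limits: a per-LDNS hourly limit, and
optionally an aggregate hourly cap (the number of probing factories times
each factory's output). Values are constructed for illustration only.
"""
import ipaddress
from collections import Counter


class ProbeScheduler:
    def __init__(self, per_ldns_per_hour, total_per_hour=None):
        self.per_ldns_per_hour = per_ldns_per_hour
        self.total_per_hour = total_per_hour  # None means no aggregate cap
        self.sent_to = Counter()              # probes sent per LDNS this hour
        self.total_sent = 0

    def request_probe(self, ldns):
        """Return True if a probe to `ldns` is allowed and count it."""
        if self.sent_to[ldns] >= self.per_ldns_per_hour:
            return False
        if self.total_per_hour is not None and self.total_sent >= self.total_per_hour:
            return False
        self.sent_to[ldns] += 1
        self.total_sent += 1
        return True


def spoofed_hour(prefix, queries_per_source, per_ldns_per_hour, total_per_hour=None):
    """Probes emitted in one hour when queries are spoofed from every host
    address in `prefix`, each address appearing `queries_per_source` times."""
    sched = ProbeScheduler(per_ldns_per_hour, total_per_hour)
    for addr in ipaddress.ip_network(prefix).hosts():
        for _ in range(queries_per_source):
            sched.request_probe(int(addr))
    return sched.total_sent


if __name__ == "__main__":
    # A /20 (4094 host addresses) keeps the simulation quick; the shape of
    # the result is the same for a /8.
    uncapped = spoofed_hour("10.0.0.0/20", 25, 20)
    capped = spoofed_hour("10.0.0.0/20", 25, 20, total_per_hour=20_000)
    print(f"per-LDNS limit only:      {uncapped} probes/hour")
    print(f"plus aggregate group cap: {capped} probes/hour")
```

With only the per-LDNS limit the output is 20 probes times every spoofed address; with the group cap it stops at the cap no matter how large the prefix is.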

