Open Source and information security mailing list archives
Message-ID: <200309181600.h8IG0uOQ021761@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Petition against VeriSlime's DNS abuse 

On Thu, 18 Sep 2003 09:01:27 EDT, "Jonathan A. Zdziarski" said:

>       * Establish a new set of root servers and top level registry
>       * Publish a new root server list over 80% of ISPs will likely use,
>         resulting in Verisign's root servers to become obsolete
>       * Provide the legal and financial backing it will take to
>         accomplish this

The financial backing is non-trivial. You're going to need some pretty
serious big iron, and some pretty bad-ass bandwidth.  Remember - there are
13 root server addresses - and most of them are anycast, meaning there are
actually like 5-10 identical copies all over the place.   So be ready to
pay for 20-30 machines that have *real* reliability - you don't want to
be trying this with a Dell 2U rackmount.

http://www.caida.org/~kkeys/dns/2002-08-14/2002-08-14-queries.png

That's normal traffic. 5K queries/second per server. That's a 10-minute average,
so statistically you're going to have short bursts of MUCH higher that you need
to handle to keep the latency down.

Did I mention that you need to have enough muscle to survive a DDoS attack?
"Filter it all at the upstream" isn't a viable defense when you're a root nameserver,
since if you don't answer, things start to suck.

Oh.. and you'll need trusted and experienced people, and be willing to pay them.

And this is overlooking the fact that it isn't the root servers that are the problem.
Those have been rock solid and remarkably controversy-free.  In fact, the root
is *SO* solid that in close to 20 years, the *biggest* controversy was that Postel
switched the primary one night without written permission - by feeding a different
root server the same exact config file and letting it propagate it rather than the
usual server that did the propagation.

Your culprits are elsewhere:

Don't like the selection of top-level domains?  Talk to ICANN.

Don't like how a TLD is run? Talk to ICANN and the administrator of that TLD.

