On 9/23/2003 at 5:16 PM, "Mike Tancsa" <mike@sentex.net> wrote:
> is also offline due to a DDoS.
And the ignorance of front-end personnel in LE agencies, unless you are the NY Times and claim $500,000 in purely fictitious damages, can be a bit frustrating. Spamcop and Spamhaus have been undergoing intense DDoS attacks for months, and I am only partially aware how they are being mitigated. If certain large operators can donate bandwidth and equipment for IRC servers in locations with OC-12 and better connectivity, AND live through the DDoS attacks that come with it, why not step forward and provide some forwarding-proxy service for some of the websites and distribution sites for DNSBLs, plus possibly proxying DNS traffic? OpenRBL.org has stated (http://www.openrbl.org/index-2.htm) that the bandwidth required for actual application traffic can be very low (0.5Mbps or less), not counting DDoS traffic. No arrangements of that kind have to be public knowledge.

Other measures:

- Got a spare /20 that can be used to make the forwarding proxy hop around a bit, every 5 minutes or so, with DNS TTLs in the 10-minute range? It's been done with 'moving-target' spamvertised sites like optinspecialists.info, which is currently using a LARGE number of compromised Windows hosts illegally to proxy DNS and HTTP traffic for them. They've been doing it for weeks. Do the registrars care? Hell no. (See morozreg.biz, bubra.biz, the domains used for DNS; domains you probably want to add local zone overrides for, in your nameservers, not your HOSTS file.) Now we know how Al-Qaeda is hiding their websites, at last. It would be trivial to 'sinkhole' DoS traffic still going on to IPs of the recent past, greatly increasing the chances of catching the perpetrators as they keep switching their trojans to new IPs, hitting a few fully-sniffed honeypots while they are at it.

- BGP anycast, ideally suited for such forwarding proxies. Anyone here feeling very adept with BGP anycast (I don't) for the purpose of running such a service?

This is a solution that has to be suggested and explained to some of the DNSBL operators. If someone reading this has gone forward with a private mailing list to discuss all these issues, I'd be happy to receive an invitation to donate my [lack of] smarts to the cause.

bye,
Kai
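Detection logic for the 'moving-target' pattern described in the mail (answer sets hopping every few minutes behind short TTLs), as an added example that is not part of the original post. It runs over constructed resolver observations with made-up hostnames and addresses; the 15-minute TTL ceiling and the two-change threshold are assumed tuning values.

```python
"""Flag hostnames whose DNS answers churn behind short TTLs.

Added example, not from the original mail. Input lines are a constructed
resolver log in the form: 'timestamp domain ttl ip[,ip...]'.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: 'hop.example' changes its A records every 5 minutes
# with a 10-minute TTL; 'stable.example' keeps one address with a day TTL.
SAMPLE_LOG = """\
2003-09-23T17:00:00 hop.example 600 192.0.2.10,192.0.2.11
2003-09-23T17:05:00 hop.example 600 192.0.2.12,198.51.100.7
2003-09-23T17:10:00 hop.example 600 203.0.113.5,198.51.100.8
2003-09-23T17:15:00 hop.example 600 203.0.113.9
2003-09-23T17:00:00 stable.example 86400 192.0.2.50
2003-09-23T17:05:00 stable.example 86400 192.0.2.50
2003-09-23T17:10:00 stable.example 86400 192.0.2.50
"""


def parse_observations(text):
    """Parse log lines into {domain: [(timestamp, ttl, set_of_ips), ...]}."""
    obs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, domain, ttl, ips = line.split()
        obs[domain].append((datetime.fromisoformat(ts), int(ttl), set(ips.split(","))))
    for records in obs.values():
        records.sort(key=lambda r: r[0])  # chronological order per domain
    return obs


def churn_score(records):
    """Return (distinct_ips_seen, answer_set_changes, max_ttl) for one domain."""
    seen, changes, prev = set(), 0, None
    for _, _, ips in records:
        seen |= ips
        if prev is not None and ips != prev:
            changes += 1
        prev = ips
    return len(seen), changes, max(ttl for _, ttl, _ in records)


def flag_moving_targets(text, max_ttl=900, min_changes=2):
    """Domains whose answers changed >= min_changes times with every TTL <= max_ttl."""
    flagged = []
    for domain, records in parse_observations(text).items():
        _, changes, ttl = churn_score(records)
        if changes >= min_changes and ttl <= max_ttl:
            flagged.append(domain)
    return sorted(flagged)
```

Flagged names are candidates for a local zone override or sinkhole on your resolvers, as the mail suggests, after a human has looked at them.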