Re: Vixie warns: DNS Changer ‘blackouts’ inevitable
On Wed, May 23, 2012 at 1:40 AM, <bmanning@vacation.karoshi.com> wrote:
Paul will be there to turn things off when they no longer make money for his company.
is the dns changer thingy making money for isc?
On Wed, May 23, 2012 at 04:33:28PM -0400, Christopher Morrow wrote:
On Wed, May 23, 2012 at 1:40 AM, <bmanning@vacation.karoshi.com> wrote:
Paul will be there to turn things off when they no longer make money for his company.
is the dns changer thingy making money for isc?
pretty sure. a contract w/ the Feds, outsourcing contracts w/ affected ISPs when the Fed deal runs out, development funding to code these kinds of fixes into future versions of software, any number of second and third order fallout. No telling how effective constant self-promotion is. One thing is clear, Paul is able to tell a great story. but it's all speculation from here. ISC is well positioned to extract value from both ends of the spectrum. They have a great business model. The optics look pretty odd from here, at least to me however - I am very glad for: )open source & )other vendors of DNS SW.
/bill
[Dnschanger substitute server operations]
One thing is clear, Paul is able to tell a great story.
PR for ISC is somewhat limited, it's often attributed to the FBI:
| The effort, scheduled to begin this afternoon, is designed to let
| those people know that their Internet connections will stop working
| on July 9, when temporary servers set up by the FBI to help
| DNSChanger victims are due to be disconnected.
<http://news.cnet.com/8301-1009_3-57439407-83/google-will-alert-users-to-dnschanger-malware-infection/>
| The FBI has now seized control of the malicious DNS servers, but
| countless computers are still infected with the malware.
<http://www.h-online.com/security/news/item/Google-warns-DNSChanger-victims-1583037.html>
| The malware is so vicious — it can interfere with users' Web
| browsing, steer them to fraudulent websites and make their computers
| vulnerable to other malicious software — that the FBI has put a
| safety net of sorts in place, using government computers to prevent
| any Internet disruptions for users whose computers may be infected.
<http://www.technolog.msnbc.msn.com/technology/technolog/infected-users-get-legit-warning-about-july-9-internet-doomsday-751078>
(I'm just quoting what I found. Some of the linked articles contain bogus information.)
In any case, this isn't what bugs me about the whole process. I don't like the way this is implemented—mainly the use of RPZ, but there are other concerns. The notification process has some issues as well, but it's certainly a great learning exercise for all folks involved with this. To me, it doesn't really matter that Dnschanger is fairly minor as far as such things go. Hopefully, the knowledge and the contacts established can be applied to other cases as well.
On Mon, May 28, 2012 at 2:56 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
[Dnschanger substitute server operations]
One thing is clear, Paul is able to tell a great story.
PR for ISC is somewhat limited, it's often attributed to the FBI:
| The effort, scheduled to begin this afternoon, is designed to let
| those people know that their Internet connections will stop working
| on July 9, when temporary servers set up by the FBI to help
| DNSChanger victims are due to be disconnected.
| The FBI has now seized control of the malicious DNS servers, but
| countless computers are still infected with the malware.
<http://www.h-online.com/security/news/item/Google-warns-DNSChanger-victims-1583037.html>
| The malware is so vicious — it can interfere with users' Web
| browsing, steer them to fraudulent websites and make their computers
| vulnerable to other malicious software — that the FBI has put a
| safety net of sorts in place, using government computers to prevent
| any Internet disruptions for users whose computers may be infected.
(I'm just quoting what I found. Some of the linked articles contain bogus information.)
In any case, this isn't what bugs me about the whole process. I don't like the way this is implemented—mainly the use of RPZ, but there are other concerns. The notification process has some issues as well, but it's certainly a great learning exercise for all folks involved with this. To me, it doesn't really matter that Dnschanger is fairly minor as far as such things go. Hopefully, the knowledge and the contacts established can be applied to other cases as well.
Exactly how much can it cost to serve up those requests... I mean for 9$ a month I have a cpu that handles 2000 *Recursive* Queries a second. 900 bux could net me *200,000* a second if not more. The government overspends on a lot of things.. they need someone who's got the experience to use a bunch of cheap servers for the resolvers and a box that hosts the IPs used and then distributes the query packets.
On Thu, May 31, 2012 at 9:14 AM, cncr04s/Randy <cncr04s@gmail.com> wrote:
Exactly how much can it cost to serve up those requests... I mean for 9$ a month I have a cpu that handles 2000 *Recursive* Queries a
network bandwidth people/monitoring router(s) redundancy geo-local copies
you are asking the wrong question
-chris
cncr04s/Randy wrote:
Exactly how much can it cost to serve up those requests... I mean for 9$ a month I have a cpu that handles 2000 *Recursive* Queries a second. 900 bux could net me *200,000* a second if not more. The government overspends on a lot of things..
Looks like you just answered your own question:
they need someone who's got the experience to use a bunch of cheap servers for the resolvers and a box that hosts the IPs used and then distributes the query packets.
I expect part of what the FBI is paying for is the time of people with that expertise.
--
In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
On Thu, 31 May 2012 08:14:40 -0500, "cncr04s/Randy" said:
Exactly how much can it cost to serve up those requests... I mean for 9$ a month I have a cpu that handles 2000 *Recursive* Queries a second. 900 bux could net me *200,000* a second if not more. The government overspends on a lot of things.. they need someone who's got the experience to use a bunch of cheap servers for the resolvers and a box that hosts the IPs used and then distributes the query packets.
For $50/mo I can have a connection from Comcast. That doesn't mean that I could run my own cable to the nearest major exchange for anywhere near $50. Also, what's the failover if your $9/mo CPU develops a bad RAM card? Does your $9/mo CPU have sufficient geographic diversity to survive a backhoe? And about 4 zillion other things that people that actually have to run production services worry about...
On Thu, May 31, 2012 at 10:39 AM, <valdis.kletnieks@vt.edu> wrote:
On Thu, 31 May 2012 08:14:40 -0500, "cncr04s/Randy" said:
Exactly how much can it cost to serve up those requests... I mean for 9$ a month I have a cpu that handles 2000 *Recursive* Queries a second. 900 bux could net me *200,000* a second if not more. The government overspends on a lot of things.. they need someone who's got the experience to use a bunch of cheap servers for the resolvers and a box that hosts the IPs used and then distributes the query packets.
For $50/mo I can have a connection from Comcast. That doesn't mean that I could run my own cable to the nearest major exchange for anywhere near $50.
Also, what's the failover if your $9/mo CPU develops a bad RAM card? Does your $9/mo CPU have sufficient geographic diversity to survive a backhoe? And about 4 zillion other things that people that actually have to run production services worry about...
My comment was directed at government spending... no need to have such an angry tone about the "comment". I was only comparing to what I spend on my large volumes of queries and what this so called expensive stuff the government is running... And I have never developed a bad ram card, even if I did, replacements are easy as I'm talking about distributed vps in this case.
On 31/05/2012 17:11, cncr04s/Randy wrote:
My comment was directed at government spending... no need to have such an angry tone about the "comment". I was only comparing to what I spend on my large volumes of queries and what this so called expensive stuff the government is running... And I have never developed a bad ram card, even if I did, replacements are easy as I'm talking about distributed vps in this case.
I'm getting the impression that the ISC involvement with the FBI on this issue went well beyond the notion of sticking a couple of noddy DNS servers on the Internet and well into the realm of engineering consultancy, court appearances, engineering and management all-nighters, providing a level of trustworthy service that could be justified to a court of criminal law and so on. All for $87k? Personally, I don't have a problem with that level of expenditure.
Nick
Is it time to drop this yet? Three weeks old. Let's move on.
Richard Golodner
Exactly how much can it cost to serve up those requests... I mean for 9$ a month I have a cpu that handles 2000 *Recursive* Queries a second. 900 bux could net me *200,000* a second if not more. The government overspends on a lot of things.. they need someone who's got the experience to use a bunch of cheap servers for the resolvers and a box that hosts the IPs used and then distributes the query packets.
For $50/mo I can have a connection from Comcast. That doesn't mean that I could run my own cable to the nearest major exchange for anywhere near $50.
Also, what's the failover if your $9/mo CPU develops a bad RAM card? Does your $9/mo CPU have sufficient geographic diversity to survive a backhoe? And about 4 zillion other things that people that actually have to run production services worry about...
Why should the taxpayers pay for geographic diversity or any of those 4 zillion other things required to keep these DNS servers up so infected computers can continue to reach the Internet? I don't really mind paying $9/300 millionths per month to help folks make a smooth transition back to proper DNS, but I wouldn't want to pay much more. The FBI should have just pulled the plug and let the folks who can't connect inundate their ISPs with support calls, which might encourage the ISPs to be a little more proactive about shutting down the botnets they host.
On Thu, 31 May 2012, cncr04s/Randy wrote:
Exactly how much can it cost to serve up those requests... I mean for 9$ a month I have a cpu that handles 2000 *Recursive* Queries a second. 900 bux could net me *200,000* a second if not more. The government overspends on a lot of things.. they need someone who's got the experience to use a bunch of cheap servers for the resolvers and a box that hosts the IPs used and then distributes the query packets.
So you'd offer your expertise for $9 (or $900) a month 24/7? Since you imply server cost is the only cost in operating such a service......
--
david raistrick http://www.netmeister.org/news/learn2quote.html drais@icantclick.org
In a message written on Thu, May 31, 2012 at 08:14:40AM -0500, cncr04s/Randy wrote:
Exactly how much can it cost to serve up those requests... I mean for 9$ a month I have a cpu that handles 2000 *Recursive* Queries a second. 900 bux could net me *200,000* a second if not more. The government overspends on a lot of things.. they need someone who's got the experience to use a bunch of cheap servers for the resolvers and a box that hosts the IPs used and then distributes the query packets.
The interesting bit with DNSChanger isn't serving up the requests, but the engineering to do it in place. Remember, all of the clients are pointed to specific IP addresses by the malware. The FBI comes in and takes all the servers because they are going to be used in the court case, and then has to pay someone to figure out how to stand a service back up at the exact same IPs serving those infected clients in a way they won't notice. This includes working with the providers of the IP Routing, IP Address blocks, colocation space and so on to keep providing the service.
In this case it was also pre-planned to be nearly seamless so that end users would not see any down time, and the servers had to be fully instrumented to capture all of the infected client IP addresses and report them to various parties for remediation, including further evidence to the court for the legal proceedings.
The FBI also had to convince a judge this was the right thing to do, so I'm sure someone had to pay some experts to explain all of this to a judge to make it happen.
I suspect the cost of the hardware to handle the queries is negligible, I doubt of all the money spent more than a few thousand dollars went to the hardware. It seems like the engineering and coordination was rather significant here, and I'll bet that's where all the money was spent.
--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
participants (11)
- bmanning@vacation.karoshi.com
- Christopher Morrow
- cncr04s/Randy
- david raistrick
- Florian Weimer
- John Lightfoot
- Leo Bicknell
- Miles Fidelman
- Nick Hilliard
- Richard Golodner
- valdis.kletnieks@vt.edu