[63711] in North American Network Operators' Group


Re: Sitefinder and DDoS

daemon@ATHENA.MIT.EDU (bmanning@karoshi.com)
Thu Oct 9 15:04:51 2003

From: bmanning@karoshi.com
To: hcb@gettcomm.com (Howard C. Berkowitz)
Date: Thu, 9 Oct 2003 11:25:09 -0700 (PDT)
Cc: nanog@merit.org
In-Reply-To: <p05100345bbab44c0b33e@[192.168.0.2]> from "Howard C. Berkowitz" at Oct 09, 2003 01:06:44 PM
Errors-To: owner-nanog-outgoing@merit.edu


> 
> 
> Let's assume for a moment that Verisign's wildcards and Sitefinder go 
> back into operation.
> 
> Let's also assume someone sets up a popular webpage with malware HTML 
> causing it, perhaps with a time delay, to issue rapid GETs to 
> deliberately nonexistent domains.
> 
> What would be the effect on overall Internet traffic patterns if 
> there were one Sitefinder site?  (flashback to ARPANET node 
> announcing it had zero cost to any route)
> 
> How many Sitefinder nodes would we need to avoid massive single-point 
> congestion?

	you may wish to review/examine the AS112 project
	materials.  I used to run the single instance of
	the authoritative DNS service for RFC 1918 space.
	We were periodically hammered and discovered an
	interesting "local" optimization from one vendor
	who did not respect the "negative-caching" timers.
	
	The upshot was that the normal "blow-the-bolts"
	tactic that usually compartmentalizes failures
	actually aggravated the problem. :)

	The single instance was migrated to the anycast
	model under the AS112 folks.
	
> I am NOT suggesting this simply as an argument against Sitefinder, 
> and I'd like to see engineering analysis of how this vulnerability 
> could be prevented.

--bill
