At 3:50 AM -0700 2005-09-09, Nelson Minar wrote:
> I realized after sending my mail that we do have a means of group
> defense; DNS entries. If we have a way to identify bad clients we
> could simply stop serving DNS requests for pool.ntp.org to those
> clients. But maybe there's no need to develop this kind of thing.
Bad client A contacts their DNS server B, to find the IP address
of poor abused time server C. DNS query comes in from B to pool
nameserver D, which knows nothing about A. B is told about the IP
address(es) of C, and returns that information to A. A now starts
abusing C.
Good client E contacts the same DNS server B, which has cached
the information it got from D, and returns that to E. E now starts
sending queries to C as well.
C reports A as an abusive client back to D, but how can D tell
where this client got the information? Maybe the owner of A found a
list taped to a wall somewhere and copied down the entries by hand.
Now, if C includes the date/time stamp of when it first started
seeing queries from A, then D may be able to look through the logs to
see if it got any queries around that timeframe.
But what happens if A is the good client and E is the bad one?
Do we want server D to blame some other poor unsuspecting site that
happened to query for this same information around the same time that
E started hammering on C?
You'd have to also look at the IP address of the abusive client
and see if a DNS query came in from another machine on the same
network, but many ISPs have a number of /24, /16, or other size
networks assigned to them, and you might see DNS queries come in from
any of these networks on behalf of any of their users.
So, you'd have to go back to something like the Route Arbiter
database to see what networks are registered to what organizations,
and then you'd have to iterate through all IP addresses that could
potentially have resulted in a given client that started abusing a
given server, to see if any of them are owned by the same
organization. You can't just ask the Route Arbiter database to tell
you what all other networks are owned by that same organization --
you have to come in from the other way around, and brute-force the
issue.
Even then, it's possible that someone may have copied an IP
address off a list taped to a wall somewhere, and never did a DNS
query at all before they started hammering the respective time
servers.
I don't think that this problem can be solved. Even if you could
definitively tie down a particular abusive client as coming through a
given nameserver (or set of nameservers), what would you do?
Would you direct all clients coming from those nameservers over
to bogus IP addresses, or just black hole all queries coming in from
those nameservers? Would you throw away all clients coming in from
that network, just because of a single abusive client that hammered
your server?
That would be far worse than throwing the baby away with the bath
water. That would be like throwing away the whole country that the
baby came from, and everything else included, when throwing away the
bath water.
I don't think that this problem can be solved. At least, it
certainly can't be solved the way you're thinking.
--
Brad Knowles, <[EMAIL PROTECTED]>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
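The correlation heuristic discussed above (match a time server's "first seen" timestamp for an abusive client against the pool nameserver's query log, then check whether a resolver sits on the client's network), as an added example that is not part of the original thread; the resolver log, client addresses and the 5-minute window are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of pool nameserver D's query log: (resolver IP, query time).
DNS_LOG = [
    ("198.51.100.53", datetime(2005, 9, 9, 10, 0, 5)),   # resolver B
    ("203.0.113.9",   datetime(2005, 9, 9, 10, 1, 40)),  # some other resolver
    ("192.0.2.77",    datetime(2005, 9, 9, 11, 30, 0)),  # far outside any window
]


@dataclass
class AbuseReport:
    """What time server C sends to D: the abusive client and first-seen time."""
    client: str
    first_seen: datetime


def candidate_resolvers(report, log=DNS_LOG, window=timedelta(minutes=5)):
    """Resolvers that asked D for the pool records shortly before the abuse began.

    Returns a sorted list; more than one entry means the blame is ambiguous,
    an empty list means the client never came through D at all (the
    "list taped to a wall" case).
    """
    lo = report.first_seen - window
    return sorted({ip for ip, t in log if lo <= t <= report.first_seen})


def same_network(client, resolver, prefix_len=24):
    """Assumed heuristic: does the client share a /prefix_len with the resolver?

    Only a weak hint; as the mail notes, an ISP's resolver and its customers
    often live in entirely different assigned blocks.
    """
    net = ip_network(f"{resolver}/{prefix_len}", strict=False)
    return ip_address(client) in net


def attribute(report, log=DNS_LOG):
    """Rank candidates: resolvers on the client's /24 first, then the rest."""
    cands = candidate_resolvers(report, log)
    near = [r for r in cands if same_network(report.client, r)]
    far = [r for r in cands if r not in near]
    return {"client": report.client, "same_net": near, "other": far}


if __name__ == "__main__":
    print(attribute(AbuseReport("198.51.100.200", datetime(2005, 9, 9, 10, 0, 30))))
    print(attribute(AbuseReport("10.0.0.1", datetime(2005, 9, 9, 10, 2, 0))))
    print(attribute(AbuseReport("192.0.2.10", datetime(2005, 9, 9, 10, 0, 0))))
```

The second report lands two resolvers in the window with neither on the client's network, and the third finds none, which is the ambiguity the mail is pointing at.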
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers