At 10:51 AM +0200 2005-09-12, Miroslaw Jaworski wrote:
>> Okay, that's a little different. Running a blacklist of this
>> sort is quite an undertaking, however. A lot of work goes on behind
>> the scenes that most people who are otherwise knowledgeable with
>> regards to DNS wouldn't understand, much less anyone else.
>> I don't think using DNS is the best idea here; I would suggest
>> something simpler.
> Just to be noted: DNS is simple. Most of the blacklists use it.
I understand the DNS. I've been mucking about with it since the
very early 90s. I know all about how the blacklists are implemented
on the back-end, and many of them are actually quite painful to
operate. You may see them as being trivially simple to use, but
that's only because people like me have done backflips to make that
happen. Of course, all our work goes on behind the scenes, and you
are never aware of any of that.
> I meant to use DNS as a technical means to share the data. It can be a text file
> to be wget'ted or MySQL with a bunch of scripts - it doesn't matter.
> You stuck to the word 'DNS' instead of reviewing the idea.
>> You definitely do not want a firewall dependent on the DNS. A
>> flat text file would be a much better solution.
Of course, then you get into massive memory expansion just to
store the entire contents of that flat text file in memory, and the
firewall rules get more complex to monitor and maintain, and the
firewall as a whole probably gets a lot slower -- that is, assuming
it just doesn't break down completely.
> Don't you think an abusive NTP clients database, with a couple of example
> scripts for NTP servers' admins (usable by ANY NTP servers, BTW)
> - how to use the list, with a lookup tool ("check if you're on the
> blacklist"), an appropriate FAQ note on the pool.ntp.org webpage ("I don't
> get an answer from NTP pool servers") and a "personalized" webpage
> ("IP address X.X.X.X is on the NTP pool's blacklist. It was listed on Y,
> because of Z") for those who not only detect abusive clients and filter
> them, but also would like to contact them?
I think that this would be a reasonably good idea, so long as you
were careful about the implementation. However, regardless of how
it's implemented, running a blacklist is quite an undertaking.
If nothing else, you have to have a reliable database system with
potentially large amounts of storage, you have to have a reliable way
for certified operators to insert data into that system (and make
sure that no one else can do so, or spoof any of the certified
operators), you have to have a query mechanism for people to use to
check to see if their server is included and why, you have to run a
help desk to deal with all the complaints and operational issues on
both sides, you have to be prepared for major DoS attacks against
your systems because the Bad Guys don't like the Good Guys to be
keeping black lists (even if they aren't currently affected by them,
and of course some people will decide to go after you because they
don't like you, or just because they think you're an easy target),
and there are many other issues that would also need to be handled.
I'm not sure that this is an area where our efforts would be best
spent at the moment.
But, if you want to pursue this issue, I would encourage you to
talk to existing operators of large-scale blacklists like MAPS,
SORBS, SpamHaus, etc... and ask them about their experiences.
I've already heard more than a few stories from groups like this,
but you're clearly not going to believe anything I say.
> Such a list would decrease the burden of current self-protection each
> of the NTP pool admins spends, and distribute the load of abuse detection
> among all of those who decide to be list feeders.
True, but it would greatly increase the load on the people at the
core of the system, and I seriously doubt that Ask has the additional
resources and personal time required to make something like this
successful.
I think that this is a case where distributing that workload
across the various server operators is a much better solution, at
least as far as pool.ntp.org is concerned and the amount of resources
that Ask has available to operate it.
--
Brad Knowles, <[EMAIL PROTECTED]>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
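The message above argues over two ways of sharing a list of abusive NTP clients: a DNS-based list of the kind the mail blacklists use (the client reverses the IP's octets, queries a name under the list's zone, and reads a 127/8 answer as "listed") versus a flat text file that is fetched and held in memory by each server. The following is an added example that walks through both lookups, including the "IP address X.X.X.X is on the blacklist, listed on Y because of Z" page the proposal describes; it is not code from the timekeepers list, from pool.ntp.org or from either poster. The zone name `bl.pool.example`, the tab-separated file format, the sample entries and the stand-in resolver are all assumptions made so the example runs offline.

```python
"""Blacklist lookup the two ways the thread argues about: DNSBL-style
(reversed octets under a zone, as the mail blacklists do) and a flat
text file fetched with wget and held in memory.  Added example: the zone
name, the file format, the sample data and the stand-in resolver are
assumptions, not anything pool.ntp.org publishes."""
import ipaddress
from datetime import date
from typing import Callable, Optional

# Hypothetical zone; a real list would publish its own.
BLACKLIST_ZONE = "bl.pool.example"


def dnsbl_query_name(ip: str, zone: str = BLACKLIST_ZONE) -> str:
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone + "."


def dnsbl_listed(ip: str, resolve: Callable[[str], Optional[str]],
                 zone: str = BLACKLIST_ZONE) -> bool:
    """Listed if the name resolves to an A record inside 127.0.0.0/8.

    NXDOMAIN is modelled as None.  An answer outside 127/8 is treated as
    'not listed' rather than trusted, so a wildcard or mis-served zone
    that answers with a public address cannot mark every client as listed.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def fake_resolver(name: str) -> Optional[str]:
    """Stand-in for a DNS client so the example runs offline (constructed)."""
    answers = {"7.100.51.198.bl.pool.example.": "127.0.0.2"}
    return answers.get(name)


# Constructed sample of the flat-file form: network, date listed, reason.
SAMPLE_LIST = """\
# network<TAB>listed-on<TAB>reason
198.51.100.7\t2005-09-01\tkept polling every second after KoD
203.0.113.0/24\t2005-08-20\tbroadcast client storm
"""


class FlatFileList:
    """Flat text list held in memory.  Lookup is a linear scan over every
    entry, which is the memory and speed cost the reply above points at
    once the list gets large."""

    def __init__(self, text: str) -> None:
        self.entries = []
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split("\t")
            if len(fields) != 3:
                raise ValueError(f"line {lineno}: expected 3 tab-separated fields")
            net = ipaddress.ip_network(fields[0], strict=False)  # bare IP -> /32
            self.entries.append((net, date.fromisoformat(fields[1]), fields[2]))

    def lookup(self, ip: str) -> Optional[dict]:
        """Return the matching entry as a dict, or None if not listed."""
        addr = ipaddress.ip_address(ip)
        for net, listed_on, reason in self.entries:
            if addr in net:
                return {"network": str(net), "listed_on": listed_on.isoformat(),
                        "reason": reason}
        return None

    def explain(self, ip: str) -> str:
        """Text for the 'personalized' page the proposal describes."""
        hit = self.lookup(ip)
        if hit is None:
            return f"IP address {ip} is not on the blacklist."
        return (f"IP address {ip} is on the blacklist ({hit['network']}). "
                f"It was listed on {hit['listed_on']}, because of: {hit['reason']}.")


if __name__ == "__main__":
    print(dnsbl_query_name("198.51.100.7"), dnsbl_listed("198.51.100.7", fake_resolver))
    print(FlatFileList(SAMPLE_LIST).explain("203.0.113.45"))
```

The DNS form needs no local copy of the list and each query touches only the entry asked about, which is why the mail blacklists settled on it; the flat-file form avoids making a packet filter depend on name resolution but pays for it with the whole list in memory and a scan per lookup, which is the trade-off the two posters are disagreeing about.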