* Brad Knowles ([EMAIL PROTECTED]) [050912 16:00] wrote:
>> I mention DNS as a technical means to make data available. From the
>> blacklist user's point of view the "complexity" of getting the blacklist's
>> data by wgetting a file is the same as listing the zone and redirecting it to
>> a file.
>       In this case, I think it's better not to muddy the waters by 
> mentioning DNS at all.  The blacklist concept is a potentially valid 
> one, but given that it would have to be implemented inside of some 
> sort of set of firewall rules, I think we have to assume some sort of 
> static input file.
>       Yes, there are a variety of methods you could use to pull down 
> that static input file, but I think it would be best not to even try 
> to discuss or even mention any of those, except to say that there are 
> a variety of methods possible.

My fault, could have darkened the subject for some :)

BTW - when it comes to mechanics - I thought of using ntpd with wrappers 
and regenerating the wrapper's included ntpd abusers static file every XX 
minutes. No slow dynamically changing firewall rules, no frequent 
static firewall rule updates and restarts influencing ntp service 
quality.

>       If you're looking for an NTP-related project that could take on a 
> task like this, then I think the only possible organization that 
> could qualify would be the NTP Public Services Project.  
> number of part-time volunteers on the project, we've got a very good 
> network location at ISC (and the ability to call on some of the best 
> network and DNS engineers in the business), and between us I think we 
> have all the necessary knowledge of how to run something like this.

It's a very strong base to do the custom dns service serving pool zones.

>       But what we don't have is people, or time.  IMO, we'd need at 
> least two or three salaried full-time people, whose sole job it is to 
> maintain the black list, to operate the help desk (you'd have to have 
> 24x7 operations, even if it's just being on-call after hours), 
> etc....  On top of that, I think we'd probably need another large 
> group of volunteers, putting in enough work to be equivalent to 
> another three or four full-time employees, and all of that would be 
> sucked up by just the black list and related operations.  In other 
> words, I think we would quickly become about the same size as MAPS or 
> SpamHaus, or some of the other large blacklist operations.

No. Because:
1. mail services are used a hundred times more often
2. abusing mail services is much more hmm... beneficial to abusers
3. mail blacklists work more or less in real time ( query on every connect 
   to get the data about the other end )
4. there are tens, possibly hundreds of thousands of mail systems 
   using blacklists

Here we talk about a much smaller service, much less abused ( I can 
hardly see benefits from abusing ntp, most ( all? ) of the abuse is 
unintentional ), without the need to be real-time.

Some numbers to compare - dns queries from all my mail servers to a 
single dns blacklist are hundreds of thousands up to 1 million 
per day ( some cached by my resolvers, I admit, therefore spamcops ).

To protect my ntp server using an ntp abuse blacklist I would need to
contact it 24 times a day ( to refresh the list every hour ), or ~100 
( to refresh my wrappers every 15 minutes ).

To start such a project one won't need to have a 7-person company-like 
structure prepared. I know - it would be great to have such an 
operational structure, but no one would put the money into it.

>       We just don't have that kind of money, nor do we have that kind 
> of personnel resources.

How did the ntp pool project start? Were there 7 fulltime workers? :)
Or were there single-subject "fans" with a strong technical background?

>       If you can help us find the funding to make that sort of thing 
> happen, I know the place to get the proposal started.  But I'm not 
> even going to try unless someone can convince me that they can get at 
> least most of the funding necessary.

I could possibly donate my time. I won't, unless the situation with my
current job straightens out ( integration of the two big telco players 
on the country's market ). It may be I won't have the time to scratch 
my a** with systems integration, it may be I will look for another job 
though.
 
MJ

-- 
[EMAIL PROTECTED]   ( Psyborg )   MJ102-RIPE   GTS Polska sp. z o.o.
Servers Administration Department Manager
         "I don't suffer from insanity, I enjoy every minute of it."
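The mechanism MJ sketches above (ntpd behind tcp_wrappers, with the wrapper's included abuser file regenerated from a static blacklist on a timer), as an added example that is not code from the thread or from the NTP project. It assumes ntpd is linked against libwrap and checked under the daemon name `ntpd`, that hosts.deny carries a rule like `ntpd: /etc/ntp-abusers.deny` (the hosts_access(5) file-name pattern), and that the blacklist is a plain file with one IPv4 address per line; the format and the sample data are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): rebuild the file of NTP abusers
# that a tcp_wrappers rule such as "ntpd: /etc/ntp-abusers.deny" includes,
# from a static blacklist fetched on a timer. Assumes ntpd is linked against
# libwrap and checked under the daemon name "ntpd"; the blacklist format
# (one IPv4 address per line, '#' comments) is a constructed assumption.

# Keep only syntactically valid dotted-quad IPv4 addresses, so a malformed or
# tampered blacklist cannot smuggle wildcards such as "ALL" or extra patterns
# into the wrapper's access control file.
filter_ipv4() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' "$1" |
        awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255' | sort -u
}

# Atomically replace the include file only when its content changed, so a
# cron run every few minutes does not rewrite it needlessly.
# Returns 0 if the file was updated, 1 if it was already current.
refresh_deny_file() {
    src="$1"; dst="$2"
    tmp="$(mktemp "${dst}.XXXXXX")"
    filter_ipv4 "$src" > "$tmp"
    if [ -f "$dst" ] && cmp -s "$tmp" "$dst"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0644 "$tmp" && mv -f "$tmp" "$dst"
}

# Constructed sample blacklist: comments, a duplicate, a wildcard and an
# out-of-range octet that must all be rejected or collapsed.
make_sample_blacklist() {
    cat > "$1" <<'EOF'
# constructed sample: ntp abusers
192.0.2.10
198.51.100.7
192.0.2.10
ALL
256.1.1.1
EOF
}
```

Run `refresh_deny_file /path/to/fetched-blacklist /etc/ntp-abusers.deny` from cron at the chosen interval; the wrapper reads the include file on each access check, so no ntpd restart is needed.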
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers