
posted by NCommander on Thursday August 25 2016, @01:00PM
from the you-can-haz-RRSIG dept.

In the ongoing battle of site improvements and shoring up security, I finally managed to scratch a long-standing itch and signed the soylentnews.org domain. As of right now, our chain is fully validated and pushed to all our end-points.

Right now, I'm getting ready to dig in with TheMightyBuzzard to work on improving XSS protection for the site, and starting to lay out new site features (which will be in a future post). As with any meta post, I'll be reading your comments below.

~ NCommander

  • (Score: 2, Insightful) by Anonymous Coward on Thursday August 25 2016, @01:14PM (#392973)

    Don't slashdot yourself.

  • (Score: 0) by Anonymous Coward on Thursday August 25 2016, @01:40PM (#392984)
    • (Score: 2) by NCommander (2) <michael@casadevall.pro> on Thursday August 25 2016, @07:01PM (#393143)

      DDoS attacks against DNS aren't anything new; it's an inherent problem in UDP. Hell, you could already get a reply like that against some Cloudflare servers just asking for the NS set without DNSSEC.

      ISPs need to prevent obviously bad traffic from their network, or UDP needs an overhaul.

      --
      Still always moving
      • (Score: 0) by Anonymous Coward on Friday August 26 2016, @06:39AM (#393371)

        ISPs need to prevent obviously bad traffic from their network, or UDP needs an overhaul.

        Which is the proper approach, either from a technical or liability/moral perspective?

        The only reason I can imagine ISPs not wanting to drop bad traffic leaving their network is due to the work involved, either man-hours or equipment processing load.

        Giving UDP an overhaul seems like trying to close the barn door after the horse has left. In hindsight, designing UDP to make DDoS attacks more difficult seems like a good idea, but my mind boggles at how much stuff would break if the protocol itself was heavily changed. By contrast, nothing stops the system making use of UDP from demanding its own SYN/ACK type of handshake before dumping data back at the source IP...

      • (Score: 0) by Anonymous Coward on Friday August 26 2016, @09:49AM (#393415)

        ISPs need to prevent obviously bad traffic from their network, or UDP needs an overhaul.

        Neither looks likely to happen soon.

        How large are the replies you get for an NS query from Cloudflare servers? I'm getting about 500+ bytes for a 70+ byte NS query, which is an amplification of 7-8x.

        I got 1514 bytes for a 70-byte query from this: dig +bufsize=65535 +notcp +ignore . ANY
        Which is an amplification of 20x.

        In theory DNSSEC replies can be significantly bigger since they can be sent over multiple UDP packets: https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS#Issues
        The fact that EDNS0 was actually approved shows how silly the DNS standards people are.

        To me it seems very unlikely that a small IP range or a single IP would want hundreds or thousands of DNS replies per second from your DNS server/resolver. Thus perhaps a more practical solution would be to keep the reply rates and bandwidth per IP range to a "sane" level. DNS queries are supposed to be cached for minutes so if you appear to be asking too many times either your connection is too crappy or you are a victim of a DoS attack in which case you don't want the replies.

        That way an attacker would probably use a different DNSSEC server for amplification. Or need to find and use 10000 different DNS servers like yours to send 10-100Mbps at a target.
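The two technical points in the thread above, the 70-byte `. ANY` query with an EDNS0 buffer size of 65535 eliciting a 1514-byte frame, and the suggestion to cap replies per source IP range, can both be made concrete. The following is an added example, not code from SoylentNews or from any of the commenters. It builds the raw DNS query on the wire to show where the 70 bytes come from (28 bytes of DNS payload plus the assumed 42 bytes of Ethernet, IPv4 and UDP headers), computes the byte-amplification ratio, and implements a per-prefix response rate limiter in the spirit of BIND's RRL, including the "slip" behaviour that sends a tiny TC=1 reply so a real resolver behind a rate-limited prefix falls back to TCP. The traffic it is run against is constructed, not captured; the budget numbers (5 responses and 8000 bytes per second per /24, slip every 2nd excess reply) are illustrative assumptions.

```python
import struct
import ipaddress
from collections import defaultdict

# Assumed link-layer framing: Ethernet (14) + IPv4 (20) + UDP (8) headers.
ETH_IP_UDP_OVERHEAD = 14 + 20 + 8

QTYPE_NS, QTYPE_ANY = 2, 255


def build_query(name, qtype, edns_bufsize=None, txid=0x1234):
    """Build a raw DNS query: 12-byte header, one IN question, optional EDNS0 OPT RR.
    Returns the UDP payload only (no IP/UDP headers)."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    labels = [l for l in name.rstrip(".").split(".") if l]          # "." -> no labels
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)                  # QCLASS=IN
    opt = b""
    if edns_bufsize:
        # OPT RR (RFC 6891): NAME=root, TYPE=41, CLASS=advertised UDP payload size,
        # TTL field=extended RCODE/version/flags (zero), RDLENGTH=0  -> 11 bytes
        opt = b"\x00" + struct.pack(">HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def amplification(query_payload, response_frame_bytes):
    """Bytes-on-wire ratio: one query frame spent by the attacker versus the
    response frame(s) delivered to the spoofed victim address."""
    return response_frame_bytes / (len(query_payload) + ETH_IP_UDP_OVERHEAD)


class ResponseRateLimiter:
    """Response rate limiting per source prefix (/24 for IPv4, /56 for IPv6).
    Replies within budget are sent; excess replies are dropped, except that every
    `slip`-th one is answered with a minimal truncated (TC=1) reply so a genuine
    resolver retries over TCP, which cannot be spoofed the same way."""

    def __init__(self, responses_per_sec=5, bytes_per_sec=8000, slip=2,
                 v4_prefix=24, v6_prefix=56):
        self.rps, self.bps, self.slip = responses_per_sec, bytes_per_sec, slip
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.state = {}  # prefix -> [window_start, responses, bytes, excess]

    def _prefix(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        plen = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

    def decide(self, src_ip, now, response_bytes):
        """Return 'send', 'truncate' or 'drop' for a response to src_ip at time now."""
        st = self.state.get(self._prefix(src_ip))
        if st is None or now - st[0] >= 1.0:          # start a fresh one-second window
            st = self.state[self._prefix(src_ip)] = [now, 0, 0, 0]
        if st[1] < self.rps and st[2] + response_bytes <= self.bps:
            st[1] += 1
            st[2] += response_bytes
            return "send"
        st[3] += 1
        return "truncate" if st[3] % self.slip == 0 else "drop"


def simulate(events, limiter=None):
    """events: iterable of (src_ip, timestamp, response_bytes). Returns decision counts."""
    limiter = limiter or ResponseRateLimiter()
    counts = defaultdict(int)
    for src, t, size in events:
        counts[limiter.decide(src, t, size)] += 1
    return dict(counts)


# Constructed traffic (not captured data): a spoofed flood of 50 `. ANY` queries in
# under a second from 203.0.113.0/24, each eliciting a 1514-byte frame, and a normal
# resolver asking three questions over two seconds.
FLOOD = [(f"203.0.113.{i % 250 + 1}", 100.0 + i * 0.02, 1514) for i in range(50)]
NORMAL = [("198.51.100.53", 100.0, 120), ("198.51.100.53", 100.4, 380),
          ("198.51.100.53", 101.2, 95)]

if __name__ == "__main__":
    q = build_query(".", QTYPE_ANY, edns_bufsize=65535)
    print("root ANY query frame:", len(q) + ETH_IP_UDP_OVERHEAD, "bytes")
    print("amplification for a 1514-byte reply: %.1fx" % amplification(q, 1514))
    print("flood:", simulate(FLOOD), "normal:", simulate(NORMAL))
```

The limiter keys on a prefix rather than a single address because a spoofing attacker can rotate through every host address in the victim's network; the bytes budget matters as much as the reply count, since one ANY or DNSSEC reply can be twenty times the size of a cached A-record answer.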