|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Sitefinder and DDoS
> > > Let's assume for a moment that Verisign's wildcards and Sitefinder go > back into operation. > > Let's also assume someone sets up a popular webpage with malware HTML > causing it, perhaps with a time delay, to issue rapid GETs to > deliberately nonexistent domains. > > What would be the effect on overall Internet traffic patterns if > there were one Sitefinder site? (flashback to ARPANET node > announcing it had zero cost to any route) > > How many Sitefinder nodes would we need to avoid massive single-point > congestion? you may wish to review/examine the AS112 project materials. I used to run the single instance of the authoritative DNS service for RFC 1918 space. We were periodically hammered and discovered an interesting "local" optimization from one vendor who did not respect the "negative-caching" timers. The upshot was that the normal "blow-the-bolts" tactic that usually compartmentalizes failures actually aggrevated the problem. :) The single instance was migrated to the anycast model under the AS112 folks. > I am NOT suggesting this simply as an argument against Sitefinder, > and I'd like to see engineering analysis of how this vulnerability > could be prevented. --bill
|