[AusNOG] census issues tonight

[Paul Wilkins]

Mark,
If your point is that if an attacker can flood a server with traffic, the
DOS will succeed, then we agree.

The point is to ensure that your attacker has an upper limit to resources
available to them on the server. This is much harder to achieve with HTTPS,
where you can't successfully create a session with a spoofed IP.

Kind regards

Paul Wilkins

On 10 August 2016 at 15:11, Mark Delany <g2x at juliet.emu.st> wrote:

> On 10Aug16, Paul Wilkins allegedly wrote:
>
> > Assuming the architects have done basic due diligence
>
> I see two unicast name servers for abs.gov.au
>
> I see four unicast name servers for census.abs.gov.au all in the same
> /24 and all (obviously) accessible via the same route. They also
> accept TCP queries.
>
> They still have absurdly large TTLs on the A RRs.
>
> As best as I can tell, still no GSLB-like responses though they are
> now blocking DNS queries from the US which will stop the most naive
> DDOSes.
>
> Seems like they haven't even thought about their DNS being a
> vulnerable DDOS target yet. I would put that in basic due diligence.
>
>
> > how does one DDOS an HTTPS site exactly?
>
> Get a million bots to repeatedly establish an HTTPS connection? Embed
> <img src=https://150.207.169.6/foolish.jpg> into a hijacked adsense ad
> or spam email?
>
> You only need to keep hitting it with the expensive TLS setup to kill
> most servers.
>
> > And if they're running on SoftLayer, did they really have no ability to
> > scale out elastically?
>
> I thought the SoftLayer folks had made in pretty clear they weren't
> involved.
>
>
> Mark.
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20160810/69092e34/attachment.html>