* Posts by dirkjumpertz

8 publicly visible posts • joined 13 Aug 2015

Microsoft’s Azure mishap betrays an industry blind to a big problem

dirkjumpertz

Re: If a tiny typo brings down half of Brazil, perhaps we’re the nuts

Abrupt outage -> BGP

Gradual outage -> DNS

Microsoft says Azure fended off what might just be the world's biggest-ever DDoS attack

dirkjumpertz

Re: Mine is bigger than yours

"a network and collaborative mitigation strategy"

Nope... regulation and BCP38 but as long as DDOS attacks are a source of revenue and carriers, ISP, IXP and all in between claim that BCP38 is too costly/complex or any other nonsense...

https://www.internetsociety.org/blog/2014/07/anti-spoofing-bcp-38-and-the-tragedy-of-the-commons/

Facebook apologizes to users, businesses for Apple’s monstrous efforts to protect its customers' privacy

dirkjumpertz

Re: Bad guy vs bad guy

I hope you're running your own DOH server on a network you tightly control then.

DNS resolver 9.9.9.9 will check requests against IBM threat database

dirkjumpertz
Boffin

Re: One should note that running DNS resolvers is rather cheap

Running resolver domain name services is not that cheap anymore and has become a tad more complex than 15 years ago.

15 years ago it sufficed to have a medium sized box, gig ethernet, some Linux distro and bind (or whatever is your fancy) and off you went. Monitor memory and disk space and that was it.

Today we're talking about DNSSEC and preventive measures to protect your DN server from becoming part of a DDOS amplification attack. Preferably you go the ANYCAST way and that is anything but cheap or simple.

So NO, running a resolver for mass consumption is NOT cheap nor EASY.

dirkjumpertz
Meh

what's the answer when looking for something is a threat

I tried some queries on Domain Names that are DGA - quite interesting. Querying for google.com and other well-known DNs makes little sense IMHO if you want to have an impression of the quality of the service.

If the DN is considered problematic, it returns NXDOMAIN and omits the AUTHORITY section.

Here are some examples, enjoy - queried against 8.8.8.8 and 9.9.9.9

; <<>> DiG 9.10.6 <<>> NS drohppbkxj.com @8.8.8.8 +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61557
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;drohppbkxj.com. IN NS
;; AUTHORITY SECTION:
com. 872 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. (
    1536574009 ; serial
    1800 ; refresh (30 minutes)
    900 ; retry (15 minutes)
    604800 ; expire (1 week)
    86400 ; minimum (1 day)
    )
;; Query time: 19 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Sep 10 12:07:41 CEST 2018
;; MSG SIZE rcvd: 116

----------------------------------------------------------------------------------------

; <<>> DiG 9.10.6 <<>> NS drohppbkxj.com @9.9.9.9 +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47957
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;drohppbkxj.com. IN NS
;; Query time: 17 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Mon Sep 10 12:07:53 CEST 2018
;; MSG SIZE rcvd: 43

----------------------------------------------------------------------------------------

----------------------------------------------------------------------------------------

; <<>> DiG 9.10.6 <<>> NS ngdvmtwodjjuovsnfj.ru @8.8.8.8 +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51420
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ngdvmtwodjjuovsnfj.ru. IN NS
;; AUTHORITY SECTION:
ru. 1799 IN SOA a.dns.ripn.net. hostmaster.ripn.net. (
    4035250 ; serial
    86400 ; refresh (1 day)
    14400 ; retry (4 hours)
    2592000 ; expire (4 weeks 2 days)
    3600 ; minimum (1 hour)
    )
;; Query time: 69 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Sep 10 12:08:45 CEST 2018
;; MSG SIZE rcvd: 111

----------------------------------------------------------------------------------------

; <<>> DiG 9.10.6 <<>> NS ngdvmtwodjjuovsnfj.ru @9.9.9.9 +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27399
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ngdvmtwodjjuovsnfj.ru. IN NS
;; AUTHORITY SECTION:
ru. 1113 IN SOA a.dns.ripn.net. hostmaster.ripn.net. (
    4035250 ; serial
    86400 ; refresh (1 day)
    14400 ; retry (4 hours)
    2592000 ; expire (4 weeks 2 days)
    3600 ; minimum (1 hour)
    )
;; Query time: 15 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Mon Sep 10 12:09:04 CEST 2018
;; MSG SIZE rcvd: 111

----------------------------------------------------------------------------------------

----------------------------------------------------------------------------------------

; <<>> DiG 9.10.6 <<>> NS e70ae5a2.eu @8.8.8.8 +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21315
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;e70ae5a2.eu. IN NS
;; ANSWER SECTION:
e70ae5a2.eu. 299 IN NS ns1.honeybot.us.
e70ae5a2.eu. 299 IN NS ns2.honeybot.us.
;; Query time: 135 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Sep 10 12:12:21 CEST 2018
;; MSG SIZE rcvd: 87

----------------------------------------------------------------------------------------

; <<>> DiG 9.10.6 <<>> NS e70ae5a2.eu @9.9.9.9 +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41743
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;e70ae5a2.eu. IN NS
;; ANSWER SECTION:
e70ae5a2.eu. 300 IN NS ns1.honeybot.us.
e70ae5a2.eu. 300 IN NS ns2.honeybot.us.
;; Query time: 118 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Mon Sep 10 12:12:44 CEST 2018
;; MSG SIZE rcvd: 87
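
An added example, not part of the original post: a Python parser for dig answers that labels the pattern the post above describes (NXDOMAIN with an empty AUTHORITY section) so resolver answers can be compared in bulk. The samples are abbreviated from the dig output in the post; the function names and labels are this example's own, and the heuristic is the poster's observation rather than a documented resolver behaviour.

```python
import re

STATUS = re.compile(r"status:\s*(\w+)")
COUNTS = re.compile(r"flags:\s*([a-z ]*);\s*QUERY:\s*\d+,\s*ANSWER:\s*(\d+),"
                    r"\s*AUTHORITY:\s*(\d+)")
SERVER = re.compile(r"SERVER:\s*([0-9A-Fa-f.:]+)#")

def parse_dig(text):
    """Extract rcode, header flags and section counts from one dig answer."""
    status, counts, server = (p.search(text) for p in (STATUS, COUNTS, SERVER))
    if not (status and counts):
        raise ValueError("no dig response header found")
    return {
        "server": server.group(1) if server else None,
        "status": status.group(1),
        "flags": counts.group(1).split(),
        "answer": int(counts.group(2)),
        "authority": int(counts.group(3)),
    }

def classify(resp):
    """Label an answer using the heuristic from the post (an observation, not a spec)."""
    if resp["status"] == "NXDOMAIN":
        # A resolved negative answer carries the parent zone's SOA in AUTHORITY;
        # the 9.9.9.9 answer for drohppbkxj.com in the post came back with AUTHORITY: 0.
        return "nxdomain" if resp["authority"] > 0 else "nxdomain-no-soa"
    if resp["status"] == "NOERROR" and resp["answer"] > 0:
        return "resolved"
    return "other"

# Samples abbreviated from the dig output in the post (header and SERVER lines only).
SAMPLES = {
    "drohppbkxj.com @8.8.8.8": """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61557
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; SERVER: 8.8.8.8#53(8.8.8.8)""",
    "drohppbkxj.com @9.9.9.9": """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47957
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 9.9.9.9#53(9.9.9.9)""",
    "e70ae5a2.eu @9.9.9.9": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41743
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 9.9.9.9#53(9.9.9.9)""",
}

def report(samples=SAMPLES):
    return {name: classify(parse_dig(text)) for name, text in samples.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:28} {verdict}")
```
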

Uncle Sam slams plans to give govts final say over domain privacy

dirkjumpertz

The GDPR is not going to end the universe

It's unbelievable how much nonsense is being published about the GDPR.

This regulation does not forbid the use of personal data. A company or business can process personal data as long as it is limited in purpose, lawful, fair and transparent to the individual.

The whois has a clear reason to exist, just like the yellow pages. Surely measures must be taken to prevent the unauthorized collection of the data, but there's nothing wrong with a repository of domain name holders as long as it is protected adequately from abuse.

Will Data Protection Authorities suddenly burst in at domain name registries and start fining them those "monster" fines? Of course not... there's other fish to fry, there's abuse of sensitive data, insufficient protection of personal (sensitive) data and the joy of machine learning without people knowing what's going on (FaceApp anyone?).

dirkjumpertz

Re: Whois is already useless

And then there is the plethora of fake addresses.

Rise up against Oracle class stupidity and join the infosec strike

dirkjumpertz

So sad but true

And even sadder when

s/security/environment/g

is a regex that makes perfect sense.

I'm a chemical engineer by education; today I work in IT security (governance mainly). Often I tell people that the real problem with IT is that people don't die by their own mistakes. In a chemical plant, if you don't follow procedures, guidelines and standards, you will end up hurt and in the worst case dead. Sitting behind a desk, fiddling with code might be bad for your back, but that's as far as it goes.

Personal harm is the best motivator for taking the right decisions and doing the right thing.