Date:      Thu, 11 Aug 2016 21:20:10 -0300
From:      "Dr. Rolf Jansen" <rj@obsigna.com>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: your thoughts on a particualar ipfw action.
Message-ID:  <18FB78EB-B93F-4E03-8DCC-83294133C323@obsigna.com>
In-Reply-To: <20160812014005.V79687@sola.nimnet.asn.au>
References:  <20160805024301.H56585@sola.nimnet.asn.au> <B26AAEC0-593A-46D9-A22F-F6B4B78E7E8E@obsigna.com> <7486c7ce-49db-b6b9-a6bb-13f04b4ce6d6@freebsd.org> <F3D40C57-831D-4A7C-B84B-8DA34E4DC701@obsigna.com> <242DF6D8-4287-43BF-BE9F-CE1665D31ED2@obsigna.com> <9D024314-57A2-4079-B630-FB0D844DD5B5@obsigna.com> <20160811200425.F79687@sola.nimnet.asn.au> <DA5B5C46-9505-4A3E-948A-7392844F21C3@obsigna.com> <20160812014005.V79687@sola.nimnet.asn.au>

> On 11.08.2016 at 14:20, Ian Smith <smithi@nimnet.asn.au> wrote:
> On Thu, 11 Aug 2016 10:09:24 -0300, Dr. Rolf Jansen wrote:
>>> On 11.08.2016 at 08:06, Ian Smith <smithi@nimnet.asn.au> wrote:
>>> On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
>>> ...
>>> ...
>>>> I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
>>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744
>>>
>>> Wonderful.
>>
>> The port maintainers were really quick. The port has been accepted
>> and has been already committed.
>
> So it has, on refreshing the page.  Smooth and fast.
>
> Re __uint128_t I _guess_ there may be macro/s to do that maths for i386?

Yeah, I am exploring the options. Comparisons, addition and subtraction
are working already, multiplication, division and remainder operations
are a tad more difficult, I must leave this for some weekend.

>>> ...
>>> A more tech-savvy article than ABC or other news media managed so far:
>>> https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask
>>
>> Well, I tend to believe that this has nothing to do with DoS attacks,
>
> Some should have been expected, planned for, mitigation anticipated, as
> well as expecting at least 5 times the legit connections/hr they tested
> for, and as the guardian article pointed to, their DNS was screwed in
> several ways: way too long TTL (can't move fast), hard-coded subdomain
> in SSL cert (couldn't readily add load-sharing capacity?) and such.
>
> But they admit the geo-blocking fell over - whether inline as firewall
> or on another server fielding lookup requests not disclosed - but they
> say that failure caused a/the/some router to fail (crash? explode? :)

Perhaps they did Geo-blocking in the way that I mentioned in the summary
of the ipdbtool's manual to be a no-go:

...
Unfortunately, online database look-up is by far too slow for even
thinking about being utilized on the firewall level, where IP packets need
to be processed in a microsecond time scale. Therefore, a locally
maintained IP Geo-location database is indispensable in the given respect.
...

> IBM, FFS! but they'll point to govt specs and disclaim hardware failure
> but still it's not great product endorsement for their SoftLayer Cloud.

Natural but non-professional reaction. My mother always told us, if you
point with your index finger to others, three fingers are pointing back
to you. So IBM not only failed technically but also the PR division did
a bad job.

>> I mean, of course it is DoS, but not caused by an attack. Exactly the
>> same happens every year on 30th of April between 17:00 and 24:00 on
>> the servers of the Federal Bureau of Finance here in Brazil. That is
>> the deadline for the online-submission of the annual tax declaration
>> of the Brazilian citizens. Seems that the bureaucrats all over the
>> world share the same deficiency of creative problem solving.
>
> Seems it's a requirement for the job, world wide.  Creativity is scary,
> but you think they could guess that ~8 million households in the eastern
> timezone were going to have dinner then do their census within ~2 hours.

Of course they could not guess this, because public servants are trained
to assume that the normal citizen does not meet her/his obligations, and
for sure they were (are) prepared to send out 8 million penalty notices
in 24 hours.

>> Who in the bureaucrats hell told them to go with one deadline for
>> everybody? For the census in Australia, I would have told the
>> citizens that everybody got an individual deadline which is his or
>> her birthday in 2016 -- problem solved.
>
> That'd be great load-balancing .. shall I let them know? :)

Doesn't cost anything giving it a try, however, you could as well slap
an ox on his horn - same effect.
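
The two technical points of this message, 128-bit comparison, addition and subtraction without __uint128_t, and resolving an address against a locally held range table instead of an online service, as an added example that is not part of the original post and not code from ipdbtools. The u128 type, the function names and the table contents are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* 128-bit unsigned value kept as two 64-bit halves, usable where the
   compiler provides no __uint128_t (e.g. i386). */
typedef struct { uint64_t hi, lo; } u128;

static int u128_cmp(u128 a, u128 b)
{
    if (a.hi != b.hi) return a.hi < b.hi ? -1 : 1;
    if (a.lo != b.lo) return a.lo < b.lo ? -1 : 1;
    return 0;
}

static u128 u128_add(u128 a, u128 b)
{
    u128 r = { a.hi + b.hi, a.lo + b.lo };
    r.hi += (r.lo < a.lo);      /* low half wrapped: carry into high half */
    return r;
}

static u128 u128_sub(u128 a, u128 b)
{
    u128 r = { a.hi - b.hi, a.lo - b.lo };
    r.hi -= (a.lo < b.lo);      /* low half underflowed: borrow from high */
    return r;
}

typedef struct { u128 first, last; char cc[3]; } range;

/* Constructed sample data: two ranges inside the IPv6 documentation
   prefix 2001:db8::/32, tagged with user-assigned codes XA and XB.
   Entries must be sorted by 'first' and must not overlap. */
static const range table[] = {
    { {0x20010db800000000ULL, 0}, {0x20010db800000000ULL, UINT64_MAX}, "XA" },
    { {0x20010db800000100ULL, 0}, {0x20010db8000001ffULL, UINT64_MAX}, "XB" },
};

/* Binary search in memory: O(log n) comparisons per address and no
   network round trip. Returns NULL for an address in no range. */
static const range *lookup(const range *t, size_t n, u128 ip)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (u128_cmp(ip, t[mid].first) < 0)     hi = mid;
        else if (u128_cmp(ip, t[mid].last) > 0) lo = mid + 1;
        else return &t[mid];
    }
    return NULL;
}
```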



