From: "Dr. Rolf Jansen"
Subject: Re: your thoughts on a particualar ipfw action.
Date: Thu, 11 Aug 2016 21:20:10 -0300
To: freebsd-ipfw@freebsd.org
Message-Id: <18FB78EB-B93F-4E03-8DCC-83294133C323@obsigna.com>
In-Reply-To: <20160812014005.V79687@sola.nimnet.asn.au>

> On 11.08.2016 at 14:20, Ian Smith wrote:
> On Thu, 11 Aug 2016 10:09:24 -0300, Dr. Rolf Jansen wrote:
>>> On 11.08.2016 at 08:06, Ian Smith wrote:
>>> On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
>>> ...
>>> ...
>>>> I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
>>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744
>>>
>>> Wonderful.
>>
>> The port maintainers were really quick. The port has been accepted
>> and has been already committed.
>
> So it has, on refreshing the page. Smooth and fast.
>
> Re __uint128_t I _guess_ there may be macro/s to do that maths for i386?
Yeah, I am exploring the options. Comparisons, addition and subtraction
are working already, multiplication, division and remainder operations
are a tad more difficult, I must leave this for some weekend.

>>> ...
>>> A more tech-savvy article than ABC or other news media managed so far:
>>> https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask
>>
>> Well, I tend to believe that this has nothing to do with DoS attacks,
>
> Some should have been expected, planned for, mitigation anticipated, as
> well as expecting at least 5 times the legit connections/hr they tested
> for, and as the guardian article pointed to, their DNS was screwed in
> several ways: way too long TTL (can't move fast), hard-coded subdomain
> in SSL cert (couldn't readily add load-sharing capacity?) and such.
>
> But they admit the geo-blocking fell over - whether inline as firewall
> or on another server fielding lookup requests not disclosed - but they
> say that failure caused a/the/some router to fail (crash? explode? :)

Perhaps they did Geo-blocking in the way that I mentioned in the summary
of the ipdbtool's manual to be a no-go:

...
Unfortunately, online database look-up is by far too slow for even
thinking about being utilized on the firewall level, where IP packets
need to be processed in a microsecond time scale. Therefore, a locally
maintained IP Geo-location database is indispensable in the given respect.
...

> IBM, FFS! but they'll point to govt specs and disclaim hardware failure
> but still it's not great product endorsement for their SoftLayer Cloud.

Natural but non-professional reaction. My mother always told us, if you
point with your index finger to others, three fingers are pointing back to
you. So IBM not only failed technically but also the PR division did a bad
job.

>> I mean, of course it is DoS, but not caused by an attack. Exactly the
>> same happens every year on 30th of April between 17:00 and 24:00 on
>> the servers of the Federal Bureau of Finance here in Brazil. That is
>> the deadline for the online-submission of the annual tax declaration
>> of the Brazilian citizens. Seems that the bureaucrats all over the
>> world share the same deficiency of creative problem solving.
>
> Seems it's a requirement for the job, world wide. Creativity is scary,
> but you think they could guess that ~8 million households in the eastern
> timezone were going to have dinner then do their census within ~2 hours.

Of course they could not guess this, because public servants are trained
to assume that the normal citizen does not meet her/his obligations, and
for sure they were (are) prepared to send out 8 million penalty notices
in 24 hours.

>> Who in the bureaucrats hell told them to go with one deadline for
>> everybody? For the census in Australia, I would have told the
>> citizens that everybody got an individual deadline which is his or
>> her birthday in 2016 -- problem solved.
>
> That'd be great load-balancing .. shall I let them know? :)

Doesn't cost anything giving it a try, however, you could as well slap
an ox on his horn - same effect.
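Added illustration of the two technical points in the message above; this is not code from ipdbtools or from anyone in the thread. It shows the __uint128_t comparison and addition/subtraction on a compiler that has no native 128-bit type (the value is split into two uint64_t halves, carry and borrow propagated by hand), and uses that arithmetic to check an IPv6 address against a range held locally as first/last address, the kind of entry a local Geo-location table would store instead of an online look-up. The type name u128_t, the function names and the documentation-prefix sample data are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Portable stand-in for __uint128_t (absent on i386 compilers):
 * an IPv6 address held as two 64-bit halves, hi = first 8 bytes.
 * Type and function names are constructed for this example. */
typedef struct { uint64_t hi, lo; } u128_t;

/* Three-way comparison, -1 / 0 / 1, equivalent to memcmp on the
 * big-endian address bytes. */
static int u128_cmp(u128_t a, u128_t b)
{
    if (a.hi != b.hi) return a.hi < b.hi ? -1 : 1;
    if (a.lo != b.lo) return a.lo < b.lo ? -1 : 1;
    return 0;
}

/* Addition; the carry out of the low half is propagated into the high
 * half, and *wrapped (if non-NULL) reports a carry out of bit 127. */
static u128_t u128_add(u128_t a, u128_t b, int *wrapped)
{
    u128_t r;
    r.lo = a.lo + b.lo;
    uint64_t carry = (r.lo < a.lo) ? 1 : 0;
    uint64_t t = a.hi + b.hi;
    r.hi = t + carry;
    if (wrapped) *wrapped = (t < a.hi) || (r.hi < t);
    return r;
}

/* Subtraction with borrow; *wrapped reports a < b (underflow). */
static u128_t u128_sub(u128_t a, u128_t b, int *wrapped)
{
    u128_t r;
    r.lo = a.lo - b.lo;
    uint64_t borrow = (a.lo < b.lo) ? 1 : 0;
    uint64_t t = a.hi - b.hi;
    r.hi = t - borrow;
    if (wrapped) *wrapped = (a.hi < b.hi) || (t < borrow);
    return r;
}

/* Parse a textual IPv6 address into the two halves; false if malformed. */
static bool u128_parse6(const char *text, u128_t *out)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, text, &a) != 1) return false;
    u128_t r = {0, 0};
    for (int i = 0; i < 8; i++) {
        r.hi = (r.hi << 8) | a.s6_addr[i];
        r.lo = (r.lo << 8) | a.s6_addr[i + 8];
    }
    *out = r;
    return true;
}

/* First and last address of net/plen, the form in which a locally held
 * range table (rather than an online look-up) would store an entry. */
static bool cidr6_range(const char *net, int plen, u128_t *first, u128_t *last)
{
    u128_t n, hmask;            /* hmask = 2^(128-plen) - 1, the host bits */
    int hostbits = 128 - plen;
    if (plen < 0 || plen > 128 || !u128_parse6(net, &n)) return false;
    if (hostbits == 0)        hmask = (u128_t){0, 0};
    else if (hostbits < 64)   hmask = (u128_t){0, (UINT64_C(1) << hostbits) - 1};
    else if (hostbits == 64)  hmask = (u128_t){0, UINT64_MAX};
    else if (hostbits < 128)  hmask = (u128_t){(UINT64_C(1) << (hostbits - 64)) - 1, UINT64_MAX};
    else                      hmask = (u128_t){UINT64_MAX, UINT64_MAX};
    first->hi = n.hi & ~hmask.hi;
    first->lo = n.lo & ~hmask.lo;
    *last = u128_add(*first, hmask, NULL);   /* cannot wrap: host bits were cleared */
    return true;
}

/* Membership test done purely with comparisons: 1 inside, 0 outside,
 * -1 if the address or the prefix is invalid. */
static int addr6_in_cidr(const char *addr, const char *net, int plen)
{
    u128_t a, first, last;
    if (!u128_parse6(addr, &a) || !cidr6_range(net, plen, &first, &last)) return -1;
    return (u128_cmp(a, first) >= 0 && u128_cmp(a, last) <= 0) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample entry (documentation prefix) and probe addresses. */
    const char *net = "2001:db8::";
    const char *probes[] = { "2001:db8::1", "2001:db8:ffff::1", "2001:db9::1" };
    for (size_t i = 0; i < sizeof probes / sizeof *probes; i++)
        printf("%-20s in %s/32 -> %d\n", probes[i], net, addr6_in_cidr(probes[i], net, 32));
    return 0;
}
```

Only comparison, addition and subtraction are needed for the range check, which matches the part of the 128-bit arithmetic the message describes as already working; multiplication, division and remainder are not required for this use.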