Date:      Fri, 12 Aug 2016 13:31:37 +0800
From:      Julian Elischer <julian@freebsd.org>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: your thoughts on a particualar ipfw action.
Message-ID:  <8b40f50e-cff6-3be9-f6f7-7f1d7449a93e@freebsd.org>
In-Reply-To: <18FB78EB-B93F-4E03-8DCC-83294133C323@obsigna.com>
References:  <20160805024301.H56585@sola.nimnet.asn.au> <B26AAEC0-593A-46D9-A22F-F6B4B78E7E8E@obsigna.com> <7486c7ce-49db-b6b9-a6bb-13f04b4ce6d6@freebsd.org> <F3D40C57-831D-4A7C-B84B-8DA34E4DC701@obsigna.com> <242DF6D8-4287-43BF-BE9F-CE1665D31ED2@obsigna.com> <9D024314-57A2-4079-B630-FB0D844DD5B5@obsigna.com> <20160811200425.F79687@sola.nimnet.asn.au> <DA5B5C46-9505-4A3E-948A-7392844F21C3@obsigna.com> <20160812014005.V79687@sola.nimnet.asn.au> <18FB78EB-B93F-4E03-8DCC-83294133C323@obsigna.com>

On 12/08/2016 8:20 AM, Dr. Rolf Jansen wrote:
>> Am 11.08.2016 um 14:20 schrieb Ian Smith <smithi@nimnet.asn.au>:
>> On Thu, 11 Aug 2016 10:09:24 -0300, Dr. Rolf Jansen wrote:
>>>> Am 11.08.2016 um 08:06 schrieb Ian Smith <smithi@nimnet.asn.au>:
>>>> On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
>>>> ...
>>>> ...
>>>>> I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
>>>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744
>>>> Wonderful.
>>> The port maintainers were really quick. The port has been accepted
>>> and has been already committed.
>> So it has, on refreshing the page.  Smooth and fast.
>>
>> Re __uint128_t I _guess_ there may be macro/s to do that maths for i386?
> Yeah, I am exploring the options. Comparisons, addition and subtraction are working already, multiplication, division and remainder operations are a tad more difficult, I must leave this for some weekend.
>
>>>> ...
>>>> A more tech-savvy article than ABC or other news media managed so far:
>>>> https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask
>>> Well, I tend to believe that this has nothing to do with DoS attacks,
>> Some should have been expected, planned for, mitigation anticipated, as
>> well as expecting at least 5 times the legit connections/hr they tested
>> for, and as the guardian article pointed to, their DNS was screwed in
>> several ways: way too long TTL (can't move fast), hard-coded subdomain
>> in SSL cert (couldn't readily add load-sharing capacity?) and such.
>>
>> But they admit the geo-blocking fell over - whether inline as firewall
>> or on another server fielding lookup requests not disclosed - but they
>> say that failure caused a/the/some router to fail (crash? explode? :)
> Perhaps they did Geo-blocking in the way that I mentioned in the summary of the ipdbtool's manual to be a no-go:
>
> ...
> Unfortunately, online database look-up is by far too slow for even thinking
> about being utilized on the firewall level, where IP packets need to
> be processed in a microsecond time scale. Therefore, a locally maintained
> IP Geo-location database is indispensable in the given respect.
> ...
>
>> IBM, FFS! but they'll point to govt specs and disclaim hardware failure
>> but still it's not great product endorsement for their SoftLayer Cloud.
> Natural but non-professional reaction. My mother always told us, if you point
> with your index finger to others, three fingers are pointing back to you.
> So IBM not only failed technically but also the PR division did a bad job.
>
>>> I mean, of course it is DoS, but not caused by an attack. Exactly the
>>> same happens every year on 30th of April between 17:00 and 24:00 on
>>> the servers of the Federal Bureau of Finance here in Brazil. That is
>>> the deadline for the online-submission of the annual tax declaration
>>> of the Brazilian citizens. Seems that the bureaucrats all over the
>>> world share the same deficiency of creative problem solving.
>> Seems it's a requirement for the job, world wide.  Creativity is scary,
>> but you think they could guess that ~8 million households in the eastern
>> timezone were going to have dinner then do their census within ~2 hours.
> Of course they could not guess this, because public servants are trained
> to assume that the normal citizen does not meet her/his obligations, and
> for sure they were (are) prepared to send out 8 million penalty notices
> in 24 hours.
Actually we have until mid September to lodge the information, but if you
forget who was at your place that evening (guests?) then it makes sense to
do it earlier rather than later.
>>> Who in the bureaucrats hell told them to go with one deadline for
>>> everybody? For the census in Australia, I would have told the
>>> citizens that everybody got an individual deadline which is his or
>>> her birthday in 2016 -- problem solved.

see above..  it's a 6 week window from memory.


>> That'd be great load-balancing .. shall I let them know? :)
> Doesn't cost anything giving it a try, however, you could as well slap an
> ox on his horn - same effect.