koldfront

DNS DoS again #net

๐Ÿ•๏ธŽ - 2024-05-05

A little over a month ago my DNS servers for asjo.org were getting a lot of traffic - I never figured out why, but it was enough to bring my home router to its knees.

The same thing happened today - I noticed because my jukebox kept rebooting: it couldn't ping the router and assumed that it itself had fallen off the network.

But it hadn't, the router was just swamped and not answering:

smokeping graph showing the latency to the router shooting up to over 100ms

The cause seems to be the same as the last time, one IP address located in China sending an excessive amount of UDP DNS requests for asjo.org. Literally 998/1000 packets were that.

Looking at the two other DNS servers clearly shows that they were being hit as well:

traffic graph from DNS server spiking

On this one you can see the outgoing graph plunging after I added an iptables rule to DROP packets coming from the offending IP-address, no more answers for you:

traffic graph from the other external DNS server spiking

I couldn't get to the firewall interface in the router as it was too overloaded - so I had to reboot it, and then I was able to add this second IP-address to my "Drop DNS flood"-rule, and then smokeping started looking much better:

smokeping graph from home server to router falling back to normal

I still have no idea what the reason for these low-key DoS attacks is.

clear and reset - but fast #commandline

🕧 - 2024-04-28

When working in a terminal emulator the command clear is nice to declutter and still allow scrolling back through old output, and reset is nice to also get rid of the scrollback - e.g. if you are debugging and don't want to accidentally be confused by old output.

There's one annoying thing though, while clear is almost instant, reset takes a second. Ugh.

From a fediverse post I learned that tput reset does the same thing only without the delay! So I quickly made a symlink from ~/bin/reset pointing to /usr/bin/tput and now reset is instant - at least in Sakura.

The latest release of ncurses was yesterday, and the release announcement has this paragraph:

tput and tset

   + add "-v" option to tput, to show warnings
   + modify reset command to avoid altering clocal if the terminal
     uses a modem
   + modify  reset feature to avoid 1-second sleep if running in a
     pseudo-terminal

I don't quite understand it, as tput is fast for me, but let's see when ncurses 6.5 rolls into the various operating systems.

Devops Engineer position at Novonesis in Copenhagen #biotech #linux

🕥 - 2024-04-23
Novonesis

If you're good at Linux and want to work in a research organisation in an environment where you're expected to look after racks of servers, from making sure the right ones are there with the right components, to keeping the operating system (Ubuntu) updated, the virtual machines spinning (Proxmox), the distributed network storage in top shape (Ceph), and the tape robot fed, here is a job ad for you to check out:

· Devops Engineer, Lyngby, Denmark

You'll be expected to analyze trends (Grafana) and catch problems before they get out of hand, learn from your mistakes and document them via improved monitoring (Nagios), and to respond to the whims of researchers changing focus. A bunch of responsibility and the freedom to find a good solution - and some opinionated colleagues to discuss it with as well.

Just call me Mr. NNTP #nntp #usenet #lantern #illuminant #activitypub

🕤 - 2024-04-15

Today I counted the number of NNTP-servers I have implemented for different purposes over the years.

I wonder if I qualify for the Guinness Book of Records - I have implemented 5 different NNTP-servers:

  • d-a-d.com discussion forum (Perl)
  • Feedbase - RSS/Atom reader (Perl)
  • Lantern - blog engine (Haskell)
  • olduse.net - nntp time travel (Haskell)
  • Illuminant - ActivityPub server (Haskell)

Some years before implementing Illuminant I also sketched up an NNTP-based microblogging system, which hasn't been implemented (yet?)

Under attack?! #net

🕚 - 2024-03-31

Yesterday evening my home router started acting up. Instead of ping showing a latency of a couple of ms it went up to hundreds, and on top of that it started dropping 40-80% of the packets.

I tried turning it off and on again, wildly guessing that my ISP maybe had done some kind of upgrade or something.

It started up nicely, but then bogged down again. After a while I looked at the smokeping graph, which confirmed that something was wrong:

Smokeping graph showing the latency to the router on my LAN going haywire

I noticed that on my three DNS servers, one behind this router and two on VPSes, named was at the top of the CPU usage list. Hm.

ngrep'ing traffic on port 53 revealed a single IP doing a lot of requests for asjo.org. As in thousands.

I even got a warning from one of the VPS hosters telling me about the sudden spike in outbound traffic.

I started dropping the packets from that IP on the servers, and in the router, the outbound traffic disappeared, and my router no longer suffered. Yay!

Graph showing the sudden increase in traffic on one VPS

It seems like a weird low-key DoS attack, but it's kind of hard to understand. It's not that disruptive - luckily - and it seems to come from one IP-address only.

Well, almost. After I started dropping all packets from that IP, another one showed up as excessively active, so I started dropping packets from that one as well. Almost as soon as I did, the barrage from this second IP stopped completely.

The first IP, however, is still sending UDP packets at some 1-2 MBps to each VPS, here more than 24 hours later. Go figure.

I know that various people mistake my domain asjo.org for something else from time to time (when I had a Twitter account @asjo that also happened quite a bit), but what this IP-address - apparently somewhere in central China - has against my DNS servers, I can't tell. It's odd.
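The procedure in this post and in the "DNS DoS again" post above is the same: look at the traffic on port 53, spot the one source sending thousands of queries, and drop that source in the firewall. The script below is an added example of that triage, not the author's own commands. It works on constructed tcpdump-style lines (the addresses are TEST-NET documentation ranges, and the query names echo asjo.org from the posts; the author used ngrep, so the line format is an assumption), tallies queries per source address, flags the sources above a threshold, and prints the corresponding iptables DROP rule rather than applying it, so the list can be checked before anything is blocked:

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n udp dst port 53` output, not a real capture.
# One source (203.0.113.7) dominates the queries, mirroring the "998/1000" observation.
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.7.41000 > 192.0.2.53.53: 1000+ A? asjo.org. (26)
12:00:01.000005 IP 203.0.113.7.41001 > 192.0.2.53.53: 1001+ A? asjo.org. (26)
12:00:01.000009 IP 198.51.100.20.53215 > 192.0.2.53.53: 7+ MX? asjo.org. (26)
12:00:01.000013 IP 203.0.113.7.41002 > 192.0.2.53.53: 1002+ A? asjo.org. (26)
12:00:01.000017 IP 203.0.113.7.41003 > 192.0.2.53.53: 1003+ A? asjo.org. (26)
12:00:01.000021 IP 198.51.100.21.40001 > 192.0.2.53.53: 9+ AAAA? asjo.org. (26)
12:00:01.000025 IP 203.0.113.7.41004 > 192.0.2.53.53: 1004+ A? asjo.org. (26)'

# dns_query_sources: read tcpdump lines on stdin, print "count ip" lines, busiest first.
# Field 3 is "srcip.srcport"; the trailing ".port" is stripped to get the address.
dns_query_sources() {
    awk '$2 == "IP" { src = $3; sub(/\.[0-9]+$/, "", src); n[src]++ }
         END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# flood_sources THRESHOLD: from "count ip" lines on stdin, print the addresses
# whose query count exceeds THRESHOLD.
flood_sources() {
    awk -v t="$1" '$1 > t { print $2 }'
}

# drop_rule IP: emit the iptables rule that drops UDP DNS queries from IP.
# It is printed, not executed, so the operator reviews the list first.
drop_rule() {
    printf 'iptables -I INPUT -s %s -p udp --dport 53 -j DROP\n' "$1"
}

# top_source_share: percentage of all captured queries sent by the busiest source
# (the posts' "998/1000" figure, computed on the sample).
top_source_share() {
    printf '%s\n' "$SAMPLE_CAPTURE" | dns_query_sources |
        awk 'NR == 1 { top = $1 } { total += $1 } END { printf "%d", 100 * top / total }'
}

# Usage: show the tally, the share of the top talker, and the proposed rules.
printf '%s\n' "$SAMPLE_CAPTURE" | dns_query_sources
echo "top source sent $(top_source_share)% of the queries"
printf '%s\n' "$SAMPLE_CAPTURE" | dns_query_sources | flood_sources 3 |
    while read -r ip; do drop_rule "$ip"; done
```

On a live server the same pipeline takes its input from `tcpdump -n -l udp dst port 53` instead of the sample string; the threshold depends on what a normal minute of queries looks like on that server, which is exactly what the smokeping and traffic graphs in the posts provide.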

Atomic Blonde (2017) #movies

🕥 - 2024-03-29

Tried to watch Atomic Blonde tonight, as it is available on Danish National Television - I bailed after 30 odd minutes; it wasn't for me.

Early Unix rand() #unix

🕥 - 2024-03-12

I have mentioned The Unix Heritage Society mailing list before - fun stuff comes by on it from time to time.

Today Douglas McIlroy replied to a thread about the early Unix rand() routine and who had written a funny note in the documentation, recalling an early story of password breaking:

When Ken pioneered password cracking by trying every word in word lists at hand, one of the password files he found plenty of hits in came from Berkeley. He told them and they responded by assigning random passwords to everybody. That was a memorable error. Guessing that the passwords were generated by a simple encoding of the output of rand, Ken promptly broke 100% of the newly "hardened" password file.

Ken Thompson replied:

i wrote the generator.
dmr or rhm wrote the comment.
