Date: Thu, 11 Aug 2016 21:20:10 -0300
From: "Dr. Rolf Jansen" <rj@obsigna.com>
To: freebsd-ipfw@freebsd.org
Subject: Re: your thoughts on a particualar ipfw action.
Message-ID: <18FB78EB-B93F-4E03-8DCC-83294133C323@obsigna.com>
In-Reply-To: <20160812014005.V79687@sola.nimnet.asn.au>
References: <20160805024301.H56585@sola.nimnet.asn.au>
 <B26AAEC0-593A-46D9-A22F-F6B4B78E7E8E@obsigna.com>
 <7486c7ce-49db-b6b9-a6bb-13f04b4ce6d6@freebsd.org>
 <F3D40C57-831D-4A7C-B84B-8DA34E4DC701@obsigna.com>
 <242DF6D8-4287-43BF-BE9F-CE1665D31ED2@obsigna.com>
 <9D024314-57A2-4079-B630-FB0D844DD5B5@obsigna.com>
 <20160811200425.F79687@sola.nimnet.asn.au>
 <DA5B5C46-9505-4A3E-948A-7392844F21C3@obsigna.com>
 <20160812014005.V79687@sola.nimnet.asn.au>

> On 11.08.2016 at 14:20, Ian Smith <smithi@nimnet.asn.au> wrote:
> On Thu, 11 Aug 2016 10:09:24 -0300, Dr. Rolf Jansen wrote:
>>> On 11.08.2016 at 08:06, Ian Smith <smithi@nimnet.asn.au> wrote:
>>> On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
>>> ...
>>> ...
>>>> I just submitted a PR asking to add the new port 'sysutils/ipdbtools'.
>>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211744
>>>
>>> Wonderful.
>>
>> The port maintainers were really quick. The port has been accepted
>> and has been already committed.
>
> So it has, on refreshing the page. Smooth and fast.
>
> Re __uint128_t I _guess_ there may be macro/s to do that maths for i386?

Yeah, I am exploring the options. Comparisons, addition and subtraction
are working already, multiplication, division and remainder operations
are a tad more difficult, I must leave this for some weekend.

>>> ...
>>> A more tech-savvy article than ABC or other news media managed so far:
>>> https://www.theguardian.com/australia-news/2016/aug/10/computer-says-no-australian-census-shambles-explanation-depends-on-who-you-ask
>>
>> Well, I tend to believe that this has nothing to do with DoS attacks,
>
> Some should have been expected, planned for, mitigation anticipated, as
> well as expecting at least 5 times the legit connections/hr they tested
> for, and as the guardian article pointed to, their DNS was screwed in
> several ways: way too long TTL (can't move fast), hard-coded subdomain
> in SSL cert (couldn't readily add load-sharing capacity?) and such.
>
> But they admit the geo-blocking fell over - whether inline as firewall
> or on another server fielding lookup requests not disclosed - but they
> say that failure caused a/the/some router to fail (crash? explode? :)

Perhaps they did Geo-blocking in the way that I mentioned in the summary
of the ipdbtool's manual to be a no-go:

   ...
   Unfortunately, online database look-up is by far too slow for even
   thinking about being utilized on the firewall level, where IP packets
   need to be processed in a microsecond time scale. Therefore, a locally
   maintained IP Geo-location database is indispensable in the given
   respect.
   ...

> IBM, FFS! but they'll point to govt specs and disclaim hardware failure
> but still it's not great product endorsement for their SoftLayer Cloud.

Natural but non-professional reaction. My mother always told us, if you
point with your index finger to others, three fingers are pointing back to
you. So IBM not only failed technically but also the PR division did a bad
job.

>> I mean, of course it is DoS, but not caused by an attack. Exactly the
>> same happens every year on 30th of April between 17:00 and 24:00 on
>> the servers of the Federal Bureau of Finance here in Brazil. That is
>> the deadline for the online-submission of the annual tax declaration
>> of the Brazilian citizens. Seems that the bureaucrats all over the
>> world share the same deficiency of creative problem solving.
>
> Seems it's a requirement for the job, world wide. Creativity is scary,
> but you think they could guess that ~8 million households in the eastern
> timezone were going to have dinner then do their census within ~2 hours.

Of course they could not guess this, because public servants are trained
to assume that the normal citizen does not meet her/his obligations, and
for sure they were (are) prepared to send out 8 million penalty notices
in 24 hours.

>> Who in the bureaucrats hell told them to go with one deadline for
>> everybody? For the census in Australia, I would have told the
>> citizens that everybody got an individual deadline which is his or
>> her birthday in 2016 -- problem solved.
>
> That'd be great load-balancing .. shall I let them know? :)

Doesn't cost anything giving it a try, however, you could as well slap
an ox on his horn - same effect.