Rackspace Restored After DDOS Takes Out DNS
An anonymous reader sends word that Rackspace has recovered from a severe distributed denial of service attack. "Over on the company's Google+ page Rackspace warned of 'intermittent periods of latency, packet loss, or connectivity failures when attempting to reach rackspace.com or subdomains within rackspace.com.' The company's status report later confirmed it had '... identified a UDP DDoS attack targeting the DNS servers in our IAD, ORD, and LON data centers [North Virginia, Chicago and London]. As a result of this issue, authoritative DNS resolution for any new request to the DNS servers began to fail in the affected data centers. In order to stabilize the issue, our teams placed the impacted DNS infrastructure behind mitigation services. This service is designed to protect our infrastructure, however, due to the nature of the event, a portion of legitimate traffic to our DNS infrastructure may be inadvertently blocked. Our teams are actively working to mitigate the attack and provide service stability.'"
what about your customers?
Who else could possibly have done this? Only cyberbogeymen could have been quite this evil, obviously.
Seriously.. if you actually read the horse's mouth, you would know that this all transpired back 3 days ago.
Article submitter here too: This http://start64.com/index.php?o... solves problems w/ DNS by avoiding it totally & operating locally from RAM, your IP stack (hosts file), & diskcaching kernelmode subsystems (less messagepassing overheads, native parts you already have that are proven, work + refined - For going faster, safer, and more reliably online).
* Enjoy...
I do for 24 of my fav. sites I spend 95++% of my time online, placing them @ the TOP of my hosts file to avoid DNS redirect poisoning (kaminsky bug, of which 99.999% of ISP DNS are *NOT PATCHED* against mind you) & downed DNS too (or exploited ones per this article), & it ends up resolving sites FASTER, locally from RAM, once cached.
That equates to approximately 2-3 MILLION indexed lookups worth saved (wasting time querying remote DNS which is exploitable as hell & insecure, mostly) & works for me locally, faster & more reliably by far vs. such exploits this article notes + more, & 95++% of the time (per my router logs).
Now - Sub 4% of the time, when I DO have to use remote DNS, I use OpenDNS (secured, filtered vs. threats, patched vs. the Kaminsky flaw & DNSSEC secured to its upstream updaters too) BOTH in my router/firewall + OS IP Stack settings.
APK
P.S.=> It's 100% free, works ("Stronger than steel and a 3rd the weight" ala Howard Stark) - No strings attached, & my program is recommended + hosted by MalwareBytes' hpHosts (reputable + reliable as it gets) -> http://hosts-file.net/?s=Downl...
... apk
Article submitter here: See subject-line, & this (the cure for stuff like this, per yours truly) -> http://it.slashdot.org/comment...
(Per my subject line - it was rejected then, but it's accepted tonite - that's fine by me)
APK
P.S.=> Enjoy & Merry Christmas world - back to food & enjoying fun... apk
Can you feel it?
Surely the controlling powers of /. aren't so dumb that they can't hide their statistically recurring concentration of themed stories to push their agenda, every 2 months like clockwork - come on guys!
Why? Because of Alex Jones!
i heard they protect against such attacks
TFA mentioned a UDP port DDoS attack at 3 of Rackspace's datacenters
TFA also mentioned that Rackspace people are working to mitigate the DDoS attack and the ensuing effect, but never tells us how or what they do
Can anybody kindly share with us what small flies like us, can do, if we are under similar kind of attack?
See my subject-line above, & the post you replied to - LEARN TO READ!
* In case you hadn't noticed, I note that in my original post...
APK
See my subject above: That's what I had to fill "illiterate boy" in on here http://it.slashdot.org/comment... on FAVORITE SITES YOU GO TO AND SPEND YOUR TIME ONLINE AT PRIMARILY, hosts make an excellent faster local resolution machine for that
*AND*
Hosts usage thus also gets you by/secures you vs. THIS kind of thing happening too (DNS going down, being redirect poisoned, OR being DDoS'd/exploited)...
* NOW - As far as your "He Who Must Not Be Named" bullshit too? Please - grow up (or do better software than I do or have, ok?? Good...) - good luck (you'll need it, since this particular one from me makes you FASTER, SAFER, MORE RELIABLE, & even MORE ANONYMOUS online...).
APK
P.S.=> Of course, the USUAL MORON(s) "downmodded" my posts here - I wonder why (not)? Guess they're just jealous and unskilled themselves (now THAT oughtta "get a rise" outta them again, eh? LOL! Nothing like the truth to do that for ya!)... apk
Article submitter here too: This-> http://start64.com/index.php?o... solves THIS & other problems w/ DNS by avoiding it totally FOR YOUR FAVORITE SITES (emphasizing that point for the moron who downmodded me earlier on this same post here since HE CAN'T READ-> http://it.slashdot.org/comment... that was my reply to his illiterate/adhd ass, pointing that out to him) & operating locally from RAM, your IP stack (hosts file), & diskcaching kernelmode subsystems (less messagepassing overheads, native parts you already have that are proven, work + refined - For going faster, safer, and more reliably online).
* Enjoy...
I do for 24 of my fav. sites I spend 95++% of my time online, placing them @ the TOP of my hosts file to avoid DNS redirect poisoning (kaminsky bug, of which 99.999% of ISP DNS are *NOT PATCHED* against mind you) & downed DNS too (or exploited ones per this article), & it ends up resolving sites FASTER, locally from RAM, once cached.
That equates to approximately 2-3 MILLION indexed lookups worth saved (wasting time querying remote DNS which is exploitable as hell & insecure, mostly) & works for me locally, faster & more reliably by far vs. such exploits this article notes + more, & 95++% of the time (per my router logs).
Now - Sub 4% of the time, when I DO have to use remote DNS, I use OpenDNS (secured, filtered vs. threats, patched vs. the Kaminsky flaw & DNSSEC secured to its upstream updaters too) BOTH in my router/firewall + OS IP Stack settings.
APK
P.S.=> It's 100% free, & it works ("Stronger than steel and a 3rd the weight" ala Howard Stark) - No strings attached, & my program is recommended + hosted by MalwareBytes' hpHosts (reputable + reliable as it gets) -> http://hosts-file.net/?s=Downl...
... apk
Article submitter here: See subject-line, & this (a cure for stuff like this, per yours truly) -> http://it.slashdot.org/comment...
(Per my subject line - it was rejected then, but it's accepted tonite - that's fine by me)
NOW - whoever downmodded this SAME reply (the link I posted above in fact to illustrate the downmod bombing some little asswipe's doing to my posts as usual) is nothing but a little asshole troll with modpoints, no questions asked, and I invite their LAME ASS to do a BETTER tool than mine (which is *NEVER* going to happen, since the downmodder's nothing more than an idiot troll obviously) that gets folks more SPEED online, more SECURITY online, & more RELIABILITY online also, from 1 single moving part (hosts) via a 1 moving part program to make hosts so.
APK
P.S.=> I get major satisfaction knowing that last part - the downmodder's a do-nothing "ne'er-do-well", & NOTHING more - that can't manage to produce something more useful on as many levels as I have... apk
I don't put every host-domain there is in hosts: Only favorite sites http://it.slashdot.org/comment... at the TOP of the hosts file, properly resolved (which is where you spend most of your time online, & in MY case? I spend, literally, over 95++% of my time at my favorite sites online, per analyzing my router log data to do so, and to GO FASTER ONLINE since locally ram cached data for this resolves FAR FASTER than remote DNS queries - especially when DNS is in doubt, being under attack or exploited by redirect poisoning/kaminsky flaw (of which 99.999% of ISP's are NOT patched against, mind you)).
The rest are blocked entries (vs. known bad sites/hosts-domains that serve up malware, or malicious script exploits, botnet C&C servers, rogue DNS servers, etc. - et al) to protect you...
(3,352,217++ worth of them here, & counting (growing that list here since 1997 in fact)).
APK
Microsoft Windows NT-based OS settings vs. DDoS/DoS:
Protect Against SYN Attacks
FROM -> http://msdn.microsoft.com/en-u...
A SYN attack exploits a vulnerability in the TCP/IP connection establishment mechanism. To mount a SYN flood attack, an attacker uses a program to send a flood of TCP SYN requests to fill the pending connection queue on the server. This prevents other users from establishing network connections.
To protect the network against SYN attacks, follow these generalized steps, explained later in this document:
Enable SYN attack protection
Set SYN protection thresholds
Set additional protections
Enable SYN Attack Protection
---
The named value to enable SYN attack protection is located beneath the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters.
Value name: SynAttackProtect
Recommended value: 2
Valid values: 0, 1, 2
Description: Causes TCP to adjust retransmission of SYN-ACKS. When you configure this value the connection responses timeout more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.
---
Set SYN Protection Thresholds
The following values determine the thresholds for which SYN protection is triggered. All of the keys and values in this section are under the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters
These keys and values are:
Value name: TcpMaxPortsExhausted
Recommended value: 5
Valid values: 0–65535
Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.
Value name: TcpMaxHalfOpen
Recommended value data: 500
Valid values: 100–65535
Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded, SYN flood protection is triggered.
Value name: TcpMaxHalfOpenRetried
Recommended value data: 400
Valid values: 80–65535
Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When SynAttackProtect is exceeded, SYN flood protection is triggered.
---
Set Additional Protections
All the keys and values in this section are located under the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters. These keys and values are:
Value name: TcpMaxConnectResponseRetransmissions
Recommended value data: 2
Valid values: 0–255
Description: Controls how many times a SYN-ACK is retransmitted before canceling the attempt when responding to a SYN request.
Value name: TcpMaxDataRetransmissions
Recommended value data: 2
Valid values: 0–65535
Description: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection.
Value name: EnablePMTUDiscovery
Recommended value data: 0
Valid values: 0, 1
Description: Setting this value to 1 (the default) forces TCP to discover the maximum transmission unit or largest packet size over the path to a remote host. An attacker can force packet fragmentation, which overworks the stack.
Specifying 0 forces the MTU of 576 bytes for connections from hosts not on the local subnet.
Value name: KeepAliveTime
Recommended value data: 300000
Valid values: 80–4294967295
Description: Specifies how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet.
---
Lastly, of cou
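An audit of the registry values listed in the post above, added here as an example and not part of the original comment or of Microsoft's document: it parses `reg query` output for the `TcpIp\Parameters` key and compares each value with the recommended value and valid range quoted in the post. The sample output and the function names are constructed for illustration.

```python
import re

# (recommended, minimum, maximum) for each value, copied from the quoted guidance.
BASELINE = {
    "SynAttackProtect": (2, 0, 2),
    "TcpMaxPortsExhausted": (5, 0, 65535),
    "TcpMaxHalfOpen": (500, 100, 65535),
    "TcpMaxHalfOpenRetried": (400, 80, 65535),
    "TcpMaxConnectResponseRetransmissions": (2, 0, 255),
    "TcpMaxDataRetransmissions": (2, 0, 65535),
    "EnablePMTUDiscovery": (0, 0, 1),
    "KeepAliveTime": (300000, 80, 4294967295),
}

# Constructed sample in the layout printed by `reg query` (not from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters
    SynAttackProtect    REG_DWORD    0x1
    TcpMaxHalfOpen    REG_DWORD    0x1f4
    TcpMaxHalfOpenRetried    REG_DWORD    0x32
    EnablePMTUDiscovery    REG_DWORD    0x0
    KeepAliveTime    REG_DWORD    0x6ddd00
    Hostname    REG_SZ    web01
"""

# Only DWORD values matter here; reg.exe prints their data as 0x-prefixed hex.
DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def parse_reg_query(text):
    """Return {lowercased value name: int} for every REG_DWORD line."""
    values = {}
    for line in text.splitlines():
        match = DWORD_LINE.match(line)
        if match:
            # Registry value names are case-insensitive, so normalise them.
            values[match.group(1).lower()] = int(match.group(2), 16)
    return values


def audit(text):
    """Map each baseline name to (status, current value, recommended value)."""
    found = parse_reg_query(text)
    report = {}
    for name, (want, low, high) in BASELINE.items():
        got = found.get(name.lower())
        if got is None:
            status = "missing"   # value absent: the OS default applies
        elif not low <= got <= high:
            status = "invalid"   # outside the documented valid range
        elif got != want:
            status = "drift"     # valid, but not the recommended setting
        else:
            status = "ok"
        report[name] = (status, got, want)
    return report


if __name__ == "__main__":
    for name, (status, got, want) in audit(SAMPLE).items():
        print(f"{name:38} {status:8} current={got} recommended={want}")
```

The quoted guidance was written for older Windows TCP/IP stacks, so confirm that each value is still honored on the OS version being audited before treating "missing" as a finding.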
See subject-line: That I built myself that works- Do YOU? LOL, hell no!
In fact not only do I help end users not get hurt by this using hosts in this article's posts, but I also offer TONS of mitigation support vs. DDoS/DoS of *most* kinds, here -> http://it.slashdot.org/comment... - so AGAIN: Do you? No.
* Go away, puny ac troll!
(Man... it's obvious YOU are the one downmodding my posts, asshole, since you posted ac to avoid removing those bogus downmods of yours! )
APK
P.S.=>
"The reason you always get modded down is because a) you're spamming your own personal 'service'" - by Anonymous Coward on Friday December 26, 2014 @09:07AM (#48675089)
See above, & "tell us another one", Mr. AC "ne'er-do-well"... ok? Good... @ least I OFFER ONE THAT WORKS that I built myself, for others... you haven't (being the no-talent DOUCHE that you are, windbag).
---
"and b) you're a pompous dick about it." - by Anonymous Coward on Friday December 26, 2014 @09:07AM (#48675089)
You're a do-nothing "ne'er-do-well" that can't develop something BETTER than I have for end users in my hosts program -> http://start64.com/index.php?o... which YES, works to protect end users here AND vs. MANY OTHER TYPES OF THREATS ONLINE, and yet it makes them FASTER too (do any other security solutions? No, not really... they slow you down!)
---
"Your posts are also a disjointed, rambling series of poorly connected sentences which consist mainly of misused and/or unrelated buzzwords and jargon." - by Anonymous Coward on Friday December 26, 2014 @09:07AM (#48675089)
And lastly, after that crap of yours? You're a full of shit LAZY "ne'er-do-well" that can't manage to build his OWN solutions as I have (much less share them with others, freely, no charge/no strings attached)... apk
I outline it here in my p.s., per my subject-line above http://games.slashdot.org/comm... but also point out potential downsides in doubling overheads that way...
Hey - THAT just *might* work here (vs. DNS amplification attacks) along with monitoring systems like AMAZON & MS use for their other networks that actually works vs. large-scale DDoS attacks...
APK
P.S.=> Which is what they essentially monitor against (large requests of *ANY* kind from any single, or multiple, sources & shutting them out *IF/WHEN* they're spotted doing so via a number of methods (nullrouting's my guess, & they've automated it vs. using the route command manually OR router tables for it)... apk
To "start things off" w/ fact since 94% of the world's PC's & Servers combined use Windows? I wrote it for Windows users.
Secondly: Porting it would be *FAIRLY* trivial - how/why?
This -> http://www.embarcadero.com/pro...
Using it, I can target JUST ABOUT *ANY* PLATFORM THERE IS - it's "up there" in the class of C/C++ in fact on those grounds and more!
(E.G.-> Delphi Object Pascal's outraced MSVC++, doubling it in MATH & STRINGS WORK in "Visual Basic Programmer's Journal" Sept./Oct. issue 1997 titled "Inside the VB Compiler" - where it swept the FLOOR with *BOTH* Microsoft's VB & VC++, by DOUBLE or more in math & strings especially - which EVERY program does, mind you - & 4-6 tests overall...)
APK
P.S.=> NOW, afaik, for Linux specifically, there's FreePascal & the Lazarus IDE for that port!
(They're almost an EXACT CLONE of Delphi's object pascal front end/ide, with a VERY similar instruction set)
AND - there USED to be Kylix, but Borland gave up on it, too bad...
STILL: All I'd *REALLY* have to "look out for" in the port, would be sockets differences (not a problem, I used a multiplatform componentset for that much) between *NIX sockets & WinSock2, - AND - drive letters, vs. mounted devices...
So - guess what?
That's NOT a LOT OF WORK for a port... apk
The key to this is the ability to send NAK packets back upstream so that the DDoSers' ping requests get returned to sender instead of making it to their intended target. Seems like we need a better roll-out of this idea if RackSpace is still falling victim to this.
Remember...
ACK means acknowledged, I've got that and it sticks.
RST means reset, I didn't get that right, we've got something that doesn't add up to the checksum, let's go back to a previous numbered packet.
NAK means, I got that and I don't like that. Go away, and would a router upstream please add a firewall rule blocking whoever sent me that.
Especially when you have trouble shutting down your own PC, lol!
* Per my subject-line above: Good luck "taking 'em down", ok?
APK
P.S.=> I only put out valid information with backing evidences thereof from reputable sources - you don't & haven't! Thus, you're full of shit & mere "hot-air" on your end, lmao... apk
Article submitter here: This-> http://start64.com/index.php?o... solves THIS & other DNS issues by avoiding it FOR FAVORITE SITES (emphasizing that for the moron who downmodded me earlier on this same post since HE's ILLITERATE-> http://it.slashdot.org/comment... & LATER HERE AGAIN http://it.slashdot.org/comment... w/ BOTH POSTS pointing that out to him)...
ALL operating locally from RAM + your IP stack (hosts file) & diskcaching kernelmode subsystems (less messagepassing overheads & GREATER EFFICIENCY by far being ALL in ring 0/kernelmode native parts you already have that are proven + refined - For going faster, safer, & more reliably online).
* Enjoy...
---
I.E./E.G.-> I do for 24 of my fav. sites I spend 95++% of my time online, placing them @ the TOP of my hosts file to avoid DNS redirect poisoning (kaminsky bug of which 99.999% of ISP DNS are *NOT PATCHED* against mind you) & downed DNS too (or exploited ones per this article), & it ends up resolving sites FASTER locally from RAM once cached.
Equating to approximately 2-3 MILLION indexed REMOTE DNS lookups worth saved (wasting time querying remote DNS which is exploitable as hell & insecure mostly) & works for me locally faster & more reliably by far vs. such exploits this article notes + more 95++% of the time (per my router logs analyzed on where I spend my time online MOSTLY).
---
Now - Sub 4% of the time when I DO use remote DNS, I use OpenDNS (secured, filtered vs. threats, patched vs. the Kaminsky flaw & DNSSEC secured to its upstream updaters) BOTH in my router/firewall + OS IP Stack settings.
APK
P.S.=> It's 100% free, & works doing MORE with LESS, no less (especially vs. other "so-called 'solutions'", it's "Stronger than steel and a 3rd the weight" ala Howard Stark) & my program is recommended + hosted by MalwareBytes' hpHosts (reputable + reliable as it gets) -> http://hosts-file.net/?s=Downl...
... apk
See subject: One I built myself that works- Do YOU? No!
In fact not only do I help end users not get hurt by this using hosts in this article's posts but I offered TONS of mitigation support vs. DDoS/DoS of *most* kinds here -> http://it.slashdot.org/comment... - so AGAIN: Do you? No.
* Man... lol: It's SO painfully obvious YOU are the one downmodding my posts like you did this very one too no less earlier-> http://it.slashdot.org/comment... to "hide" your fails (we see it anyways) since you posted ac to avoid removing those bogus downmods of yours! )
APK
P.S.=>
"The reason you always get modded down is because a) you're spamming your own personal 'service'" - by Anonymous Coward on Friday December 26, 2014 @09:07AM (#48675089)
See above, & "tell us another one", Mr. AC "ne'er-do-well"... ok? Good... @ least I OFFER ONE THAT WORKS that I built myself, for others... you haven't & CAN'T (being the no-talent DOUCHE that you are, windbag).
---
"and b) you're a pompous dick about it." - by Anonymous Coward on Friday December 26, 2014 @09:07AM (#48675089)
You're a do-nothing "ne'er-do-well" that can't develop something BETTER than I have for end users in my hosts program -> http://start64.com/index.php?o... that's recommended & HOSTED by hpHosts' malwarebytes http://hosts-file.net/?s=Downl... no less (as reputable as it gets) which YES, works to protect end users here AND vs. MANY OTHER TYPES OF THREATS ONLINE, and yet it makes them FASTER too (do any other security solutions? No, not really... they slow you down!)
---
"Your posts are also a disjointed, rambling series of poorly connected sentences which consist mainly of misused and/or unrelated buzzwords and jargon." - by Anonymous Coward on Friday December 26, 2014 @09:07AM (#48675089)
And lastly, after that crap of yours? You're a full of shit LAZY "ne'er-do-well" that can't manage to build his OWN solutions as I have (much less share them with others, freely, no charge/no strings attached)... apk