Nitromethane is rarely the major component - too expensive. Monster trucks also usually run on alcohol.
Who's the nitwit trying to ferment fuel, when syngas/Fischer-Tropsch is twice as efficient, energetically, and can just as easily make racing grade gasoline, as it can diesel, or kerosene, or what have you. Google is your friend.
A long haul train is the perfect use case for battery power.
A properly designed cubicle ought to suffice - soundproof, tall, heavy drapes instead of a door - and not all that expensive - what do you think?
Tiling window manager + IRC/Wave.
Actually, that kinda seems reasonable, somehow. Smaller angles between wall planes might give the impression of 'roominess', though IANAPsychologist. And a honeycomb structure just might be a tad more, efficient, if my intuition is correct, though all this needs to be tested.
Dewey: I didn't expect anything, and yet I am disappointed.
Craig: That's the spirit!
Ever heard of a Faraday cage?
Stepping on white hot nails ain't healthy, but who am I to tell the elite what to do... *arms thermonuclear bomb*
Sorta makes sense. Well, not really, but who am I to complain.
What's with the incest phobia, anyway? The odds of birth defects for a child between two first cousins is on the order of 2%. Not to mention modern screening techniques. Maybe for many there will always be an ick factor, but seriously, it seems... old fashioned, this moral panic.
You could have hacked it or sold it. And what's wrong with Google? You just have to take precautions.
Who gives a fuck about legal - I just hope some gray-hat vigilante hijacks a botnet or two and leaves a steaming ash covered crater where PayPal/Amazon/MasterCard/Visa/Sony/Disney/Time Warner/Government servers were. Think about it - say you only get 10k nodes × 10Mbps = 100Gbps. That's backbone grade bandwidth, and Anonymous would welcome anyone to their ranks. Well, a man can dream...
What ads? BTW, why doesn't infoworld have an Autopager setting?
It's cool, mind sharing a... very nice cigarette on that lawn of yours :P.
I'm not entirely sure that I'm following your proposal; are you saying that we should implement some Internet-wide hierarchy of traffic-control trust up to 'DNS root server' level, and allow the 'blackholing' of networks that don't adhere to it?
No. The certificate for routing requests is hosted on the domain local DNS. Verifying DNS requests is DNSSEC's job.
What if your ISP doesn't adhere to it (I can't get mine to add reverse lookup from the static IP block I've had for nearly 3 years to my own domain...), or their implementation is buggy? Or 30 users in your subnet get infected (or 'volunteer')? If your ISP doesn't catch it in time is it okay for their upstream(s) to revoke them?
Yes. That's practically hosting botnets, though distributed filtering should mitigate compliance issues.
How about if you have a /22 and private cable all across your town - who signs your key if you want to negotiate peering with the local telcos, who won't deal with you without it?
You sign it and host it on your own DNS, or set up your router to support it (probably will be mandated by peering contracts).
When does this information get looked up? By any (every?) edge or core router before a packet is allowed through? Just TCP SYN? Drop it or reject it?
Periodical polling by, or explicit notification of, the relevant nodes, generally opportunistic.
Assuming this is an edge-router solution, what if the look up is done by a host that doesn't use their direct "superior"'s DNS servers? Or if there is no clear 'upstream' at the time the packet hits an edge router? Are you suggesting reverse-DNS lookup to get the source network name, then forward DNS lookup for the domain 'DDoS status' authority server, then a second forward request for this DDoS-participant status, any or all of which may have to fall all the way back to the root servers?
The host does not perform the look-up - the edge routers do. Get the [IP(s)][port(s)] (one reverse look-up), and check on the general (rather large, though - probably cached along the way) routing status based on DNS - one look-up. Hmmm... I guess so, you're right, but would that be a real issue?
Or is this based on traversed routers; so we can start with a reflected 'trace route' and verify everything on the hops back to the source?
No, though I guess it could be adapted... I think...
Revoking certificates via DNS is another time sink, since I understand that you're suggesting a server host their own 'DDoS safe' certificate and the public key they use to sign data (signed by their parent...?)
Correct, the data in question is just routing requests/distributed filtering protocol transmissions, the certificate key is distributed by DNS, I see no point of signing them, DNSSEC would do a fine job of verifying them.
To revoke trust from a signature, it would have to be regularly (within 'response time for DDoS attack') validated by re-requesting the possibly available revocation certificate from the network's 'parent'. Since the parent may be the one that is compromised (and bogusly revoking certificates, for example, also thusly denying service to and from any 'subservient' networks), this would have to force an un-cached validation up to 'root' to be secure.
The network itself revokes certs based on a combination of policy and behavior. Privilege levels would be handy for different external hosts.
Revoking a signature means nothing if there is any way the un-revoked signature could be accessed for a meaningful amount of time in the context that it's used in. Since DNS is made for (and scales by) delegating responsibility to the lowest-possible authority, and aggressively caching without revalidation, I think you're looking in the wrong place.
So what, just escort me out (drop my packets), and it's all good. Now, on how exactly to drop them, well, that's not my problem.
Roadblocks, OTOH, AFAIK are legal, so just screw up a few major routers instead, and you are in the clear, ethically.
The Man doesn't own all of DNS - ccTLDs anyone? Nor do they have jurisdiction over anything not on their territory. They may as well revert to guerrilla warfare, if, say WikiLeaks relocates to Iceland, or better - private island. Oh, and all those soldiers marching to the base - napalm them, live on the web, with audio. Or an anti-nuclear bunker...
Ad hominem attacks on the freedom fighters of the new generation, based on ancient and irrelevant to the matter stereotypes. I bow to your discussion skills.
War's object is more perfect peace.
PS I think slashdot ate my previous attempt at posting this, but I'm not certain, so please excuse me for dupes.
Sorry for self-replying. The certs verifying the DNS records, and the certs distributed via DNS are signed by the hosting provider cert, which is in turn signed by upstream ISPs. If a hosting provider allows abusing the trust the hosting space brings, the hosting provider cert is revoked, leaving him without DDoS protection. So he has to choose - host DDoS attacks, and get hit by them (rendering the aforementioned hosting pointless (oh the irony, a DDoS server host gets DDoSed by a botnet)), or keep it clean making sure that DDoS attacks don't go in or out. If he tries to make a business model out of DDoSing, assuming there is no one able/willing to attack, the hosting provider just gets blackholed.
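The two comments above disagree on how fast a revocation pushed through DNS actually reaches an edge router: one says the parent revokes the hosting provider's cert and protection is gone, the other says DNS caches make that take "a meaningful amount of time". The following is an added simulation (not code from either poster, and not any real anti-DDoS protocol) that puts a number on that window. It models an authoritative server holding a key record, a chain of caching resolvers between it and an edge router, and the moment the authority replaces the record with a revoked one. The record name, the key strings, the 300-second TTL and the `min_ttl` floor on the resolvers are all constructed for the example; the floor models a real resolver feature (a configured minimum cache TTL) and not a protocol flaw. Note that DNSSEC changes none of this: a signed answer stays valid in a cache until its TTL runs out, exactly like an unsigned one.

```python
"""Simulate how long a key revoked at the DNS authority keeps being served
to an edge router through a chain of caching resolvers.

Constructed example: record name, key values and timings are made up.
"""
from dataclasses import dataclass

NAME = "_routing-key.hoster.example"   # assumed record name
OLD_KEY = "key-v1"                      # assumed value before revocation
REVOKED = "key-v1 REVOKED"              # assumed value published on revocation


@dataclass
class Record:
    name: str
    value: str
    ttl: int            # TTL in seconds as set by the authority


@dataclass
class CacheEntry:
    value: str
    expires_at: int     # absolute simulation time


class Authority:
    """Authoritative server: always answers with the current record."""

    def __init__(self, records):
        self.records = {r.name: r for r in records}

    def publish(self, record):
        self.records[record.name] = record

    def query(self, name, now):
        r = self.records[name]
        return r.value, r.ttl


class CachingResolver:
    """Caching resolver that forwards misses to `upstream`.

    A correct cache passes on the *remaining* TTL, so a chain of caches
    never holds an answer longer than the authority's TTL.  `min_ttl`
    models a resolver configured with a minimum cache TTL floor: it
    re-stretches short remaining TTLs, which compounds down the chain.
    """

    def __init__(self, upstream, min_ttl=0):
        self.upstream = upstream
        self.min_ttl = min_ttl
        self.cache = {}

    def query(self, name, now):
        entry = self.cache.get(name)
        if entry is not None and entry.expires_at > now:
            return entry.value, entry.expires_at - now   # cache hit
        value, ttl = self.upstream.query(name, now)
        ttl = max(ttl, self.min_ttl)
        self.cache[name] = CacheEntry(value, now + ttl)
        return value, ttl


def revocation_delay(ttl, min_ttls, warm_times, revoke_at):
    """Seconds between the authority publishing the revocation and the
    edge router (last resolver in the chain) first seeing it.

    min_ttls[i]  -> minimum-TTL floor of resolver i (0 = correct behaviour)
    warm_times[i] -> time at which resolver i is first asked for the record
    The edge router re-checks the record every second from revoke_at on.
    """
    auth = Authority([Record(NAME, OLD_KEY, ttl)])
    chain, upstream = [], auth
    for floor in min_ttls:
        upstream = CachingResolver(upstream, min_ttl=floor)
        chain.append(upstream)
    edge = chain[-1]
    horizon = revoke_at + (len(chain) + 1) * max([ttl] + list(min_ttls))
    for t in range(horizon):
        for i, wt in enumerate(warm_times):     # populate caches
            if wt == t:
                chain[i].query(NAME, t)
        if t == revoke_at:
            auth.publish(Record(NAME, REVOKED, ttl))
        if t >= revoke_at:
            value, _ = edge.query(NAME, t)
            if value != OLD_KEY:
                return t - revoke_at
    return None     # never converged within the horizon


if __name__ == "__main__":
    # Correct caches: stale window is bounded by the original 300 s TTL.
    print("correct chain:", revocation_delay(300, [0, 0], [0, 100], 101))
    # Two resolvers with a 600 s floor: the same 300 s record stays
    # accepted for roughly twice the floor, four times the intended TTL.
    print("ttl floor chain:", revocation_delay(300, [600, 600], [0, 599], 600))
```

The first scenario shows the best case a proposal built on DNS can get: whatever the chain depth, a well-behaved cache hands the remaining TTL down, so the edge stops trusting the old key at most one TTL after it was first fetched. The second shows the failure mode from the "their implementation is buggy" comment: an upstream resolver that floors TTLs can stretch a 300-second window to nearly 1200 seconds, which is far longer than any usable "response time for a DDoS attack". Lowering the TTL shrinks the window but raises query load on the authority, which is the scaling trade-off the caching comment is pointing at.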
Verify and encrypt, PKs in DNS records, the network control protocol for anti-DDoS.
Throttle down the chain - access will be slow, but certain. The service can blacklist invalid sessions and inform the network about it, cutting off the nodes creating problems.