Slashdot Mirror


User: Sancho

Sancho's activity in the archive.

Stories: 0
Comments: 5,182

Comments · 5,182

  1. Re:IPtables rate limiting is better on Distributed, Low-Intensity Botnets · · Score: 1

    Most of the time, these limits are by source IP-address. This new attack self-limits the rate of connections from a single IP address, and instead hits the same destination from multiple sources. Rate limiting globally will work here, but will mean that legitimate SSH connections will be slowed down.

  2. Re:Old news on Distributed, Low-Intensity Botnets · · Score: 1

    Because I have users to think of, and most users can't be bothered to keep and carry around SSH keys. Hell, I can't either, so if I need to log in from an unfamiliar computer, I tend to use password-based authentication.

  3. Re:Old news on Distributed, Low-Intensity Botnets · · Score: 1

    Pretty good idea on the user black list. You could probably even do some interesting things to detect common misspellings of your usernames and blacklist anyone using anything else after a single attempt.

  4. Re:Old news on Distributed, Low-Intensity Botnets · · Score: 3, Informative

    I have always had a select few hosts which are allowed unconditional access to the server, so if I need to, I'll get access.

    Another option is to set up a second SSH daemon on a different port, and which only allows logins using public key (and possibly only by a specific user.) If you get blocked out on port 22, you can just use this side door to get in, as long as you've got your key.

  5. Re:uTorrent on Making BitTorrent Clients Prioritize By Geography? · · Score: 1

    I'll look into that. Honestly, for the most part, it's been apathy that's prevented me from delving into the advanced options. I probably fire up rtorrent twice a year. I'll seed for a day or two, then kill it. If I was a heavy user, I'm sure I'd find more time to streamline the process.

  6. Re:Old news on Distributed, Low-Intensity Botnets · · Score: 5, Interesting

    I've noticed a significantly increased number of brute-force attacks in the last week or so. They're also spacing the number of attempts per IP address out; however, I'll get several attempts in a row for the same invalid username from several different IP addresses within seconds of each other. Then all of the addresses will back off for a couple of minutes, and then they'll retry with a new username.

    It's gotten to the point where I have finally installed Denyhosts. Prior to this week, I got away with limiting the number of new connections to port 22 per IP address per minute, but with the backoff that they're doing now, that no longer works.

    Denyhosts is fantastic, though. Since I last evaluated it, they've added the ability to sync with a centralized server, meaning that I can potentially block attackers before they even hit me. I wish that everyone would use it, now.

  7. Re:Non-geo-ip on Making BitTorrent Clients Prioritize By Geography? · · Score: 1

    Most BitTorrent clients will prefer peers that they get a better transfer rate from, which is understandable. If you have better connectivity inside your ISP's network than to the outside, it even works as a rudimentary way of prioritising by location.

    And for the stated purpose of the request, it works out better. Unless you've got political concerns, you shouldn't care where your packets are going, or where they're coming from. You should only care that you can send and receive as fast as possible. If that is accomplished, the goal of transferring the whole of the data as quickly as possible is almost certainly going to be accomplished.

    There are other things to be concerned with, though. If only a single peer has a chunk of the data, it's important to get that chunk and replicate it a bit. This prevents the entire torrent from being worthless if that peer drops off before someone else gets it. But assuming a well-distributed torrent, just prioritizing based on speed should be enough.

  8. Re:uTorrent on Making BitTorrent Clients Prioritize By Geography? · · Score: 1

    I didn't realize that using BitTorrent was so complicated. Usually I just type "rtorrent *.torrent" in my terminal and go for lunch. When I get back, my files are there.

  9. Re:Won't work on Making BitTorrent Clients Prioritize By Geography? · · Score: 1

    Seems like for the bandwidth that ISPs care about (that which they have to send across the backbone), it'd be about the same. But they'd be providing better service, assuming they can fix the DoS issue.

    But it's obviously never going to happen because the implementation details are a pain in the butt.

  10. Re:Azereus already has a plugin for this on Making BitTorrent Clients Prioritize By Geography? · · Score: 4, Interesting

    ISPs actually like P4P. It gives the customers what they want (fast P2P) and it gives the ISPs what they want (less data sent to the tubes that they don't own, and thus reduced costs and overhead.)

  11. Re:Best of intentions on BitTorrent Calls UDP Report "Utter Nonsense" · · Score: 1

    I'm sure that such problems can be solved, but:
    1) Retransmission/order may still be important if BT chunk size is greater than max packet size.
    2) The advantages you cite mean that DoS of trackers and clients becomes easier.

  12. Re:Wishful thinking... on FCC Considering Free Internet For USA · · Score: 1

    Are you behind a NAT box or other firewall? Are you forwarding the appropriate ports, or are they open through the firewall? Are you stingy with your uploads? Do you traffic-shape appropriately so that your computer is capable of sending ACKs in a timely manner? Are you going after well-seeded torrents, or old things with one or two peers and seeders?

    I've had great luck with BitTorrent. Every time a new Ubuntu version is released, I grab it using BitTorrent. I come close to saturating my connection (both directions.) But then, I've taken the time to tweak things so that it works well, and I'm using popular torrents.

  13. Re:Wishful thinking... on FCC Considering Free Internet For USA · · Score: 1

    This is fine for some things, and terrible for others. Video conferencing? Nope. YouTube videos? Yup.

    But it also requires vitally different infrastructure than just a bunch of computers connected to wireless. It requires that each computer on the public network allocate storage and act as a server. It requires protocols which can search out information on this network quickly, and my bandwidth is decreased when someone's getting data out of my cache. It has problems with tampering, to boot.

  14. Re:A little extreme there, don't you think? on Bittorrent To Cause Internet Meltdown · · Score: 1

    Commercials yes I realize they make money from the commercials, why don't they just make their own torrents which include commercials? Personally I wouldn't mind a bit, it's not the commercial-freeness of the shows I see online that I like, it's that I can get an entire series all at once and not have to worry about missing an episode.

    Because they'd get nowhere near the exposure. Advertisers want specific people to view their ads. It's not generally the people who would download the ads for entertainment.

    No TV/Radio/Internet without advertising? I agree on the TV and the Radio, but I pay for my internet with cold hard cash, without advertising, there may be less content, but advertising has nothing to do with my internet connection, or are you saying that they subsidize the internet with advertising dollars that they make from cable?

    Most websites make revenue from advertising. No advertising, no revenue, no website.

    Higher Prices

    They're effectively doing that with bandwidth caps and penalties. And people are complaining to high heaven.

  15. Re:Problems: on What Needs Fixing In Linux · · Score: 1

    Beating Microsoft may not be the goal, but market share is a metric by which we can measure the success of building a good (for various definitions) operating environment. If Linux can pull people away from Microsoft, then either they're doing something really wrong, we're doing something really right, or both.

    The only time that it becomes problematic is when bad design decisions are made in an effort to make Windows users feel more comfortable on Linux. Copying Microsoft's good designs isn't necessarily bad. Copying their bad designs is.

  16. Re:Best use of the Kindle on An Ethical Question Regarding Ebooks · · Score: 1

    Indeed. Thanks for talking sense into me :) I now realize that he's either a complete idiot or a troll, and will ignore him either way.

  17. Re:Best use of the Kindle on An Ethical Question Regarding Ebooks · · Score: 1

    Says who?

    The poster asserts that he bought an e-book. I have no reason to believe that he didn't.

  18. Re:Best use of the Kindle on An Ethical Question Regarding Ebooks · · Score: 1

    Next time, try reading the posts.

    Person 1: When I buy a book, I print it out.
    Person 2: You know that's illegal, right?
    Person 3: Format shifting for personal use is legal.
    Person 4 (you): OMGZORZ THATZ ILLEGALS CUZ YOU NO OWN PERSONAL COPY
    Person 5 (me): He owns a copy--he said so in his post.

    Thread starts here:
    http://yro.slashdot.org/comments.pl?sid=1045741&cid=25929271

  19. Re:Ubuntu may be fast... on Benchmarks For Ubuntu vs. OpenSolaris vs. FreeBSD · · Score: 2, Informative

    the windows boot loader will not recognize a linux install

    My notebook, which has Windows XP and Ubuntu Linux, and which uses the Windows bootloader to boot the Linux partition, disagrees with you.

  20. Re:What about the Sun Studio compiler? on Benchmarks For Ubuntu vs. OpenSolaris vs. FreeBSD · · Score: 1

    I regularly read that list.

    I don't specifically remember anything about general performance being better. I do remember reading about routing throughput being somewhat higher on AMD than on Intel at high PPS.

    All my FreeBSD machines are AMD at the moment, except my notebook. For most tasks they are very responsive (more responsive than Windows or any flavor of Linux I've used except maybe Gentoo). However the AMD machines in my case seem to have one annoying flaw - namely if I hit caps lock, they freeze up for half a second to a second, then resume as if nothing happened.

    That's an interesting issue, and one I can't reproduce (I have a number of AMD FreeBSD machines of various versions.)

  21. I couldn't care less how off-topic this is on Inside Safari 3.2's Anti-Phishing Feature · · Score: 1

  22. Re:Data protection act? on Inside Safari 3.2's Anti-Phishing Feature · · Score: 1

    The feature list says "anti-phishing technology." It says nothing about how the technology is implemented or that it sends data to a third party.

  23. Re:It's obvious that what we need is... on Judge Excludes 3 "John Does" From RIAA Subpoena · · Score: 2, Funny

    Well, gosh, when you spin it that way, who'd let themselves be used?!

    Besides, it's not about gathering evidence. The RIAA and their investigative agencies do that. Universities just provide a name.

  24. Re:It's obvious that what we need is... on Judge Excludes 3 "John Does" From RIAA Subpoena · · Score: 1

    The problem is that then you have no leads if you really do need to track down the person associated with an IP address for some reason. "Someone hacked into your gradebook? Sorry, no clue who it may have been."

  25. Re:I'm not so sure about that on RICO Class Action Against RIAA In Missouri · · Score: 3, Insightful

    Fair points, all. The question now becomes whether or not an expected settlement is cause enough to spread your resources this thin. When I first heard about the lawsuits, my first thought was that it would be a long time before anyone fought it out, since that would be so costly. Now it turned out that people started fighting them earlier than I expected. That's pretty cool. It may have caught the RIAA off guard, too.

    I suspect that you're right. I suspect that the RIAA is intentionally abusing the system. I think that their intent is probably not to go through with any lawsuits (they expect everyone to settle, after all), but that's different from a willingness to go through with it. So far, they've mostly gone through with lawsuits for people who fought. In the cases where they've dropped it, there's usually a good amount of evidence that the defendant has a case (at least, in the cases which we've heard about.)

    So is intent enough to get them? I don't think that it should be, but in our system, it probably is.

    Of course, we may find out. If they're found guilty of racketeering, they'll have to either go through with lawsuits or stop suing. I don't see the latter happening.