20,000 1.5mbit ADSL's is 30Gbps dude - which is basically roughly what I said...
I also posted a follow up apologising for the 30Gbps being a "world" estimate when it's actually a "large city" estimate. If you're going to be pedantic, the line crosses 100Tbps in 2005 not 1Pbps which doesn't happen until about 2007.
Leaves me wondering, though, how accurate this graph is? 100Tbps for a "large city"? Or for "The world"? Either way - . My first connection was on a 300baud modem the size of a small filing cabinet I still have trouble getting my head round Gbps never mind Pbps...:-)
In any case, I hadn't intended to start any arguments about how much capacity the "Internet" has - the main point was the relatively high amount of bandwidth half a mil streams would consume... which doesn't seem so high any more if we're heading for a total capacity of Pbps!
Ummm... no, I understand the technology well enough. I think you just repeated what I said - that the "MS" end of the equation is vulnerable only if it's forwarding to a poisoned bind4/8 server.
A quick Google (I'm not wasting more than 30 seconds on this) shows bind8 vulnerabilities as far back as 2002, and bind 9 being released 4 months ago (having been in beta for several months before that). If "quite a few" isp's are still running bind8, there are "quite a few" negligent DNS admins!
Isn't the bigger issue, that the MS server is not inherently vulnerable unless it's forwarding to a poorly maintained *nix server?
Furthermore, it doesn't "forward" out of the box. It uses root hints to ask the authoritative server for answers. An admin would have to deliberately configure it as a forwarding server - and if he does so not knowing how secure the server he's forwarding to is, again he deserves what he gets.
"On Windows 2000 SP3 and above, the DNS server DOES protect against DNS cache pollution by default. The registry key to protect against the poisoning is not necessary: the value is TRUE if the registry key does not exist"
In other words, many or most 2000 installations should be secure against pollution if their admins posess the slightest clue.
"Windows DNS --> forwarding to BIND4 or BIND8. Windows DNS server assumes that BIND scrubs out the poisoning attempt. BIND4 and BIND8 do NOT appear to scrub the attack. Windows DNS trusts the data and the Windows DNS cache will become poisoned."
So much for "only affects MS servers" although the article does mention, and plays down ("ancient versions") the bind4/8 vulnerabilities. I'm left wondering how many admins have their dns servers in forwarding mode, and how many of those are forwarding to bind4/8 servers? Very few, I'd think.
It's important to note, from what I've understood of it so far, that this exploit only affects the "MS server forwarding it's requests to a bind4/8 server" scenario which I would think, would be a pretty negligible number of DNS servers?!
Another interesting thing that caught my eye, was "On Windows 2000, you should manage the DNS cache protection security setting through the DNS Management Console. On Windows 2000 below SP3, the "Secure cache against pollution" is not the default so you should enable it using the DNS Management Console. An admin who didn't already do this is dumb beyond belief, hardly a MS problem! Blaming it on MS is akin to blaming Ford if you forget to lock the door on your car. If you're a DNS admin and didn't think to check your configuration for this very old vulnerability it's time you hung up your admin hat!
For the record, I'm no more a fan of Windows than I am of *nix - but how much you wanna bet this post'll raise 80% MS bashing comments, 10% "funny" comments, and maybe 10% useful DNS Admin comments?
Very true, I simply meant to highlight the overall bandwidth such a load would demand.
Since you mention it, I'd be surprised to find that NASA isn't already akamai'd
Reluctantly replying to my own message, before anybody else points out the faux-pas I should apologise for the misleading statistics - the web page I linked was for a "large city" not the 'net in general. Now, I'm having trouble finding stats pages for the 'net in general - been a few years since I needed to look them up (or was interested)! Sorry!
Half a million streaming video clients? More than a little ambitious, I'd say.
Even at a modest 64kbps stream this would consume 32Gbps of bandwidth - that's THREE OC192's or, although the figures vary quite widely (Here's one), approximately the entire capacity of the "Internet" as it currently stands.
There are technologies that can handle this using a mere 64kbps in total (e.g. multicast) but they're not widely adopted/available (side note - why??)
You'd think an agency that can put someone on the Moon and vehicles on Mars would have the tech savvy to know off the top of their heads that they're dreaming!
MAPS are not at fault here, your colo hosts are.
If your colo house signs up a new customer, and their logs suddenly show a spike in smtp traffic - it's not MAPS's fault if they don't sit up and take notice.
I'll bet there are a ton of people reading this list, who know pretty much instinctively when there's something amis on their LAN/WAN. Spam is not difficult to spot if you're hosting it, let's face it. As a former ISP I speak from experience - we knew within hours if any of our clients hooked up an open relay mailserver (never encountered a spammer but encountered plenty of company admins who didn't know their mailservers were open for relay and needed beating with a clue-by-four). In the end, we blocked outbound smtp altogether and opened it only for people who asked for it AND demonstrated some clue that their mailserver was secured.
Your provider (a) did not notice it (and/or ignored it) and worse, (b) apparently ignored the problem until it was too late even after they were advised of it. I'd class them as spam friendly, whether they intended to be or not.
Imho, you are righteously annoyed, but with the wrong people.
Perhaps I haven't thought this through... But doesn't this seem odd to anyone?
Let me get this straight - the local authorities want to use tax dollars to cover an entire city with their "ISP". Meanwhile, the local ISPs and (presumably already) WISPs do what, exactly? Why would I want to pay an ISP for service, when my tax dollars are already subsidising the local authorities to provide the same service?
Imho, if they want to provide Internet access, they should get out of politics and go find their own funding, and set up and honest to God ISP business - compete like everybody else has to.
What's next? State-wide Internet? Country-wide?
As an expat working in Africa, it's next to impossible to watch any decent tv. I've watched many series - like Farscape, Stargate, etc *entirely* off the Internet. Whenever I travel, I bring my dvd collection up to date of the series that are available, and trash the divx's.
The point is, I'd do this even if I was still living in the UK! I want to watch stuff when it's convenient for *me* not for the tv company or to fit into a prime time advertising slot. What's more I'd be happy to pay for it. "Piracy" isn't as simple as "theft" any more. It's about filling a consumer demand, and it's about time the distributors recognised this.
Wish I'd patented it...
Multi platter drives have been around almost as long as hard drives. I've always wondered (since the early 80's) how much faster a drive would be, if the data was written in "parallel" instead of "serial" (i.e. striped across 8 platters)
I'm wondering, how on earth this "new" idea leads to claims that the data storage will be any denser.. a bit will still take up the same amount of physical space whether a byte's stored vertically ("3d") of horizontally so a platter would in theory not yield any more density than now??
Having said all that, I'm the proud owner of 20 IBM Deathstar drives^M^M^M^M^M^Mdoorstops, which are without a doubt the least reliable drives I've ever encountered. The very thought of putting any data on anything hitachi-IBM gives me the heebiejeebies...
Slashdot Mirror
I've seen it tried with a stopwatch... You are feeling sleepy... you are feeling sleepy...
Errr...
20,000 1.5mbit ADSL's is 30Gbps dude - which is basically roughly what I said...
I also posted a follow up apologising for the 30Gbps being a "world" estimate when it's actually a "large city" estimate. If you're going to be pedantic, the line crosses 100Tbps in 2005 not 1Pbps which doesn't happen until about 2007.
Leaves me wondering, though, how accurate this graph is? 100Tbps for a "large city"? Or for "The world"? Either way - . My first connection was on a 300baud modem the size of a small filing cabinet I still have trouble getting my head round Gbps never mind Pbps... :-)
In any case, I hadn't intended to start any arguments about how much capacity the "Internet" has - the main point was the relatively high amount of bandwidth half a mil streams would consume... which doesn't seem so high any more if we're heading for a total capacity of Pbps!
Ummm... no, I understand the technology well enough. I think you just repeated what I said - that the "MS" end of the equation is vulnerable only if it's forwarding to a poisoned bind4/8 server.
A quick Google (I'm not wasting more than 30 seconds on this) shows bind8 vulnerabilities as far back as 2002, and bind 9 being released 4 months ago (having been in beta for several months before that). If "quite a few" isp's are still running bind8, there are "quite a few" negligent DNS admins!
Isn't the bigger issue, that the MS server is not inherently vulnerable unless it's forwarding to a poorly maintained *nix server?
Furthermore, it doesn't "forward" out of the box. It uses root hints to ask the authoritative server for answers. An admin would have to deliberately configure it as a forwarding server - and if he does so not knowing how secure the server he's forwarding to is, again he deserves what he gets.
From the article:
"On Windows 2000 SP3 and above, the DNS server DOES protect against DNS cache pollution by default. The registry key to protect against the poisoning is not necessary: the value is TRUE if the registry key does not exist"
In other words, many or most 2000 installations should be secure against pollution if their admins posess the slightest clue.
"Windows DNS --> forwarding to BIND4 or BIND8. Windows DNS server assumes that BIND scrubs out the poisoning attempt. BIND4 and BIND8 do NOT appear to scrub the attack. Windows DNS trusts the data and the Windows DNS cache will become poisoned."
So much for "only affects MS servers" although the article does mention, and plays down ("ancient versions") the bind4/8 vulnerabilities.
I'm left wondering how many admins have their dns servers in forwarding mode, and how many of those are forwarding to bind4/8 servers? Very few, I'd think.
It's important to note, from what I've understood of it so far, that this exploit only affects the "MS server forwarding it's requests to a bind4/8 server" scenario which I would think, would be a pretty negligible number of DNS servers?!
Another interesting thing that caught my eye, was "On Windows 2000, you should manage the DNS cache protection security setting through the DNS Management Console. On Windows 2000 below SP3, the "Secure cache against pollution" is not the default so you should enable it using the DNS Management Console.
An admin who didn't already do this is dumb beyond belief, hardly a MS problem! Blaming it on MS is akin to blaming Ford if you forget to lock the door on your car. If you're a DNS admin and didn't think to check your configuration for this very old vulnerability it's time you hung up your admin hat!
For the record, I'm no more a fan of Windows than I am of *nix - but how much you wanna bet this post'll raise 80% MS bashing comments, 10% "funny" comments, and maybe 10% useful DNS Admin comments?
Very true, I simply meant to highlight the overall bandwidth such a load would demand. Since you mention it, I'd be surprised to find that NASA isn't already akamai'd
Reluctantly replying to my own message, before anybody else points out the faux-pas I should apologise for the misleading statistics - the web page I linked was for a "large city" not the 'net in general. Now, I'm having trouble finding stats pages for the 'net in general - been a few years since I needed to look them up (or was interested)! Sorry!
Even at a modest 64kbps stream this would consume 32Gbps of bandwidth - that's THREE OC192's or, although the figures vary quite widely (Here's one), approximately the entire capacity of the "Internet" as it currently stands.
There are technologies that can handle this using a mere 64kbps in total (e.g. multicast) but they're not widely adopted/available (side note - why??)
You'd think an agency that can put someone on the Moon and vehicles on Mars would have the tech savvy to know off the top of their heads that they're dreaming!
MAPS are not at fault here, your colo hosts are. If your colo house signs up a new customer, and their logs suddenly show a spike in smtp traffic - it's not MAPS's fault if they don't sit up and take notice. I'll bet there are a ton of people reading this list, who know pretty much instinctively when there's something amis on their LAN/WAN. Spam is not difficult to spot if you're hosting it, let's face it. As a former ISP I speak from experience - we knew within hours if any of our clients hooked up an open relay mailserver (never encountered a spammer but encountered plenty of company admins who didn't know their mailservers were open for relay and needed beating with a clue-by-four). In the end, we blocked outbound smtp altogether and opened it only for people who asked for it AND demonstrated some clue that their mailserver was secured. Your provider (a) did not notice it (and/or ignored it) and worse, (b) apparently ignored the problem until it was too late even after they were advised of it. I'd class them as spam friendly, whether they intended to be or not. Imho, you are righteously annoyed, but with the wrong people.
Perhaps I haven't thought this through... But doesn't this seem odd to anyone? Let me get this straight - the local authorities want to use tax dollars to cover an entire city with their "ISP". Meanwhile, the local ISPs and (presumably already) WISPs do what, exactly? Why would I want to pay an ISP for service, when my tax dollars are already subsidising the local authorities to provide the same service? Imho, if they want to provide Internet access, they should get out of politics and go find their own funding, and set up and honest to God ISP business - compete like everybody else has to. What's next? State-wide Internet? Country-wide?
As an expat working in Africa, it's next to impossible to watch any decent tv. I've watched many series - like Farscape, Stargate, etc *entirely* off the Internet. Whenever I travel, I bring my dvd collection up to date of the series that are available, and trash the divx's. The point is, I'd do this even if I was still living in the UK! I want to watch stuff when it's convenient for *me* not for the tv company or to fit into a prime time advertising slot. What's more I'd be happy to pay for it. "Piracy" isn't as simple as "theft" any more. It's about filling a consumer demand, and it's about time the distributors recognised this.
Where do you think income tax goes?
Wish I'd patented it... Multi platter drives have been around almost as long as hard drives. I've always wondered (since the early 80's) how much faster a drive would be, if the data was written in "parallel" instead of "serial" (i.e. striped across 8 platters) I'm wondering, how on earth this "new" idea leads to claims that the data storage will be any denser.. a bit will still take up the same amount of physical space whether a byte's stored vertically ("3d") of horizontally so a platter would in theory not yield any more density than now?? Having said all that, I'm the proud owner of 20 IBM Deathstar drives^M^M^M^M^M^Mdoorstops, which are without a doubt the least reliable drives I've ever encountered. The very thought of putting any data on anything hitachi-IBM gives me the heebiejeebies...