On Monday, April 19, 2004, 11:27:24 AM, Justin Mason wrote:
> I'm running one of the proxies for openrbl.org. It's dead easy to set this up -- a copy of Pound, a dedicated IP address, and 5 minutes to write a 20 line config file. Pound helps "clean" the requests, and hides the real back-end server.
> The portion of openrbl.org I proxy uses under 10kbps on average, with a spike every few days for up to a few hours when someone tries to smack it. I run the IP through a 64kbps pipe with ipfw (gateway box runs FreeBSD) for extra warmfuzzies, and packet filter all but port-80 to the IP I've assigned.
>> [...] fancy posting to discuss@lists.surbl.org with tips?
> I'm at my quota for mailing lists -- if I subscribe to another, my nose will bleed. Pound is dead easy. I would venture to guess that someone who can't get it running probably shouldn't.
> Pound is at http://www.apsis.ch/pound/, or in ports/www/pound if you're FreeBSDing it.
Thanks for checking around for us, Justin. Looks like Pound is a reverse proxy for distributing web traffic to multiple behind-the-scenes web servers. It sounds like a generally useful program. We certainly could do something like that, and I could see how it would be important to an operation like openrbl which depends on web service to provide its info out to folks.
My solution is a little cruder but hopefully effective: limit MaxClients to some low enough number that the bad guys can't DOS us through web requests. Currently I have our Apache MaxClients set to 100, but I may lower it to say a fairly low 50. May also bring up web service on another server and use simple round-robin DNS for load balancing. Key though is that web is of lesser importance to us than DNS service, so if we lose web, it's not as much of a big deal as it would be to folks like openrbl.
Another tip from the SBL folks:
> I'm not even sure where the root SBL zone server is. All the public zone servers and AXFR feeds are separate. Query load is rather large, so sub-zones are being broken out to two levels, allowing for more nameservers to spread out the load. (Admins are encouraged to use close-by servers when possible.) Check "NS" records for "sbl.spamhaus.org".
Yes, if we can get some more secondaries signed on board, I may take the source servers out of the registration and delegation entirely (to hide them a little) and let the secondaries do all the DNS. Heck we could probably do that now. Maybe we'll combine it with some other changes mentioned below.
> Probably goes without saying, but selecting a zone name that can be "end of lifed" when needed should be considered.
> Also, someone else mentioned that the top-level zone, "surbl.org" for example, may become the target. So that also needs secondaries.
Yep, we now have secondaries for the top level zone surbl.org. All the secondaries of the SURBL subdomains are also secondarying the parent domain. It becomes much harder to DOS the parent domain because of that. Thanks secondaries!! :-)
Also I have some other strategies for some redundancy and DOS resistance that I will share with (at least) the secondaries once I get another server or two set up.
Cheers,
Jeff C.
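For readers who want to see what the Pound-plus-ipfw setup quoted at the top of the thread looks like in practice, here is an added example (not Justin's actual config, and not part of the original mail). It assumes a FreeBSD gateway with ipfw and dummynet, a constructed proxy address 192.0.2.10 and a constructed hidden back-end 10.0.0.5; the functions only emit the config and rules, and nothing is installed unless apply_ipfw is called as root.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses below are constructed placeholders.
PROXY_IP=192.0.2.10     # the dedicated, public IP Pound listens on
BACKEND_IP=10.0.0.5     # the real web server, never exposed directly
PIPE_BW=64Kbit/s        # dummynet bandwidth cap for traffic to the proxy IP

# Pound config: listen only on the dedicated IP, forward to the hidden back-end.
# xHTTP 0 restricts clients to the standard GET/POST/HEAD methods.
pound_config() {
    cat <<EOF
User "www"
Group "www"
LogLevel 1
ListenHTTP
    Address $PROXY_IP
    Port 80
    xHTTP 0
    Service
        BackEnd
            Address $BACKEND_IP
            Port 80
        End
    End
End
EOF
}

# ipfw rules in install order. Rule 100 shapes port-80 traffic through the pipe;
# rule 110 explicitly allows it, so the result is the same whether the sysctl
# net.inet.ip.fw.one_pass is 1 (pipe accepts) or 0 (packet continues to 110);
# rule 120 drops everything else aimed at the proxy IP.
ipfw_rules() {
    cat <<EOF
pipe 1 config bw $PIPE_BW
add 100 pipe 1 tcp from any to $PROXY_IP 80
add 110 allow tcp from any to $PROXY_IP 80
add 120 deny ip from any to $PROXY_IP
EOF
}

# Install the rules on the gateway (requires root on FreeBSD with ipfw loaded).
apply_ipfw() {
    ipfw_rules | sed 's/^/ipfw /' | sh
}
```

Write pound_config to /usr/local/etc/pound.cfg before starting Pound; the rule numbers are gaps-friendly so they can slot into an existing ipfw ruleset.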