privacyguides / privacyguides.org

Protect your data against global mass surveillance programs.
https://www.privacyguides.org
Creative Commons Attribution Share Alike 4.0 International

controld free plan (no logs?) #2497

Closed ignoramous closed 2 months ago

ignoramous commented 2 months ago

Affected page

https://www.privacyguides.org/en/dns/

Description

PrivacyGuides today points out:

Free [ControlD] resolvers listed on the homepage do not store this or any other data including but not limited to IP addresses, timestamps, or DNS queries themselves.

But from this recent r/controld thread [^f], it looks like they do block "abusive IPs". Clarification is required on how they achieve this across all their servers,[^u] if they do not log any form of information on incoming requests? Maybe there's [hash(IP, salt), integer-counter] in their datastore somewhere, but that isn't "do not store this or any other data..." like posited on PrivacyGuides.

[^f]: IP bans are for X hours, and are per-IP. This usually means someone on your network sent a LOT of DNS queries, perhaps without realizing, or maliciously. As we've been under DDOS attack recently, the anti-abuse system is very trigger happy, especially with free resolvers.

[^u]: Disclaimer: I run rethinkdns, a public DNS-over-HTTPS / DNS-over-TLS resolver that is "similar" to Free ControlD.

Sources

https://archive.is/XH2sm#fn:3

https://archive.is/9EYHH / https://www.reddit.com/r/ControlD/comments/1bnoriq/my_ip_range_isp_is_banned_for_good_after_using/


jonaharagon commented 2 months ago

Could certainly ask them, but I'm not sure why you'd need historical data logs to block abusive IP ranges. Presumably if you're ControlD, and you're noticing lower performance or higher bandwidth usage from your servers, you can see where the traffic is coming from at that moment and block accordingly.

ignoramous commented 2 months ago

you can see where the traffic is coming from at that moment and block accordingly

Usually such abuse systems are automated and not manual, and the sophisticated ones are multi-region. Someone hints at the automation in that subreddit thread: "our anti-abuse system is trigger happy".

historical data logs to block abusive IP ranges

That's not the point of this issue, which is specifically about PG claim that ControlD Free doesn't store anything at all.

if you're ControlD, and you're noticing lower performance or higher bandwidth usage from your servers

It isn't clear if ControlD runs its own DDoS protection layer (they could be).

jonaharagon commented 2 months ago

doesn't store anything at all.

It is the point of this issue. I'm saying you haven't explained why this means they do store anything. The fact that they are automated does not necessarily change the process I outlined: The process could kick in based on # of requests made within a fixed window, for example.

Unless you are saying the fact that they stored an IP range to block as an iptables rule (or whatever) counts as them storing data for this purpose? The page does not literally mean ControlD does not possess any conceivable form of data. I could rattle off all sorts of data they possess, their webservers possess the HTML data that makes up their homepage, their social media accounts possess the contents of their posts, etc. - It is not relevant to us.

In that case this issue would be a duplicate of #2484 (i.e. that the definition of logging on the page is imprecise) and that will be fixed anyways.

jonaharagon commented 2 months ago

Or should we say that "store" implies "to disk"?

ignoramous commented 2 months ago

I'm saying you haven't explained why this means they do store anything.

The burden to prove whatever it is they do can't be on me, surely? To put it bluntly, most other large public resolvers elaborate exactly what they store and why, incl for DDoS. The "no logs" resolvers recommended by PrivacyGuides however seem to be lacking in transparency in that regard?

The process could kick in based on # of requests made within a fixed window, for example.

That's load shedding / admission control? DDoS prevention isn't limited to some single integer counter like some believe (for example, some may meter ingress and egress bandwidth, number of queries as opposed to number of connections, handshake / connection failures, connection stalls, query type, query name, query frequency, time-to-live abuse, non-compliant stub clients, using IP hopping services and so on). I am not privy to what ControlD does, or how it defines DDoS, for that matter.

duplicate of #2484 that the definition of logging on the page is imprecise

This issue depends on just what definition of "no logs" the community settles on, yeah. Not necessarily a dupe? In fact, following up with ControlD might help decide what "no logs" should look like. Yegor, the founder, in my interactions with him, has always been pretty nice, accommodating, and approachable.

jonaharagon commented 2 months ago

The burden to prove whatever it is they do can't be on me, surely?

ControlD does share what information they store though, you're the one refuting it, so it feels like something beyond speculation should be required...

ignoramous commented 2 months ago

ControlD does share what information they store though, you're the one refuting it, so it feels like something beyond speculation should be required...

The policy (last updated 4 months ago) says the same thing as the PG page, that ControlD Free doesn't store IP addresses or timestamps or queries. Apparently these DDoS protections were put in place only recently according to the reddit thread. The only way to know for sure what they do is to ask them? If you think or strongly believe a counter or iptables is what they use and the fact that they haven't updated their privacy policy is proof of that, that also sounds reasonable.

jonaharagon commented 2 months ago

I wonder if I can ping @yegors here to ask how they've implemented their DDoS protection with ControlD 👀

Otherwise I'll email them :)

yegors commented 2 months ago

Operating open DNS resolvers is hard, as they're subject to heavy abuse including but not limited to DoS, reflection attacks, etc.

I cannot share all the details of the anti-abuse system publicly for obvious reasons however it's built on top of eBPF, and runs entirely on each edge server, with no external data sources that are read from/written to. The hosts themselves operate from RAM disk servers (using a similar system to Windscribe), and the data that is referenced solely exists in the Linux kernel space. We have limits set on packet flows to what is "reasonable" for a single IP, which triggers throttling when exceeded. If the abuse persists and increases in volume, this escalates to 2nd tier systems that refuse queries and eventually results in a nullroute of offending IPs network wide.
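The thread sketches three pieces of one mechanism: a counter of requests per client within a fixed window (jonaharagon), a table keyed by something like hash(IP, salt) rather than the raw address (ignoramous), and a per-edge, memory-only ladder that throttles, then refuses, then nullroutes (yegors). The block below is an added illustration of how those pieces fit together; it is not ControlD's, rethinkdns's or Privacy Guides' code. The thresholds, window length, ban length and client addresses are constructed, the clock is injectable so the escalation can be replayed deterministically, and the whole thing runs in userspace Python where a production system would keep the same state in kernel eBPF maps.

```python
"""Per-client anti-abuse escalation ladder held only in process memory.

Constructed example for the discussion above. Nothing here is written to disk:
state lives in a dict keyed by a salted hash of the client address and is
dropped once its window and any ban have expired.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass

# Constructed tunables; a real deployment derives these from measured baselines.
WINDOW_SECONDS = 1.0      # fixed counting window per client
THROTTLE_AT = 50          # queries per window before soft throttling
REFUSE_AT = 200           # queries per window before queries are refused
NULLROUTE_AT = 1000       # queries per window before the client is nullrouted
BAN_SECONDS = 4 * 3600    # how long a nullroute lasts

ALLOW, THROTTLE, REFUSE, NULLROUTE = "allow", "throttle", "refuse", "nullroute"


@dataclass
class Bucket:
    window_start: float
    count: int = 0
    banned_until: float = 0.0


class AbuseLadder:
    """Fixed-window counter with tiered escalation, keyed by HMAC(salt, ip)."""

    def __init__(self, salt: bytes, now=time.monotonic):
        self.salt = salt
        self.now = now                       # injectable monotonic clock
        self.buckets: dict[str, Bucket] = {}

    def _key(self, ip: str) -> str:
        # The table never holds the raw client address; rotating the salt
        # makes keys from the old epoch unlinkable to new traffic.
        return hmac.new(self.salt, ip.encode(), hashlib.sha256).hexdigest()[:16]

    def observe(self, ip: str) -> str:
        """Count one query from ip and return the action to apply to it."""
        t = self.now()
        k = self._key(ip)
        b = self.buckets.get(k)
        if b is None:
            b = self.buckets[k] = Bucket(window_start=t)
        if t < b.banned_until:
            return NULLROUTE                 # inside an active ban
        if t - b.window_start >= WINDOW_SECONDS:
            b.window_start, b.count = t, 0   # window rolled over, start fresh
        b.count += 1
        if b.count >= NULLROUTE_AT:
            b.banned_until = t + BAN_SECONDS
            return NULLROUTE
        if b.count >= REFUSE_AT:
            return REFUSE
        if b.count >= THROTTLE_AT:
            return THROTTLE
        return ALLOW

    def sweep(self) -> int:
        """Forget clients whose window and ban have both expired; returns count removed."""
        t = self.now()
        stale = [k for k, b in self.buckets.items()
                 if t - b.window_start >= WINDOW_SECONDS and t >= b.banned_until]
        for k in stale:
            del self.buckets[k]
        return len(stale)

    def rotate_salt(self, new_salt: bytes) -> None:
        """Start a new epoch: old keys cannot be recomputed, so all state is dropped."""
        self.salt = new_salt
        self.buckets.clear()


class FakeClock:
    """Deterministic clock so the escalation can be replayed step by step."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def run_demo() -> dict:
    """Replay one abusive client (constructed address) through the whole ladder."""
    clk = FakeClock()
    ladder = AbuseLadder(b"constructed-salt-rotate-periodically", now=clk)
    actions = [ladder.observe("192.0.2.10") for _ in range(NULLROUTE_AT)]
    out = {
        "first": actions[0],
        "at_throttle": actions[THROTTLE_AT - 1],
        "at_refuse": actions[REFUSE_AT - 1],
        "last": actions[-1],
        "other_client": ladder.observe("198.51.100.7"),
        "raw_ip_in_table": any("192.0.2.10" in k for k in ladder.buckets),
    }
    clk.advance(60)
    out["one_minute_later"] = ladder.observe("192.0.2.10")   # still banned
    clk.advance(BAN_SECONDS)
    out["after_ban"] = ladder.observe("192.0.2.10")          # ban lapsed, clean slate
    clk.advance(WINDOW_SECONDS)
    out["swept"] = ladder.sweep()                            # both entries expire
    out["entries_left"] = len(ladder.buckets)
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point relevant to the "no logs" wording is what this state is and is not: a keyed hash and a small integer per active client, present only while a window or ban is open, and gone after `sweep()` or a salt rotation. That is enough to enforce the per-IP, X-hour bans described in the Reddit thread without any record of individual queries, timestamps or raw addresses surviving the ban.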