Comments (9)
Operating open DNS resolvers is hard, as they're subject to heavy abuse including but not limited to DoS, reflection attacks, etc.
I cannot share all the details of the anti-abuse system publicly for obvious reasons; however, it's built on top of eBPF, and runs entirely on each edge server, with no external data sources that are read from/written to. The hosts themselves operate from RAM disk servers (using a similar system to Windscribe), and the data that is referenced solely exists in the Linux kernel space. We have limits set on packet flows to what is "reasonable" for a single IP, which triggers throttling when exceeded. If the abuse persists and increases in volume, this escalates to 2nd tier systems that refuse queries and eventually results in a nullroute of offending IPs network wide.
from privacyguides.org.
Could certainly ask them, but I'm not sure why you'd need historical data logs to block abusive IP ranges. Presumably if you're ControlD, and you're noticing lower performance or higher bandwidth usage from your servers, you can see where the traffic is coming from at that moment and block accordingly.
from privacyguides.org.
> you can see where the traffic is coming from at that moment and block accordingly
Usually such abuse systems are automated and not manual, and the sophisticated ones are multi-region. Someone hints at the automation in that subreddit thread: "our anti-abuse system is trigger happy".
> historical data logs to block abusive IP ranges

That's not the point of this issue, which is specifically about PG's claim that ControlD Free doesn't store anything at all.
> if you're ControlD, and you're noticing lower performance or higher bandwidth usage from your servers
It isn't clear if ControlD runs its own DDoS protection layer (they could be).
from privacyguides.org.
> doesn't store anything at all.
It is the point of this issue. I'm saying you haven't explained why this means they do store anything. The fact that they are automated does not necessarily change the process I outlined: The process could kick in based on # of requests made within a fixed window, for example.
Unless you are saying the fact that they stored an IP range to block as an iptables rule (or whatever) counts as them storing data for this purpose? The page does not literally mean ControlD does not possess any conceivable form of data. I could rattle off all sorts of data they possess, their webservers possess the HTML data that makes up their homepage, their social media accounts possess the contents of their posts, etc. - It is not relevant to us.
In that case this issue would be a duplicate of #2484 (i.e. that the definition of logging on the page is imprecise) and that will be fixed anyways.
from privacyguides.org.
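The tiered escalation quoted in the first comment (throttle, then refuse, then nullroute) and the fixed-window counting suggested in the comment above can be modelled together to show what state such a limiter has to hold per source IP. This is an added example, not ControlD's code (its details are not public); the thresholds, names and the Python dictionary standing in for an eBPF map are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed thresholds for illustration; the real limits are not public.
WINDOW_S = 1.0          # fixed window length, seconds
THROTTLE_BUDGET = 100   # tier 1: queries allowed per window
REFUSE_STRIKES = 3      # tier 2: consecutive over-budget windows before refusing
NULLROUTE_STRIKES = 10  # tier 3: consecutive over-budget windows before nullroute
IDLE_EXPIRY_S = 60.0    # forget a source after this much silence

@dataclass
class Flow:
    window_start: float
    count: int = 0
    strikes: int = 0    # consecutive windows that exceeded the budget
    last_seen: float = 0.0

class AbuseLimiter:
    """RAM-only per-source state: counters and two clock values, no query names."""
    def __init__(self):
        self.flows = {}  # packed source IP -> Flow (stands in for an eBPF hash map)

    def decide(self, src_ip: str, now: float) -> str:
        key = ipaddress.ip_address(src_ip).packed
        f = self.flows.get(key)
        if f is None:
            f = self.flows[key] = Flow(window_start=now)
        if now - f.window_start >= WINDOW_S:
            # Window rolled over; the streak only grows if abuse persisted without a quiet window.
            persisted = f.count > THROTTLE_BUDGET and now - f.window_start < 2 * WINDOW_S
            f.strikes = f.strikes + 1 if persisted else 0
            f.window_start, f.count = now, 0
        f.count += 1
        f.last_seen = now
        if f.strikes >= NULLROUTE_STRIKES:
            return "nullroute"
        if f.strikes >= REFUSE_STRIKES:
            return "refuse"
        if f.count > THROTTLE_BUDGET:
            return "throttle"
        return "allow"

    def expire(self, now: float) -> int:
        """Drop idle entries so the table does not become a historical record."""
        stale = [k for k, f in self.flows.items() if now - f.last_seen > IDLE_EXPIRY_S]
        for k in stale:
            del self.flows[k]
        return len(stale)
```

Even this minimal design keeps the source IP and two clock values in memory for as long as the entry lives, which is the distinction between transient state and a log that the thread is arguing about.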
Or should we say that "store" implies "to disk"?
from privacyguides.org.
> I'm saying you haven't explained why this means they do store anything.

The burden to prove whatever it is they do can't be on me, surely? To put it bluntly, most other large public resolvers elaborate exactly what they store and why, incl. for DDoS. The "no logs" resolvers recommended by PrivacyGuides however seem to be lacking in transparency in that regard?
> The process could kick in based on # of requests made within a fixed window, for example.
That's load shedding / admission control? DDoS prevention isn't limited to some single integer counter like some believe (for example, some may meter ingress and egress bandwidth, number of queries as opposed to number of connections, handshake / connection failures, connection stalls, query type, query name, query frequency, time-to-live abuse, non-compliant stub clients, using IP hopping services and so on). I am not privy to what ControlD does, or how it defines DDoS, for that matter.
> duplicate of #2484 that the definition of logging on the page is imprecise
This issue depends on just what definition of "no logs" the community settles on, yeah. Not necessarily a dupe? In fact, following up with ControlD might help decide what "no logs" should look like. Yegor, the founder, in my interactions with him, has always been pretty nice, accommodating, and approachable.
from privacyguides.org.
> The burden to prove whatever it is they do can't be on me, surely?
ControlD does share what information they store though, you're the one refuting it, so it feels like something beyond speculation should be required...
from privacyguides.org.
> ControlD does share what information they store though, you're the one refuting it, so it feels like something beyond speculation should be required...

The policy (last updated 4 months ago) says the same thing as the PG page, that ControlD Free doesn't store IP addresses or timestamps or queries. Apparently these DDoS protections were put in place only recently according to the Reddit thread. The only way to know for sure what they do is to ask them? If you think or strongly believe a counter or iptables is what they use and the fact that they haven't updated their privacy policy is proof of that, that also sounds reasonable.
from privacyguides.org.
I wonder if I can ping @yegors here to ask how they've implemented their DDoS protection with ControlD 👀
Otherwise I'll email them :)
from privacyguides.org.