Robert,

Replying to an old mail, but I suppose that's okay. :-P

On Tue, 10 Jun 2014 22:11:54 +0200 Robert Kisteleki <robert@ripe.net> wrote:
> === 1. No changes to what the service offers now; ie. graphs will show results with minimum delay
> Development effort: none
> Pro: simplest solution
> Con: this is perceived by some to be "helping potential attackers" by making it easy to observe the effects of an attack on the DNS infrastructure
Yes please.

As far as using DNSMON as a tool to measure the effectiveness of an attack, anyone able to create a DDoS can use their attack hosts to measure the success of their attack as well, in real time, so that doesn't make much sense to me. (I admit that other types of DoS might benefit from this telemetry - for example someone probing the effectiveness of a newly-minted 0-day exploit.)

Operationally any kind of sign-on requirement is a hassle. It means that half the people that get an internal e-mail with a link to a DNSMON graph aren't going to be able to see it, and many of the others are going to have to dig around in wikis and old e-mail to find credentials. It means I can't paste a link into a chat with someone who doesn't have DNSMON access but could help me with the problem.

Bah, humbug.

Cheers,

--
Shane