Recipe: Trac via Nginx-front
Tuesday, April 23. 2013
I'm a fan of Trac wiki / issue tracker. It has the correct price (free) combined with all the features I need in software development. Since all my Linux-development is done in RHEL / CentOS -environment, getting a Trac to run requires tweaking. Also after our production server hit the 10k-connection limit and we had to change to Nginx, I don't have any Apache daemons running. Given that constraint, I definitely need some tweaking of my own.
Software needed:
- Nginx, get my RPM from http://opensource.hqcodeshop.com/CentOS/6%20x86_64/Nginx/
- uWSGI, get my RPM from http://opensource.hqcodeshop.com/CentOS/6%20x86_64/uWSGI/
- Trac, get my RPM from http://opensource.hqcodeshop.com/Trac/
Setup:
Trac is built with Python, which is typically installed anyway. uWSGI is the glue between Nginx and a Python app. My uWSGI should run out of the box. It defaults to looking for Python apps in the directory /var/www/uwsgi/, so make sure to create the Trac parent file trac_env_parent.py there:
# -*- coding: utf-8 -*-
# file: trac_env_parent.wsgi
import sys
sys.stdout = sys.stderr
import os
os.environ['TRAC_ENV_PARENT_DIR'] = '/var/www/uwsgi/trac'
os.environ['PYTHON_EGG_CACHE'] = '/var/www/uwsgi/.egg-cache'
import trac.web.main
application = trac.web.main.dispatch_request
Also it is a good idea to make sure that the uwsgi user can write into the .egg-cache directory. Permissions should be:
drwxr-xr-x. 2 uwsgi uwsgi 4096 Jan 8 2012 .egg-cache
Then bind Nginx to the uWSGI app. In my case I defined a virtual host for that. Fragment of nginx.conf:
server {
listen [::]:80;
server_name my.trac.own.com;
location / {
include uwsgi_params;
uwsgi_pass 127.0.0.1:9001;
}
}
The file /etc/nginx/uwsgi_params is the one shipped in the default Nginx source. I didn't change anything in it.
After that it's only a matter of getting Trac properly configured with your DB backend and filesystem.
Dojo custom build
Monday, April 22. 2013
Dojo JavaScript framework has a nice system of packaging the library for your own app. During packaging you may minify the library, reduce the number of files being loaded and leave unnecessary parts out of it. However, ever since Dojo 1.7 the build system is pretty complex and documentation is almost non-existent. There is zero beginner documentation; the existing documentation is aimed at those who already know their way around.
The prerequisites for doing a Dojo build are Node.js and a Java runtime. The rumour is that the build would work with either one of those, but I most definitely cannot confirm that. My production and development boxes have CentOS 6.4, so initially I did not have either one of those installed. To comply with the requirements, I installed my own build of Node.js 0.10.4 and for Java OpenJDK 1.7.0 (the package is called java-1.7.0-openjdk in CentOS).
My CentOS 6 RPMs of Node.js are available at http://opensource.hqcodeshop.com/Node.js/ if you need them.
Then to the Dojo build. There are the IMHO crappy docs at http://dojotoolkit.org/reference-guide/1.8/build/. Most of the stuff I needed to figure out, I had to Google or look up from the source. When you unpack the source package you'll end up having a util/buildscripts/profiles/ directory, which does not exist in the release (minified) package.
A build profile is a kind of makefile. It instructs the build what to package and how. To my great surprise they changed the profile style and you'll find two different styles:
- Old style:
- dependencies = { /* A JavaScript object definition here */ }
- New style:
- var profile = (function(){ /* A JavaScript object definition here */ });
A standard Dojo release build is done with the profile named standard (no surprises there, huh?). The command for doing that would be, for example:
./util/buildscripts/build.sh profile=standard version=1.3.2-dev \
releaseName=dojo-release-1.3.2-dev cssOptimize=comments.keepLines \
optimize=shrinksafe.keepLines cssImportIgnore=../dijit.css action=release
I tried to emulate that with a new-style profile file of my own. The profile file has most of the command-line parameters in it, so running it is much simpler: copy the profile into the profiles directory and something like this will do:
./util/buildscripts/build.sh profile=Dojo-JaTu cssOptimize=comments.keepLines \
cssImportIgnore=../dijit.css action=release
There are a number of choices you can make in the profile; for example, you may choose not to minify it by changing the following:
mini: false,
optimize: false,
layerOptimize: false,
This produces a built but debuggable file which is much nearer to a release than the source package. You see, the build will replace a number of options with structures like
if (1) { /* then something */ }, which initially look strange, but in reality just reflect the hard-coded choices you made during the build. The release version will have those anyway, no matter which release version you use. Doing your own custom build, you'll have control over which parts of the code are in and which are out.
I still haven't grasped the "layer" concept fully. A layer is a single file containing a number of Dojo modules. Anyway, that definitely is something worth studying. It will yield much faster-loading web pages.
Trying to wrangle Dojo and struggling with its build system took me a nice working week. That was time well spent. Now I can make my own tailored Dojo-packages for a production site which loads really fast.
Internet Bad Neighborhoods
Sunday, April 21. 2013
Earlier I've studied Chinese domain name scams (part 1 and part 2).
A while ago I read about a study made by Mr. Giovane César Moreira Moura. Actually, the study is his PhD thesis and it is available from his page at the University of Twente, Netherlands. Anyway, he claims that roughly 50% of the crap in the Internet is originating from 20 rogue networks. He researched 42.000+ ISPs and found out that e-mail spam, scam attempts, etc. originate pretty much from the same places. He does not do much finger-pointing, but provides the idea of how to produce the results.
His study inspired me to investigate the origin networks of all the crap my honey pot was receiving and do some finger-pointing (I don't have any restrictions about that). My "honey pot" is a 20+ year old e-mail address. It is in every imaginable spammer/scammer/crap magnet list. My results are badly skewed: when it receives junk, I'll manually tag it and report it to SpamCop (a spam-protecting service owned by Cisco Systems, Inc.), eventually blocking the IP address as a spammer. Since the mail server uses the SpamCop blocking list I won't receive any more junk from that IP, which for studying spammers is not good.
There is a lot of evidence that most crap originates from hijacked computers, but not all. Some of the spam arriving to me originates from VPS boxes. I dunno if they are rented with real or stolen credit cards. Anyway, most spam I receive has some sort of forging attempt in the mail headers. So I'm utilizing tracing of the non-forged e-mail origin with SpamCop's reporting tool. In his thesis Mr. Moura writes that the ultimate origin is almost always not discoverable. Hiding one's real location is way too easy in the Internet. Closing the sending IP typically helps, but leaves the criminal unidentified.
Anyway, here's my list:
- 30, IRINN-BROADCAST-ADDRESSES, India
- 9, GOOGLE, USA
- 8, PAET-FSS-IMPLI-1, USA
- 5, FR-OVH, France
- 3, 66-132-128-0-NET, USA
- 3, EGIHOSTING-4, USA
- 2, 1AN1-NETWORK, USA
- 2, DROPBOX, USA
- 2, NLYR-ARIN-BLK5, USA
The number is the number of e-mails originating from that network, followed by the network name. The list was gathered during a 90 day period. In the list there were an additional 80 networks with only a single e-mail originating from them.
Most of the crap I receive originates from India. The 2nd biggest seems to be Google. Also the huge virtual server renting company OVH-net is in the 4th place. The others I cannot explain. Another conclusion I can draw from these is that the 20 worst networks are not the ones bothering me.
Windows 7 not staying in sleep-mode
Thursday, April 18. 2013
My gaming PC is a couple of years old and one day it didn't want to sleep anymore. Which is pretty weird. It has been working ok since I built it, but now something really weird happened. I Googled a couple of articles with the keywords "windows 7 random wake from sleep" to confirm that it's not just my hardware breaking down, but a real issue.
Normally I don't shut down my PC, I just let it sleep when not being used. It is a pretty modern piece of hardware and does not consume very much electricity during sleep. It also "boots" from sleep pretty fast on a mouse or keyboard click. My initial fix was to reboot it and shut it down, and even turn off the power supply to make sure it stays down. No matter what I tried, it just keeps popping up after a random period of time. It could be 15 minutes or a couple of hours.
Mr. Jack Ukleja found the actual reason for this behaviour. He has an excellent article in his blog. It appears that the network adapter's Wake on pattern setting caused this. He also describes a way to see why Windows was woken the last time. In my case Windows power configuration somehow gets it wrong. When I do a:
powercfg -lastwake
from command line, it gives me:
Wake History Count - 1
Wake History [0]
Wake Source Count - 1
Wake Source [0]
Type: Device
Instance Path: PCI\VEN_8086&DEV_1503&SUBSYS_849C1043&REV_05\3&11583659&0&C8
Friendly Name:
Description: Intel(R) 82579V Gigabit Network Connection
Manufacturer: Intel
... which most certainly is not the case here. I tapped a mouse button to wake this up.
Anyway, in his case he had a Realtek Gigabit Ethernet NIC and fixed the issue by disabling Wake on pattern in the NIC's advanced settings. Even though I have an Intel Gigabit NIC, I had to try the same. It helped. I don't know if it is a factor that in my PC there are two NICs and the other one is a Realtek Gigabit NIC. Anyway, now my PC is back in order. It stays asleep when I put it to sleep, the way it is supposed to.
Wuala (LaCie): Stop using the Java!
Wednesday, April 17. 2013
My cloud storage choice has been LaCie's (the hard drive company) Wuala. The main reason why I did choose Wuala is in their Privacy Policy:
2. Stored Content
Wuala encrypts all your files before they leave your computer. They are encrypted such that only you and those you have authorized can decrypt them. Even LaCie cannot decrypt them unless you have made them public or share them by secret weblink and access them with your web browser. In the latter case, the encryption key is temporarily sent to our web server as part of the URL for the purpose of serving the requested data.
They do exactly what Kim's MEGA does. They encrypt everything so that even they cannot access it (or at least that's what they claim to do; nobody has yet proven that wrong, though). That is: unless you choose not to encrypt the data, or publish the decryption key, but then it is another story.
The sad thing is that they use Java on client-side to do the access. Java Runtime has been described as a disease in an article in the Forbes magazine. They're right. It is a disease. In Wuala's own discussion forum there are a number of happy customers pleading to stop using Java.
What really pisses me off is that on my 64-bit Windows 7, the only reason to have a 32-bit JRE is Wuala. All my other software utilizes the 64-bit version I also have installed. Whenever a new JRE version comes out, I need to update both versions. Also I simply cannot use Wuala on all of my computers. For security reasons, I refuse to install Java Runtime into them.
Wuala: Stop using Java now! Please.
Linux 3.8 failing to operate as Hyper-V guest
Tuesday, April 16. 2013
Earlier I wrote about Hyper-V crashing with a BSOD. The entire project was doomed from the beginning. After I managed to get Windows not to crash, all I managed to do was get the Linux installer to hang whenever it attempted to do anything major on the hard drive. I configured Hyper-V to provide the hard drive from a .vhdx file, so I initially suspected that an old .vhd file might help, but no, nothing helped. Any minor operations succeeded, but any sort of normal usage made Linux hang.
Symptoms include:
- Console message: "INFO: task jbd2/sda blocked for more than 120 seconds" and instruction to deactivate the warning with:
echo 0 > /proc/sys/kernel/hung_task_timeout_secs
- Repeated "Sense Key" messages in dmesg.
- No change in /sys/block/sda/stat:
- Kernel documentation about block-device stat says that columns 3 and 6 contain the number of sectors read and written.
- In my hung box, the values don't increase.
I was puzzled about this for a very long time. It took me several hours to bump into the Linux-SCSI mailing list's discussion about the issue. There Mr. Olaf Hering describes an issue "storvsc loops with No Sense messages".
Luckily Mr. Hering realized what's going on and made a patch to fix the problem. Unfortunately the fix is not yet pushed into the mainstream Linux kernel.
Since I was about to install ArchLinux, I took the trouble of compiling the necessary kernel module, hv_storvsc.ko, for the following kernel versions:
- 3.8.4, used in installation ISO-image:
- SHA-1 sum: 74d2a5de73a4c7d963b649eb34b171eba86a268c
- 3.8.6, the version that got installed when I got my install done:
- SHA-1 sum: 57a4216fc6749085820703d47cd87dcce47b1739
- 3.8.7, the version that it upgraded into when I did a system update:
- SHA-1 sum: 3f8757ab69c97a6389c7c83a8ef57f16e9caa85d
All of the packages are available for you to download at http://opensource.hqcodeshop.com/ArchLinux/2013.04.01/. The only trick is to get them replaced in the initial RAM-disk image. I just replaced the original file at /usr/lib/modules and re-ran the mkinitrd command.
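The /sys/block/sda/stat check from the symptom list above, as an added Python example that is not part of the original post: it parses two samples of the stat file, compares the sectors-read and sectors-written columns, and separates a genuinely stalled disk (requests in flight, counters frozen) from one that is merely idle. The sample lines are constructed, not captured from the hung guest.

```python
import time
from pathlib import Path

# Added example, not from the original post: apply the /sys/block/<dev>/stat
# check the post describes (columns 3 and 6, sectors read and written, stop
# moving on the hung guest) and tell a stalled disk apart from an idle one.

# Field order as documented in Documentation/block/stat.txt of the kernel tree.
FIELDS = ("reads", "reads_merged", "sectors_read", "ms_reading",
          "writes", "writes_merged", "sectors_written", "ms_writing",
          "in_flight", "io_ticks", "time_in_queue")


def parse_stat(line):
    """Turn one stat line into a dict. Newer kernels append discard and
    flush fields after these eleven; they are ignored here."""
    values = line.split()
    if len(values) < len(FIELDS):
        raise ValueError("unexpected stat line: %r" % line)
    return dict(zip(FIELDS, (int(v) for v in values[:len(FIELDS)])))


def io_progress(before, after):
    """Compare two samples of the same device.

    'progress': sectors moved between the samples.
    'idle':     nothing moved and nothing is queued, a quiet disk.
    'stalled':  nothing moved although requests are in flight, which is
                the signature of the storvsc loop the post ran into.
    """
    b, a = parse_stat(before), parse_stat(after)
    delta_r = a["sectors_read"] - b["sectors_read"]
    delta_w = a["sectors_written"] - b["sectors_written"]
    if delta_r < 0 or delta_w < 0:
        raise ValueError("counters went backwards; samples out of order?")
    if delta_r or delta_w:
        status = "progress"
    elif a["in_flight"] > 0:
        status = "stalled"
    else:
        status = "idle"
    return {"status": status, "sectors_read": delta_r,
            "sectors_written": delta_w, "in_flight": a["in_flight"]}


def watch(dev="sda", interval=10.0):
    """Sample the live counters twice, `interval` seconds apart."""
    stat = Path("/sys/block") / dev / "stat"
    before = stat.read_text()
    time.sleep(interval)
    return io_progress(before, stat.read_text())


# Constructed samples (not real captures from the guest).
SAMPLE_BEFORE = "1234 56 98765 4321 789 12 65432 9876 0 5000 14000"
SAMPLE_HEALTHY_AFTER = "1300 60 103000 4500 820 14 70000 10100 1 5200 14500"
SAMPLE_HUNG_AFTER = "1234 56 98765 4321 789 12 65432 9876 3 5000 14000"

if __name__ == "__main__":
    print("healthy:", io_progress(SAMPLE_BEFORE, SAMPLE_HEALTHY_AFTER))
    print("hung:   ", io_progress(SAMPLE_BEFORE, SAMPLE_HUNG_AFTER))
```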
Fedora 17: Ethernet interface lost
Monday, April 15. 2013
There was an update to my Fedora 17 Linux and among other things, I got a new kernel. I didn't notice it at the time, but the reboot ate one of my Ethernet interfaces. There are two NICs on the motherboard, but on top of those, I have an Intel multi-port NIC. So in the end, there are more than the usual dose of ports.
Traffic to one particular LAN didn't function and I started to investigate:
# ifconfig -a
...
rename5: flags=4098<BROADCAST,MULTICAST> mtu 1500
ether 90:e2:ba:1d:33:f1 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0xfe7e0000-fe800000
Well... I don't remember which one of my Ethernet-ports was rename5 after installation. Typically they are something like eth0, eth1 and so forth. Modern Linuxes tend to add more complexity with names like p2p2 or so, but I've never seen rename5-type naming.
From that I concluded that udev goofed up something. Fedora 17 does not create the /etc/udev/rules.d/70-persistent-net.rules file which would solve my problem. A lot of Googling later, I found this page; it contains a very useful Perl script to dig out enough system information and report it in udev-compatible format. In my case it yields:
# perl /root/bin/write_udev
...
# Added by 'write_udev' for detected device 'rename5'.
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="90:e2:ba:1d:33:f1", NAME="rename5"
I created the persistent rules file and added the above into it. I just edited the NAME part and renamed the interface properly.
Getting the rules to take effect was a bit tricky. None of these worked:
udevadm trigger
udevadm control --reload-rules
udevadm trigger --attr-match=address='90:e2:ba:1d:33:f1'
udevadm trigger --sysname rename5
The trick was to get the full path with the udevadm trigger --verbose --sysname rename5 command and use the test command with the full path:
udevadm test --action=add /sys/devices/pci0000:00/0000:00:06.0/0000:02:00.1/net/rename5
Then I got my new rule to take effect immediately and my interface up and working.
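An added example, not the Perl script the post links to: a small Python helper that emits a 70-persistent-net.rules line in the same form as the one above, validating the MAC and the new interface name first, plus a wrapper that reads the MAC of a live interface from sysfs. The MAC in the sample is the one from the post; the sysfs location /sys/class/net is assumed.

```python
import re
from pathlib import Path

# Added example, not the post's Perl script: build a persistent-net rule
# line after checking the inputs, so a typo in the MAC or a name the kernel
# rejects does not silently produce a rule that never matches.

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
IFNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")   # IFNAMSIZ is 16 incl. NUL


def udev_net_rule(mac, name):
    """Return one rule line in the form the post's write_udev script emits."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError("MAC must look like aa:bb:cc:dd:ee:ff: %r" % mac)
    if int(mac[:2], 16) & 1:   # I/G bit set: multicast/broadcast, never a NIC
        raise ValueError("group address cannot identify a NIC: %r" % mac)
    if not IFNAME_RE.match(name) or name in (".", ".."):
        raise ValueError("bad interface name: %r" % name)
    return ('SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", '
            'ATTR{address}=="%s", NAME="%s"' % (mac, name))


def rule_for_iface(iface, new_name, sysfs="/sys/class/net"):
    """Read the MAC of a live interface from sysfs (assumed layout).
    Virtual interfaces have no 'device' link and no stable hardware
    address, so they are refused rather than pinned to a rule."""
    p = Path(sysfs) / iface
    if not (p / "device").exists():
        raise ValueError("%s has no backing device" % iface)
    return udev_net_rule((p / "address").read_text(), new_name)


def rules_file(mapping, sysfs="/sys/class/net"):
    """mapping: {current iface: wanted name}. Returns the rules file text."""
    lines = ["# persistent net rules generated from sysfs"]
    for iface, wanted in mapping.items():
        lines.append("# %s -> %s" % (iface, wanted))
        lines.append(rule_for_iface(iface, wanted, sysfs))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The MAC from the post's rename5 interface, given a proper name.
    print(udev_net_rule("90:e2:ba:1d:33:f1", "eth4"))
```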
AbyssGuard 1.7.7 PHP source code de-obfuscated
Thursday, April 11. 2013
"Project Honey Pot is the first and only distributed system for identifying spammers and the spambots they use to scrape addresses from your website." (Direct quote from their website.)
Utilizing the results from the project is pretty straightforward, just get an existing library and start using it to check incoming IP-addresses. One of the PHP-libraries is AbyssGuard. It is distributed under GPLv3 for personal use. Being an open-source fan I naturally like to exercise my GPLv3-given right to modify and distribute modified copies of the original work.
However, in this case the author chose not to distribute the source code. WTF?! It appears that the only format he chose to distribute the project is in obfuscated code. I don't much care about PHP's eval()-function and like to configure my PHP with disable_functions=eval whenever possible, so this piece won't even run on my box.
I did the only reasonable thing an open-source loving PHP-coder would do. I de-obfuscated the code and distributed it on my site with appropriate GPLv3-required notification about it. So feel free, it is at http://opensource.hqcodeshop.com/AbyssGuard/ for you to get it.
Linux guest running on Hyper-V crashing with IRQL LESS OR NOT EQUAL
Wednesday, April 10. 2013
Since most modern Intel CPUs have VT-x in them and Windows 8 Pro has Hyper-V in it, I had to make use of the combo on my old laptop. It has an i5 mobile CPU which puts it on the less powerful end of CPUs. But the simple existence of a possibility of running Linux on top of a Windows laptop makes me want to try it.
I added the Hyper-V feature into my Windows. I started the Hyper-V Management Console, added a virtual network switch and created a new virtual machine. It booted into Linux installer and the entire Windows crashed with a blue-screen-of-death. WTF?!
After a number of attempts at tweaking the Hyper-V settings, to no avail. Every attempt to actually do anything reasonable in the guest system yielded a BSOD. A couple more futile attempts on the command line indicated that it had to have something to do with networking.
Next day I managed to Google my way into one discussion thread on Microsoft's social forums. There another unfortunate user is experiencing the same symptoms as me. Unlike his Windows 7, on my Windows 8 BSOD there isn't much of a stack trace or any usable information. But I had to try something, so I took an Ethernet cable and plugged it into my laptop and reconfigured the Hyper-V virtual switch not to use the Intel Centrino 6200 WLAN, but a 1 Gbit/s Realtek port. That did the trick! Apparently some network drivers are not Hyper-V compatible. I don't know how to tell the difference between a functioning and a non-functioning driver, but it is there.
There seems to be some sort of issue with the hard drive, but that's another story ...
Mac OS X Dolby Digital 5.1 with Mac Mini [Not solved]
Tuesday, April 9. 2013
Update 30th Dec 2013:
Anything I say below is subject to debate. This issue is not clear, see the new article about Mac Mini HDMI Dolby Digital audio output.
My mini is mainly for entertainment purposes and I chose to use it in the living room. That should be an easy setup, right? Just plug the HDMI output of the mini into my Yamaha amp which is connected to my Sony TV and everything will work out just fine. No.
The video signal passes through the amp and the TV displays it as supposed, in the correct resolution and frame rate. No glitches there. But the audio signal has issues: there were only a disappointing two channels. I was expecting to see 5.1 channels as my Yamaha amp has been set up already.
First I confirmed that my Mac Mini supported multichannel output (2 channels as stereo is not multi). There is no adapter in my setup (About Mini DisplayPort to HDMI adapters @ Apple support), so initially I had to assume that the HDMI port supports multichannel audio since my model is newer than mid 2010, and newer than early 2009 with an adapter. To my understanding 2009 is the point where multichannel audio was possible without 3rd party add-ons. Anyway, I'm way above that line and should have the support.
Apple support forums have a vast number of discussion threads about getting 5.1 sound. It is apparent that, for some reason, this is a problematic issue. I'm saying that the reason is: it does not work out-of-the-box, as most Apple fans are used to everything doing in the Apple-land.
After numerous failing attempts I finally managed to get my setup working. At one point I realized that my mini is displaying audio status based on my TV, which obviously can produce only stereo sound. There is the amp in the HDMI chain, and the mini should detect audio by that. When I enable multichannel output from OS X:
... my amp does not reflect the change. It still displays the input signal as stereo. This is not typical behaviour. My amp correctly detects the type of the audio signal on all of my other devices. The fact that I missed was that I can force the amp to do a 7-channel signal:
... then 5.1 sound works perfectly.
Testing that everything works ok is very simple: in the MIDI sound app there is the test button. Once each channel produced sound correctly, I downloaded a couple of movie trailers from http://trailers.apple.com/ and verified that all was as it was supposed to be.
Hope this helps somebody struggling with multi-channel issues.
Experiences on running Acronis True Image 2013
Monday, April 8. 2013
This is a follow up on Windows Backups -article I wrote earlier.
I've been running Acronis on daily basis on a couple of Windows-machines to take a backup into a NAS-box. I have been mostly happy with the software, but ... Here is my grievance list:
- Consolidation: Completely worthless! A number of users according to Acronis' forums are having problems with it. The recommended approach is not to use it. See: 36241: Consolidation Process Hanging. There was an occasion when I waited for 30+ hours for the consolidation to complete. It did, but come on! 30 hours to copy 80 GiB of data! In a best-case scenario it does really weird things, aborting with no obvious reason and leaving temp files lying around.
- Laptop backup: Works ok when the destination NAS box is reachable, completely worthless when not. There is NO way to cancel the job besides holding down the power button (my laptop does not have a reset). I spent roughly an hour trying to cancel / kill / nuke / stop a backup job which was failing to write a backup for the obvious reason that the destination drive was not there to be written into. It shouldn't be too hard to automatically abort a backup job when the network connection is not there. This is the worst issue I've been experiencing.
- NAS drive not found: This happens occasionally on a laptop, but not on a desktop PC. The problem is a weird one. Every possible test I do from TrueImage or Windows Explorer indicates that everything is there and accessible, but the job does not see that for some unknown reason. This can be circumvented with a cancel job / start job pair. Sometimes a previous, already existing backup needs to be pointed out manually to ATI. I don't know why it lost the connection with a file which has existed since ATI wrote it.
- Support period: Pretty short for a new user. A couple of weeks or so. I got my product installed and running, but when there were real issues (see above), the support was already gone.
I've been looking for any suitable competing products, but apparently there are none available. The lack of a better backup solution leaves me running Acronis TI. This is pretty close to a good product, but apparently the developers cannot be bothered with these types of easily fixable minor issues.
CentOS 6.4 SSD RAID-1 /w TRIM support
Tuesday, April 2. 2013
The short version is: it does not work.
Having an SSD is feasible in the long run only if there is a possibility of the operating system informing the drive that an entire drive block (typically 16 KiB) can be erased. The openSUSE wiki has the following quote in it: "There are three terms often used to interchangeably describe this same basic functionality: Discard, UNMAP, and TRIM." This discard is possible only when there are no operating system sectors (typically 512 bytes) in the drive block.
Here is what I tried to do: I installed two Intel® Solid-State Drive 520 Series drives into my server and tried to see if RedHat-based CentOS 6.4 has enough backported bits & pieces to support RAID-1 /w TRIM.
The drives are fine and kernel TRIM-support is there:
hdparm -I /dev/sda | fgrep -i trim
* Data Set Management TRIM supported
* Deterministic read after TRIM
My initial attempt had a GPT partition table with a single RAID partition on it. The command I used is:
mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sda1 /dev/sdb1
I created EXT-4 on top of md0:
mkfs.ext4 /dev/md0
and mounted it:
mount /dev/md0 /mnt/tmp/ -o discard,noatime,nodiratime
The discard-support is in the kernel ok:
mount | fgrep md0
/dev/md0 on /mnt/tmp type ext4 (rw,noatime,nodiratime,discard)
The next thing I tried to do is confirm if TRIM does work either automatically or as a batch job. I followed instructions from this blog entry and tried to run hdparm --fibmap on a newly created file. It failed with a segfault. Apparently that is a known issue, so I ended up packaging the latest version myself. My own RPM-package is available at http://opensource.hqcodeshop.com/CentOS/6%20x86_64/hdparm-9.43-1.el6.x86_64.rpm.
With latest hdparm 9.43 I could verify that FIEMAP (file extent map) ioctl() does not return correct results on a soft-RAID-1 device. The LBA-sector given by hdparm does not seem to contain the file's data.
My next attempt was to tear down the existing md0 and re-build it using entire drive as RAID-device.
mdadm --stop /dev/md0
mdadm --zero-superblock /dev/sda1
mdadm --zero-superblock /dev/sdb1
mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sda /dev/sdb
mkfs.ext4 /dev/md0
mount /dev/md0 /mnt/tmp/ -o discard,noatime,nodiratime
I ran the same test, but this time hdparm --fibmap informed me that it failed to determine the drive geometry correctly. A short peek into the source code revealed that the current version of hdparm works only with partitions. It tries to load the RAID partition's start LBA even if it is not located on a partition. I made a quick fix for that; it turned out that /sys/block/md0/md/rd0/block has DEVTYPE=disk or DEVTYPE=partition to indicate the base drive type.
Nevertheless, it did not help. fibmap does not return the correct LBA-sector. I loaded a Bash-script to do the manual TRIMming of a SSD-RAID-1, but it only confirmed what I already knew. The LBA-mapping does not work enough to see if discard works or not.
Currently I don't have anything on my RAID-1, I'll have to see if it is possible to get the discard working somehow. A newer Linux might do the trick.
Open recursive DNS-resolvers
Tuesday, April 2. 2013
Since the enemy had some help, what happened next was Spamhaus joining forces with Cloudflare, a company specializing in mitigating the effects of a DDoS-attack. What happened at the end of March 2013 has been described as "The DDoS That Almost Broke the Internet" by Cloudflare blog.
The spam-blocking service Spamhaus is providing technically works on top of DNS. Anybody running a receiving mail server can configure it to check the connecting client's IP address with a simple DNS query returning funny-but-pre-determined names as an answer, to determine the "spamminess" level of the connecting client. The judgement of who is a spammer and who is not is made solely by Spamhaus. That's what the dispute between them and Cyberbunker is all about.
As described by Cloudflare, technically Cyberbunker's (alleged) DDoS works by amplifying an incoming 36-byte UDP packet containing a valid query for RIPE.net's zone 100-fold. There are at least 30.000 open DNS servers responding to recursive queries. All they have to do is spoof the original UDP packet's sender IP to Spamhaus's and they have harnessed a huge Internet traffic amplification machine targeting a single IP address.
Since I myself am running a couple of DNS boxes, I wanted to re-verify my servers, that they cannot be used for such activity. I googled some and found The Measurement Factory's Open resolver test. That appears to be a piece of crap. You punch in an IP address and get open/closed status as a response. You can enter any invented IP address to get the closed verdict. WTF?!
The second thing I found is much more convincing: Open DNS Resolver Project. The problem with that one is that they just crawl the Net and try to find open DNS servers. For example my boxes were not listed. Not as open, closed or existing. They don't publish information about properly configured DNS servers. It still leaves the original question unanswered: can my DNS server be used for attacking the innocent or not?
Here is my answer to the problem: http://opensource.hqcodeshop.com/DNStest/dnstest-cgi.pl
It caches the result of any query for 24 hours, and cannot be used for bullying somebody. That feature I simply stole, er, copied from The Measurement Factory. It's fully written in Perl and even the source code is available for you to get.
Initial feedback after putting the thing on-line was to support FQDNs. The answer is NO. My thing won't do any unnecessary DNS-requests, if possible. But if you have any other suggestions, please drop a comment.
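The core of the check such a CGI performs, written here as an added Python example (not the Perl source linked above): it builds a DNS query with Recursion Desired set, reads the RA flag, RCODE and answer count out of the reply to decide whether the server recursed for a zone it does not host, and reports the byte amplification the post talks about. The wire samples are constructed; the live probe is meant for a resolver you operate.

```python
import random
import socket
import struct

# Added example, not the post's own Perl CGI: query a resolver with RD set
# and judge from the reply whether it recurses for a zone it does not host,
# plus how much larger the reply is than the question that provoked it.

QTYPE_A, QTYPE_ANY = 1, 255


def build_query(name, qtype=QTYPE_A, qid=None, rd=True):
    """Serialise a one-question DNS query in RFC 1035 wire format."""
    if qid is None:
        qid = random.randrange(0x10000)
    flags = 0x0100 if rd else 0x0000                 # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN


def parse_header(msg):
    """Decode the 12-byte header into the fields the verdict needs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify(query, response):
    """Verdict for one query/response pair.

    open_recursion: the server advertises RA and returns a successful,
    populated answer for a name outside its own zones. REFUSED (rcode 5)
    or a referral (RA clear, no answer records) means it does not recurse
    for strangers. amplification: reply bytes per query byte, i.e. what a
    spoofed victim receives for each byte the attacker sends.
    """
    h = parse_header(response)
    if h["id"] != parse_header(query)["id"] or not h["qr"]:
        raise ValueError("response does not belong to this query")
    h["open_recursion"] = bool(h["ra"] and h["rcode"] == 0 and h["ancount"] > 0)
    h["amplification"] = len(response) / len(query)
    return h


def probe(server, name="ripe.net", qtype=QTYPE_A, timeout=3.0):
    """Send one query over UDP to a resolver you operate and classify it."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    return classify(q, resp)


# Constructed wire samples for offline use (ripe.net, type A, id 0x1234);
# 192.0.2.1 is documentation address space, not RIPE's real record.
SAMPLE_QUERY = bytes.fromhex(
    "1234 0100 0001 0000 0000 0000"             # header, RD set
    "04 72697065 03 6e6574 00 0001 0001")       # ripe.net IN A
SAMPLE_OPEN_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"             # QR RD RA, NOERROR, 1 answer
    "04 72697065 03 6e6574 00 0001 0001"
    "c00c 0001 0001 0000012c 0004 c0000201")    # name ptr, A, TTL 300, 192.0.2.1
SAMPLE_REFUSED_RESPONSE = bytes.fromhex(
    "1234 8105 0001 0000 0000 0000"             # QR RD, RCODE 5 (REFUSED), RA clear
    "04 72697065 03 6e6574 00 0001 0001")

if __name__ == "__main__":
    for label, resp in (("open", SAMPLE_OPEN_RESPONSE),
                        ("refused", SAMPLE_REFUSED_RESPONSE)):
        v = classify(SAMPLE_QUERY, resp)
        print("%-8s open_recursion=%s amplification=%.2f"
              % (label, v["open_recursion"], v["amplification"]))
```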