May Weather

It’s time for the annual proof that god favors left over right, but this time it’s not that easy for him.

Some background: traditionally, the social democrats (which used to be called socialists) hold a rally on May 1st on the Vienna Ringstrasse. Over the last years, that has been more and more a relic of old times: various delegations of workers, unions, retirees clubs and whatnot else affiliated with the SPÖ marching and showing flags. Of course there are speeches, the (traditionally red) major and (if they are lucky) their own federal chancellor rally their people. After the official part, there is a big party in the Prater, with music for all tastes (incl. western&country (complete with line/square-dancing)). That’s usually very nice: the chestnut trees are in full bloom and …

… the sun shines. Always.

The major right-wing party also organizes annual festivities some other days in May: they hold in the the center of the city, complete with music and other attraction. But ..

… the weather sucks. Always.

So this year they are going for something new: They scheduled their Stadtfest for May 2nd – 4th. I see this as a challenge for Petrus: can he turn around the weather in just one night?

Oh, and there is another data-point regarding god’s political stance: The communist’s “Volksstimmenfest” also gets doused in rain every year.

[UPDATE, May 1st]

The ÖVP’s jinx worked, we didn’t have the usual bright day, there even were a few drops of rain. Let’s see what tomorrow will be like.

[UPDATE, May 3rd]

Well, well, well. It looks like the ÖVP got the better wetter this year. Will pigs fly next year?

Fun with conditional probabilities

Yes, mathematics is sometimes hard to understand. Probability theory is a prime candidate where “common sense” might mislead you. And once you venture into conditional probabilities (“given A is true, what’s the probability of B being true as well?”) things get tricky.

A good example is the following statement: “The orbit of our earth so incredibly fine tuned to the requirements of intelligent life, that this is a strong indication that a higher being was involved.”

This may sound reasonable at first glance, but it’s completely wrong. Let me rephrase the statement to make this clear:

“What is the probability that the environment here on earth is suitable for the development of life, given the fact that this question is asked by a person whose species evolved here on this planet?”

The answer is 1 (100% probable).

Or in other words, if the environment here on earth were hostile to us, we wouldn’t be here to ask this question. And indeed, there are billions of planets, where nobody is asking this question.

So no, these considerations do not provide an argument regarding the existence of god.

(Btw, the same reasoning applies to arguments concerning the fundamental constants of this universe. In that case, you just need to assume an infinite number of universes with varying parameters, as a number of physicists postulate.)

DNS: What to do if the sky is falling?

Having been treated to another iteration of “we need to deploy DNSSEC, otherwise DNS will fall apart due to rampant forgeries” talk recently, I started to think what other options resolvers have to protect themselves. See also bert’s draft.

First of all, is it possible to implement a successful forgery attack without the client noticing that anything is wrong? IMHO not. Most scenarios assume that the attacker sends a burst of forged replies to the recursor in the hope of hitting the right query-ID before the real answer arrives. So, even with a successful attack a lot of answers with mis-matched ID will arrive (and be rejected) before the forgery actually succeeds.

This spike in ID mismatches towards a query should tell the recursor that something fishy is going on. TODO: Instrument bind/powerdns/… to actually log such ID mismatches.

If this works, then the 99.9999% percent of normal DNS lookups which are not targetted by a forgery attack can continue without modification. The only question now is: what can a resolver do if he has a clear suspicion that he is the target of a DNS forgery attack?

There is a trivial solution: Redo the query a few times, preferably utilizing all authoritative servers.

Let’s do some simple math: assume that the forger has a 1% chance of a successful spoofing attack. What are his chances if the recursor only accepts the answer if he got the same data from n queries?

n = 2: 0.01 % chance
n = 3: 0.0001 % chance

That doesn’t sound so bad, does it? The downsides sound rather minimal: no impact on queries which are not target of an attack, a few more requests during an attack and a slight delay (sequentially querying! You can’t do that in parallel.) before answering back to the client.

A few optimizations come to mind: Bert’s draft mentions a few other options, e.g. source port (or even IP address) variability. These come with some added cost, so perhaps they could be utilized just for these cases.

What did I miss?

[Update: 2008/04/22]

After a chat with Klaus and Alex, two new thoughts on this:

  • There might be legitimate cases where multiple queries might give varying results. E.g. global load-balancing like Akamai or This might break the “ask multiple times and check for consistency” idea.
  • Another option is the following: if a forgery attack is detected, simply switch to TCP for this query / target nameserver.

SPIT: Where do we stand?

SPAM over Internet Telephony (SPIT) is a strange beast: Everybody knows it is a threat, but in real life SIP installations, it has hardly been observed. In other networks it is not uncommon, Skype needs to police its users to get a grip on abuse, and all Instant Messaging networks have to deal with IM spam, and once they offer voice capability, SPIT as well.

So, SPIT over SIP hasn’t been a problem so far. After all, there are millions of SIP devices out there replacing PSTN phone service. Why?

  • In many end-user installations, SIP is just a replacement for the old analog last-mile technology. There may be SIP accounts provisioned into these devices (ATAs, hardphones), but the user does not see them. Nor do they know their own SIP AoR. None of the people calling them knows their SIP AoR. It wouldn’t help them anyway, as these networks are usually not reachable via SIP from the Internet
  • The same is true for IP enabled PBXs: They talk SIP on the inside, and maybe to other
    PBXs in other offices of the same company (usually via some QoS-enabled VPN). In rare cases, people build SIP trunks to upstream carriers or even establish manual cross-links to the PBXs of other companies.
  • Fully-featured SIP installations which implement inter-domain SIP routing as standardized by the IETF in RFC 3263 are the exceptions. They are the enthusiast’s Asterisk installations, some enterprising VoIP operators (perhaps even using User-ENUM) and that’s it.

Summary: the vast majority of SIP devices out there is not reachable over the public Internet.

Corrolary: There is no SPIT problem, as the target audience is too small to make SPIT profitable.

This is some sort of vicious circle: Operators don’t want to open up their SIP ingress elements, because they fear SPIT. On the other hand, it is hard to build defenses against SPIT, whose characteristics and weak points you don’t really know. And it is completely impossible to prove that certain clever anti-SPIT measures work if you can’t test them in practice.

There has been no shortage on clever ideas concerning SPIT defenses. Academic papers galore, internet drafts, and even products claiming to solve the problem.

We are still in the same vicious circle.

Will RUCUS help?