µBlock, a lean and fast blocker

Discussion in 'other software & services' started by gorhill, Jun 23, 2014.

  1. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    717
    I now uploaded a small Linux command-line helper utility to scan CNAMEs from a given list of subdomains.
    Code:
    https://www.orwell1984.today/cname/dnsdiag-1.0.tar.xz
    And the usage instructions:

    Code:
    https://www.orwell1984.today/cname/README_dnsdiag.txt
     
  2. Geoffrey Frogeye

    Geoffrey Frogeye Registered Member

    Joined:
    Dec 12, 2019
    Posts:
    4
    Location:
    France
    Hi, I'm the maintainer of the list at https://hostfiles.frogeye.fr.
    I've been watching this thread for some time, but I was unable to register for some reason, it's all fixed now.

    @Yuki2718 I'll be adding trck.a8.net and ebis.ne.jp to my list too if you don't mind.
    Thanks for the finding!
    I'm also collecting metadata about the trackers, do you have some example of websites using them in production?
    I've been unable to get a website supposedly embedding those trackers to make a request to the CNAME'd domain.
    Maybe you need to do a specific action or it just doesn't load from Europe?

    Yes, that's something I've also noticed, and took into account for my list.
    That was the hard part (especially since unlike you I don't have the disk space to fit the whole Rapid7 dataset on my server ;))

    They're already very creative believe me.

    Some skip the CNAME step completely and make `xyz.example.com` point directly to an IP address.
    Fortunately most of the companies doing that currently run their own AS so I just had to block IP ranges from A records.
    Some don't but betrayed their IPs by their PTR (or reverse DNS) records.
    I took that into account too but honestly I don't expect this to work very long since those records are mostly aesthetics.

    Aaaand some trackers hide themselves within "legitimate" services, such as cloud providers.
    Like TraceDock, whose `xyz.example.com` points directly to an AWS load balancer.
    In this case it's possible to identify all of them since the two load balancers are only used for tracking, but this is the least stable blocking technique so far.

    I didn't investigate into that since no dataset is available, but I expect NS delegation to be a thing too.
    Combined with fast changes of the `xyz` part, that could be the end of Stefan's and my lists.
    uBlock would be fine though, with some changes.
     
  3. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,892
    @Geoffrey Frogeye
    Welcome to Wilders! I don't mind and don't claim any kind of copyright, but maybe you need permission of Stefan too. So far I haven't found any actual hit, but ofc I'm not watching all the requests on daily browsing nor browse w/ uBO logger opened. Besides,

    1) ebis.ne.jp is relatively minor tracker that it's not easy to find even when non-CNAME, usually they're on affiliated links so not automatically loaded (require a click).

    2) a8.net is major, but mostly on mobile sites. I confirmed at least their ads (not tracker, and non-CNAME) will be loaded when accessed from France. Here's an example link that you'll see a8.net only on mobiles tho in some cases they appear on PC sites too.
    https://chatlady-work.jp/279/

    [EDIT] As they should be 1st-party tracker, I'll visit some of the domains on the lists later.

    Thanks for excellent explanation, it seems I have many things to learn. I've also been seeing ads & trackers in Amazon AWS, Cloudfront, etc. but didn't know this is now combined w/ CNAME.
     
    Last edited: Jan 6, 2020
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,794
    Location:
    Under a bushel ...
    This stuff is beyond me, but I do have the list added to uBO (+Stefan's list, still showing 57 / 789).

    Welcome @Geoffrey Frogeye - always good to have devs, originators, etc. here.
     
    Last edited: Jan 6, 2020
  5. Bertazzone

    Bertazzone Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    259
    Location:
    Wonderland
    It's a never-ending game between trackers and users.

    Absolutely!
     
  6. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    717
    Welcome to Wilders Geoffrey!

    Well, to tell the truth...my poor little server is very stuffed now.
    Had to compress that cname dataset on my work machine and upload it. I wish that I could upload more stuff there ...

    If they start to use reverse proxies then all hell is loose. :eek:
     
  7. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    717
    No worries Yuki. :)
    No permission needed for any of those tracker lists from my part.
    After all, they are just extracted from rapid7 dataset that is public domain.
     
  8. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    717
    Updated version 1.1 of dnsdiag
    Code:
    https://www.orwell1984.today/cname/dnsdiag-1.1.tar.xz
    Next stop: Handling multi-chain CNAMEs, DNS-over-TLS and some other stuff
     
  9. Geoffrey Frogeye

    Geoffrey Frogeye Registered Member

    Joined:
    Dec 12, 2019
    Posts:
    4
    Location:
    France
    Thanks for the warm welcome everyone!

    I did credit you in the README though.

    I'm not using Stefan list (well, not anymore, I did temporarily in the past for comparison, as he noticed :) ) to generate mine, so it should be fine.

    I could not get my web browser to act closely enough as a mobile device to trigger any request. I'm not good with this, that might be why :isay:. I'll try on a proper mobile device when I fix my smartphone one day.

    What are those numbers by the way? When I add Stefan's `eulerian.net.txt` I get "789 used out of 789" in the "Filter lists" tab of µBO, is this related? If so, why is yours so low?

    I'm curious, are you using this to generate your list? Since you're storing the whole Rapid7 dataset why don't you lookup the entry in the file since it's sorted? By the way, did you know about massdns?


    Remember when I said reverse DNS was the least stable method of first-party tracker identification? Today a user reported a false positive on mitsubishicars.com. Turns out the IP serving the website has a reverse DNS report.mitsubishicars.com, report.mitsubishicars.com itself being an omtrdc.net tracker, although served from another IP. I can only picture the poor network administrator tasked to add a CNAME redirection cluelessly filling the reverse DNS input field instead :D (I've thus removed all the hostnames found by reverse DNS, which isn't a lot).
     
    Last edited: Jan 7, 2020
  10. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,381
    Location:
    .
    FWIW ~ added 'eulerian.net.txt' in Firefox ... as test.
    png_3690.png
    after Purge and Update
    png_3691.png
    .
    Edit: added 'eulerian.net.txt' in Chrome ... as test.
    before n' after Purge and Update
    png_3696.png
     
    Last edited: Jan 7, 2020
  11. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    592
    Location:
    Far East
    Hi

    For Stefan's `eulerian.net.txt`

    In Firefox for android I'm getting 789 out of 789

    But in Kiwi browser (a chromium fork) I'm only getting 19 out of 789

    Both have been purged and updated
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,366
    Location:
    Among the gum trees
    I can't download the list from
    Code:
    https://www.orwell1984.today/cname/eulerian.net.txt
    uBO gives me a network error.

    I have subscribed to Mr Frogeye's list, do I need the other too?
     
  13. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,646
    Location:
    Location Unknown
    That depends on the other lists you have added. Not all the filter entries will be used if they are repetitive; used in other lists.
     
  14. Bertazzone

    Bertazzone Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    259
    Location:
    Wonderland
    @Geoffrey Frogeye @Stefan Froberg @n8chavez

    I get a similar variance between Firefox and EdgeChromium/Brave. The variance is the same for all Stefan's lists vs Geoffrey's. Same filters all browsers. The "why" is above my pay grade. :)
     
  15. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    717
    No, it was meant as a general helper utility. Independent of rapid7 dataset.
    So if you have a bunch of subdomains (other than that rapid7 dataset which I filtered & sorted)
    you could use it to check the cnames.
    Thanks for the tip, I'll try massdns.
     
  16. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    717
    It could be because of my firewall.....I get insane amounts of masscan attempts lately.
    So somebody must have quite a big tube and resources because that tool is not something that
    normal VPS or even dedicated server data center hosters look nicely.....
    Also, I kinda blocked the whole Australia too after they passed the insane anti-encryption law ....

    I think Frogeye's list has all the stuff now
     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,366
    Location:
    Among the gum trees
    Ah, well that could be it then.
    Okay, no worries.

    Thanks! :thumb:
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,794
    Location:
    Under a bushel ...
    I subsequently got 789 out of 789.
     
  19. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    717
    Okay, I tried the massdns now.
    First, the 350 000 names per second seems insane but on closer inspection
    I found out the following:

    - It uses several DNS servers at once. dnsdiag uses only one
    - Its default concurrent lookups is 10 000. dnsdiag uses only one per list it's fed.
    - It uses custom stack-based DNS implementation (?). I'm not exactly
    sure what the author means by that. If it's just doing the DNS handling in userspace
    without getaddrinfo(), then massdns and dnsdiag are the same. But if the author means massdns uses a completely
    own TCP/UDP stack implementation then they are different. dnsdiag uses standard Linux TCP/UDP stack.

    And now for benchmarks:
    To make the things fair, use only one DNS server and one concurrent lookup for both programs.
    Test material is the xaa file from dnsdiag-1.1.tar.xz package. Both massdns and dnsdiag were each run three times
    over laggy 4G.

    First massdns:

    echo "1.1.1.1" > resolvers.txt
    time ./bin/massdns -r resolvers.txt -q -o S -s 1 -t CNAME xaa

    .....
    .....
    smetrics.keysight.co.kr. CNAME keysight.co.kr.ssl.sc.omtrdc.net.
    smetrics.keysight.com. CNAME keysight.com.ssl.d1.sc.omtrdc.net.
    smetrics.keysight.com.br. CNAME keysight.com.br.ssl.sc.omtrdc.net.
    smetrics.keysight.com.cn. CNAME keysight.com.cn.ssl.sc.omtrdc.net.

    real 1m20,219s
    user 0m0,602s
    sys 0m1,490s


    then dnsdiag:

    time ./dnsdiag -q xaa
    ....
    ....
    smetrics.keysight.co.jp keysight.co.jp.ssl.sc.omtrdc.net
    smetrics.keysight.co.kr keysight.co.kr.ssl.sc.omtrdc.net
    smetrics.keysight.com keysight.com.ssl.d1.sc.omtrdc.net
    smetrics.keysight.com.br keysight.com.br.ssl.sc.omtrdc.net
    smetrics.keysight.com.cn keysight.com.cn.ssl.sc.omtrdc.net

    real 1m47,170s
    user 0m0,069s
    sys 0m0,252s


    massdns is about 27 seconds faster


    Then the same test with 2 concurrent lookups:

    massdns:

    cat xaa xab > list
    time ./bin/massdns -r resolvers.txt -q -o S -s 2 -t CNAME list


    ....
    .....
    www90.intel.com. CNAME intel.com.sc.omtrdc.net.
    www91.intel.com. CNAME intel.com.ssl.sc.omtrdc.net.
    y.ksl.com. CNAME ksl.com.ssl.d1.sc.omtrdc.net.
    www1.flagshop.jp. CNAME flagshop.jp.ssl.sc.omtrdc.net.

    real 1m43,743s
    user 0m0,804s
    sys 0m2,084s


    dnsdiag:

    time ./dnsdiag -q xaa xab

    ....
    .....
    www4.barclays.de barclays.de.ssl.d3.sc.omtrdc.net
    www90.intel.com intel.com.sc.omtrdc.net
    www91.intel.com intel.com.ssl.sc.omtrdc.net
    www1.flagshop.jp flagshop.jp.ssl.sc.omtrdc.net
    y.ksl.com ksl.com.ssl.d1.sc.omtrdc.net

    real 1m47,614s
    user 0m0,110s
    sys 0m0,548s


    massdns is about 4 seconds faster


    So all in all, all parameters being equal, there is not much performance difference between the two.


    Of course, if you go all crazy and use 10 000 concurrent lookups the massdns will be faster
    time ./bin/massdns -r resolvers.txt -q -o S -t CNAME list


    www3.gfa.org. CNAME gfa.org.ssl.sc.omtrdc.net.
    www4.barclays.de. CNAME barclays.de.ssl.d3.sc.omtrdc.net.
    www1.flagshop.jp. CNAME flagshop.jp.ssl.sc.omtrdc.net.
    tracker-aa.paf.es. CNAME paf.es.ssl.sc.omtrdc.net.
    webanalyticsssl.websense.com. CNAME websense.com.ssl.sc.omtrdc.net.

    real 0m6,613s
    user 0m2,502s
    sys 0m3,589s

    but if dnsdiag would support that many concurrent lookups I believe the speed would be pretty same

    EDIT:

    Is there timeout switch for massdns? Or does it wait for some fixed timeout for answer?
    In dnsdiag timeout is currently hardcoded to 10 seconds

    EDIT2:

    Actually, it does not make sense to use 10 000 concurrent lookups if the
    test material is way less than that.

    This would be equally fast (and more sane), 3948 being the number of subdomains in the list file (and so, concurrent lookups):

    time ./bin/massdns -r resolvers.txt -q -o S -s 3948 -t CNAME list
    ....
    .....
    stat-ssl.kakakumag.com. CNAME kakakumag.com.ssl.sc.omtrdc.net.
    stat-ssl.shift-one.jp. CNAME shift-one.jp.ssl.sc.omtrdc.net.
    stracking.myomee.com. CNAME myomee.com.ssl.sc.omtrdc.net.
    stracking.kyobo.co.kr. CNAME kyobo.co.kr.ssl.sc.omtrdc.net.
    w88.m.espn.go.com. CNAME go.com.d1.sc.omtrdc.net.
    sswmetrics.airniugini.com.pg. CNAME airniugini.com.pg.ssl.sc.omtrdc.net.
    stat-ssl.smfg.co.jp. CNAME smfg.co.jp.ssl.sc.omtrdc.net.

    real 0m7,315s
    user 0m0,125s
    sys 0m0,537s


    EDIT3

    Squeezing max performance from dnsdiag by using all the cores in my machine

    split -n l/8 -d list
    time ./dnsdiag -q x00 x01 x02 x03 x04 x05 x06 x07

    ...
    ...
    www3s.ing.be ing.be.ssl.d3.sc.omtrdc.net
    www4.barclaycard.de barclaycard.de.ssl.ldc.d3.sc.omtrdc.net
    www4.barclays.de barclays.de.ssl.d3.sc.omtrdc.net
    www90.intel.com intel.com.sc.omtrdc.net
    www91.intel.com intel.com.ssl.sc.omtrdc.net
    www1.flagshop.jp flagshop.jp.ssl.sc.omtrdc.net
    y.ksl.com ksl.com.ssl.d1.sc.omtrdc.net

    real 0m32,782s
    user 0m0,129s
    sys 0m0,423s

    So with just 8 concurrent lookups, dnsdiag performance improved extremely well

    Code:
    Tool       # concurrent lookups   Time
    ----------------------------------------------
    massdns    3948                   7 seconds
    dnsdiag    8                      32 seconds
    
     
    Last edited: Jan 8, 2020
  20. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,892
    @Geoffrey Frogeye
    I've visited several sites on a8.net.txt but haven't found any hit except for non-CNAME. I guess it may mean that they provide CNAME for all advertisers but many of them haven't applied CNAME tracker. Press release of the system suggests it's necessary advertisers manually configure DNS setting.

    This is what I do to disguise Firefox on PC as mobile. First, probably you know, set user agent to mobile. Then open developer tools (F12) and click a smartphone icon on.
    devtool.png
    Now it entered responsive mode. You can choose from a set of predefined screen size if you want, or turn touch emulation on/off. Also you can close the dev tool while keeping responsive mode.
    responsive.png
    Not perfect, but it meets most of my needs while much more convenient than using an emulator.
     
    Last edited: Jan 8, 2020
  21. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,892
    If you want to see how many rules on a filter are actually used, remove the filter first and purge and update all other filters, then add the filter in question again. IDK the exact priority uBO puts on counting these numbers.

    BTW some of the eulerian CNAME domains (not all) are already covered by EasyPrivacy w/ regexp rules tho they won't be counted as duplicate.
     
  22. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    717
    Maybe the best thing would be just start block advertiser network IP ranges at outgoing firewall rules?

    For example, if you take yst4.muchoviaje.com from the eulerian.net.txt
    and check what its IP address is you see this:

    ping -c3 yst4.muchoviaje.com
    PING dsa.eulerian.net (109.232.197.49) 56(84) bytes of data.
    64 bytes from dsa.eulerian.net (109.232.197.49): icmp_seq=1 ttl=51 time=309 ms
    64 bytes from dsa.eulerian.net (109.232.197.49): icmp_seq=2 ttl=51 time=87.7 ms
    64 bytes from dsa.eulerian.net (109.232.197.49): icmp_seq=3 ttl=51 time=84.6 ms

    So the side effect of using this dirty CNAME cloaking trickery is that
    they (usually) have IP address belonging to *.eulerian.net network.
    (always double check the IP address!)

    And for each IP address belonging to advertiser, you can find out its actual IP range with whois command:

    whois -b 109.232.197.49
    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf

    inetnum: 109.232.197.0 - 109.232.197.255
    abuse-mailbox: guillaume@eulerian.com

    % This query was served by the RIPE Database Query Service version 1.96 (HEREFORD)

    After you know the IP range(s) (they can own several separate IP-range blocks)
    just block them for good with iptables

    iptables -A OUTPUT -m iprange --dst-range 109.232.197.0-109.232.197.255 -j DROP

    iptables -vL
    Chain INPUT (policy ACCEPT 32 packets, 1664 bytes)
    pkts bytes target prot opt in out source destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 32 packets, 1664 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- any any anywhere anywhere source IP range 109.232.197.0-109.232.197.255

    Beauty of this is that:

    A) It's browser agnostic. It doesn't matter what browser or tool or software you use. If it needs to talk to outside and if it tries to connect some of the IP addresses in the range it gets blocked.

    B) If you do that on your router/gateway then your whole LAN will be protected.

    C) No matter how many new CNAMEs are added they get blocked. Only by buying new IP address block they could get around the block and all the free IPv4 addresses are handled already. So it will cost them money.



    Here are the eulerian.net network blocks that I could find:

    109.232.192.0 - 109.232.194.255
    109.232.195.0 - 109.232.195.255
    109.232.196.0 - 109.232.196.255
    109.232.197.0 - 109.232.197.255

    Also available from here:
    Code:
    https://www.orwell1984.today/cname/eulerian.net_ip_range.txt
     
    Last edited by a moderator: Jan 8, 2020
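
Added example (not part of the original post): it parses `inetnum:` lines in the form shown in the whois output above, collapses the ranges into the smallest set of CIDR blocks, and emits one outbound DROP rule per block. The sample text is constructed from the four ranges listed in the post; the function names and the 109.232.198.1 check address are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the four ranges listed in the post, written as
# RPSL "inetnum:" lines like the one in the whois output.
WHOIS_TEXT = """\
inetnum: 109.232.192.0 - 109.232.194.255
inetnum: 109.232.195.0 - 109.232.195.255
inetnum: 109.232.196.0 - 109.232.196.255
inetnum: 109.232.197.0 - 109.232.197.255
"""

INETNUM_RE = re.compile(r"^\s*inetnum:\s*(\S+)\s*-\s*(\S+)\s*$", re.MULTILINE)


def parse_inetnum(text):
    """Return (first, last) IPv4Address pairs for every inetnum line."""
    ranges = []
    for first, last in INETNUM_RE.findall(text):
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if lo > hi:
            raise ValueError("reversed range: %s - %s" % (first, last))
        ranges.append((lo, hi))
    return ranges


def to_cidrs(ranges):
    """Turn arbitrary first-last ranges into merged, non-overlapping CIDR blocks."""
    nets = []
    for lo, hi in ranges:
        # A range such as .192.0 - .194.255 is not a single prefix, so split it first.
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    # Adjacent or overlapping blocks are then merged into the fewest prefixes.
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(cidrs, chain="OUTPUT"):
    """One destination-match DROP rule per block (-d instead of -m iprange)."""
    return ["iptables -A %s -d %s -j DROP" % (chain, net) for net in cidrs]


def is_blocked(addr, cidrs):
    """Check a resolved address against the blocks before trusting the rule set."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in cidrs)


if __name__ == "__main__":
    blocks = to_cidrs(parse_inetnum(WHOIS_TEXT))
    for rule in iptables_rules(blocks):
        print(rule)
    print("109.232.197.49 blocked:", is_blocked("109.232.197.49", blocks))
```

Merging matters once the list grows: fewer rules means fewer comparisons per outgoing packet, and a collapsed list makes it easier to spot when a newly added range overlaps one that is already blocked.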
  23. Geoffrey Frogeye

    Geoffrey Frogeye Registered Member

    Joined:
    Dec 12, 2019
    Posts:
    4
    Location:
    France
    Usually in this application your bottleneck will be the network. Using thread or process-based concurrency will only make matters worse (it doesn't in your case since it's still better than no concurrency at all), as you're only adding synchronization overhead, since the network packets are received sequentially. Unless you have a 1 Gbps link and a crappy CPU, the latter will always be able to parse a DNS packet before the next one arrives.

    If I understood correctly massdns is able to achieve such performance by sending the multiple DNS requests without waiting for the response, then parsing the responses as they come, matching them to the original request with a hashmap.

    I couldn't get to 350Kreq/s without my host accusing me of DoS or my home router failing o_O. I had to reduce the hashmap to make about 2Kreq/sec, which is good enough for me: it allows me to resolve the ~6M most used recently subdomains daily for my lists without disturbing the other processes on the server too much.

    I believe we've drifted a bit off-topic. If you want to continue this conversation, maybe we should in private messages, unless somebody else finds it interesting too?


    This is not surprising. Most of the other tracking hostnames we found are dormant, only a few are used in production. That's not a problem though, it's not growing the lists by much and there don't seem to be any false positive. Thanks for the investigation anyway!

    Thanks for the detailed explanation! That's more practical than resizing the whole window :isay:.


    According to their wiki (emphasis mine):
    So yeah, with that considered and the fact that, besides a few now invalid domains, Stefan's lists are a subset of mine, this would explain the variety in numbers found!

    This would indeed be a better solution... theoretically. In practice, considering that most users don't know how or cannot set up a firewall in their environment (e.g. company computer/network) this is not a viable solution for everyone. You'll also need to maintain a fast moving list of ~60 network ranges, and ~30K IP addresses since most of the trackers don't have their own ranges because of shared hosting.

    You could also be using a custom DNS resolver then, such as dnscrypt (which now supports DNS cloaking) or Pi-hole (for which my list was initially thought). Add a firewall with the only network ranges and you get the C) bonus without too much of a hassle.

    You can find all of them by looking up the ranges associated to their AS (there should be a v6 tab if only they did the effort to support IPv6. Ok, I can talk :isay:). Here's a list of AS numbers for trackers I know of, and a list of ranges currently associated to those AS.
     
    Last edited: Jan 9, 2020
  24. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    717
    Sure, no problem, we can PM. But I just want to say few words before that about the internal design of my application so if you (or others) see some design mistakes:

    As I said previously, during startup, dnsdiag creates a new thread for each separate file that it's fed.

    The creating of thread is costly process (but much less costly than forking whole new process) but luckily
    only need to be done once during startup.

    It will then pin each thread to each CPU core the user machine has to prevent unnecessary messing by OS.

    Each thread has separate socket for sending/reading and that socket is also pinned to specific CPU core (I was surprised
    that it was not done automatically by pinning the thread that contains the corresponding socket).
    So all the thread/socket pairs are spread as evenly among CPU cores as possible.

    Inside each thread, a memory mapped file is opened once to corresponding file.
    After that each thread just loop that memory map, line by line (no read() syscalls needed here) in a simple loop.
    Constructing the whole DNS request packet is all done in userspace (to minimize context switch, no need to call getaddrinfo())
    and fed to a non-blocking send() syscall, and after that there's immediately a blocking recv() syscall to read the response.
    And then the response is just printed out. That's the only place there
    is any synchronization between threads (pthread_mutex_lock(&lock);puts(result);pthread_mutex_unlock(&lock)) so
    that console output is not messed. (And I'm not even sure if the pthread_mutex_lock/unlock is necessary or if puts()
    does the locking itself already)

    So even though I tried to minimize syscalls and context switches there's still a send()/recv() pair left in each thread
    and I'm not sure if putting non-blocking send() and also non-blocking recv() into yet another separate threads would speed it much...It would make it more complex.

    BTW, Why massdns use hashmap? Wouldn't just using the unique 16-bit identifier in the DNS request/response be enough to
    identify that some DNS server already gave the answer to corresponding request?
    In my own app I have it all zero because it only uses one DNS server and it doesn't matter in what order the responses come
    because the results can be sorted manually later with sort command.



    Well the list size management is not that much different of what is done currently. After all, I think all those manually updated tracker lists that everyone are using out there (EasyList, hostlist, etc..) are already quite large (30K? 40K? more?). And growing.
    So some point there is so much **** out there and lists so big that starting to block IP ranges makes sense.
    Or just instead of blacklists and default-allow, we start to keep track of whitelists and default-deny instead (I hope it does not come to that) .....

    Thanks for the valuable data!
    :)

    EDIT: Ah, I forgot the math again....
    16-bit unsigned integer can only hold at max, 65536 unique values.
    And if massdns does 350 000/second in best case scenario.....
    yea, hashmap makes sense now
     
    Last edited: Jan 9, 2020
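
Added example (not code from dnsdiag or massdns) for the matching question raised in the two posts above: a CNAME query built in userspace, a response parser that follows name compression, and an in-flight table keyed by transaction ID plus question name, so answers that arrive out of order still pair up even with the ID left at zero. The response bytes are constructed locally from names in the benchmark output; `InFlight`, `make_response` and the `.example` names are assumptions of this example.

```python
import struct

TYPE_CNAME, CLASS_IN = 5, 1

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:             # DNS labels are 1..63 bytes
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(txid, qname, qtype=TYPE_CNAME):
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(qname) + struct.pack("!2H", qtype, CLASS_IN)

def read_name(msg, off):
    """Decode the name at off, following compression pointers."""
    labels, resume, hops = [], 0, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:             # two-byte pointer
            resume = resume or off + 2        # parsing continues after the first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), resume or off
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length

def parse_message(msg):
    """Return (txid, question name, first CNAME target or None); assumes one question."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)
    off += 4                                  # skip QTYPE and QCLASS
    target = None
    for _ in range(ancount):
        _owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_CNAME and target is None:
            target, _ = read_name(msg, off)
        off += rdlen
    return txid, qname, target

class InFlight:
    """Outstanding queries keyed by (txid, name), not by the 16-bit ID alone."""
    def __init__(self):
        self.pending = {}
    def sent(self, query):
        self.pending[parse_message(query)[:2]] = True
    def received(self, msg):
        txid, qname, target = parse_message(msg)
        if not self.pending.pop((txid, qname), False):
            return None                       # never asked, or already answered
        return qname, target

def make_response(query, target):
    """Constructed answer for the demo: echo the question, add one CNAME record."""
    rdata = encode_name(target)
    header = query[:2] + struct.pack("!5H", 0x8180, 1, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, TYPE_CNAME, CLASS_IN, 300, len(rdata))
    return header + query[12:] + rr + rdata

def demo():
    table = InFlight()
    q1, q2 = build_query(0, "smetrics.keysight.com"), build_query(0, "www90.intel.com")
    table.sent(q1)
    table.sent(q2)
    r1 = make_response(q1, "keysight.com.ssl.d1.sc.omtrdc.net")
    r2 = make_response(q2, "intel.com.sc.omtrdc.net")
    stray = make_response(build_query(0, "not.asked.example"), "x.example")
    return [table.received(m) for m in (r2, stray, r1, r1)]   # reordered, stray, duplicate
```

Dropping responses whose ID and question do not match an outstanding query also keeps unsolicited packets out of a generated blocklist, which matters when the scanner's output is published for others to subscribe to.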
  25. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,437
    Location:
    Land of the Light