DNS reply larger than 4096 bytes

I thought I would never be able to generate a DNS query with a reply larger than 4096 bytes. I was wrong! Just look at this.

[warren@dnssec ~]# dig any doc.gov | grep SIZE
;; MSG SIZE rcvd: 9735

Of course, a reply of this size cannot come back over UDP: it exceeds the 4096-byte EDNS0 buffer that dig advertises, so the server answers with the TC bit set and dig retries the query over TCP. Thanks to the US Department of Commerce for letting me play around with this.

Hackers, don't use this for amplification attacks.  You will fail.


Q1 2014 DDoS Attack Report

Thanks to Prolexic (part of Akamai) for sending me this Q1 2014 DDoS Attack Report. I love this more than Akamai's State of the Internet Quarterly Report.

Fuck you, China and USA, for generating 40 % of the world's attack traffic.


Historical heartbleed vulnerability

I need to make myself more competent on OpenSSL and TLS after the discovery of the historic Heartbleed bug. I hate having to learn and practise again, but there is no shortcut.


heartbleed bug

Announcement: If network administrators have difficulty checking whether their SSL private keys are affected by the Heartbleed vulnerability, they can send me an email attaching the keys and let me know the websites. I will check for them, free of charge, of course.


VPN for my mobile phone

Stop being lazy: set up a VPN so that my phone can get over the wall onto Facebook while in mainland China. Even though my laptop can use SSH + a proxy server, I always feel that is not enough.


home routers as open resolvers

A friendly note to home users with broadband routers: quite a large number of home routers that have been in use for years have an open-resolver fault. Please go to 


check your router status and upgrade the firmware to plug the hole.
By having your router act as an open resolver, you are helping cybercriminals launch DDoS attacks.

This is evidence that ASUS RT-N66U routers can be used for DNS amplification attacks.


Open resolvers again

I repeat my statement again: don't compare open resolvers with Google Public DNS and OpenDNS; they are not the same. Google and OpenDNS have all sorts of security features that are beyond imagination.


No more Amplification Attack

For God's sake, please disable "monitor" if you operate publicly accessible NTP servers.

By the way, if monitor can be removed from the latest patches of the NTP daemon, I see hope of disallowing "ANY" queries in resolvers in coming patches. All name queries should be specific. If you want to do mail exchange, ask for MX followed by the A record. If you want to know the authoritative name servers of a domain name, ask for NS. These days, "ANY" serves no purpose except network attacks.
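The same ground put in code, as an added example that is not part of the original posts: it builds the kind of ANY query dig sends (with an EDNS0 OPT record advertising a 4096-byte buffer, the size the doc.gov reply above blew through), parses the reply header, and tells a refused reply from a truncated one (TC bit set, client must retry over TCP) and from a full recursive answer to an outsider, which is what an open resolver such as the home routers mentioned above gives, along with the amplification ratio that reply represents. The three replies it classifies are constructed by hand so the script runs offline; only probe() sends a real packet. The function names and the verdict strings are this example's own. For the NTP side of the same problem, the switch the post asks for is the ntp.conf directive disable monitor (or restrict default noquery to refuse all mode 6/7 queries); that is a configuration fact from ntpd's documentation, not something this script checks.

```python
"""Added example, not from the original post: build a DNS ANY query the way
dig does (EDNS0 OPT record, 4096-byte buffer), parse a reply header and
classify the reply.  The replies used below are constructed by hand so the
script runs offline; only probe() touches the network."""
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "MX": 15, "TXT": 16, "ANY": 255}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype="ANY", txid=0x1234, bufsize=4096):
    """Header (RD set, 1 question, 1 additional) + question + OPT RR."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    # OPT pseudo-RR: root name, TYPE 41, CLASS carries the UDP payload size,
    # TTL carries extended RCODE/version/flags (all zero here), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)
    return header + question + opt


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(query, reply):
    """Return (verdict, amplification ratio) for the UDP reply to `query`."""
    h = parse_header(reply)
    if not h["qr"] or h["id"] != parse_header(query)["id"]:
        return "not-a-reply", 0.0
    amp = len(reply) / len(query)
    if h["rcode"] == 5:
        return "refused", amp                     # closed resolver: nothing to amplify
    if h["tc"]:
        return "truncated-retry-over-tcp", amp    # did not fit the EDNS buffer
    if h["ra"] and h["ancount"] > 0:
        return "open-resolver", amp               # recursion offered and answered
    return RCODE.get(h["rcode"], "rcode-%d" % h["rcode"]), amp


def probe(resolver_ip, name="doc.gov", qtype="ANY", timeout=2.0):
    """Send one query to a resolver (e.g. your home router) and classify it.
    Needs the network; not exercised by the offline demo."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        reply, _ = s.recvfrom(65535)
    return classify(q, reply)


def constructed_reply(query, flags, ancount=0, size=None):
    """Hand-made reply for the demo: echo the query's ID and question, set
    header flags/counts, and pad to `size` bytes in place of real RRs."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = query.index(b"\x00", 12) + 5          # end of QNAME + QTYPE + QCLASS
    body = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:qend]
    return body + b"\x00" * ((size or len(body)) - len(body))


def demo():
    q = build_query("doc.gov")
    # QR|RD|RA with RCODE 5: a resolver that refuses outsiders.
    refused = constructed_reply(q, 0x8185)
    # QR|TC|RD|RA: the answer did not fit in 4096 bytes, retry over TCP.
    truncated = constructed_reply(q, 0x8380, ancount=5, size=4096)
    # QR|RD|RA, NOERROR with answers: a full recursive reply to an outsider.
    answered = constructed_reply(q, 0x8180, ancount=20, size=3000)
    return {name: classify(q, r) for name, r in
            [("refused", refused), ("truncated", truncated), ("answered", answered)]}


if __name__ == "__main__":
    for name, (verdict, amp) in demo().items():
        print("%-10s %-26s amplification x%.1f" % (name, verdict, amp))
```

The 36-byte query against a 3000- or 4096-byte reply is the whole amplification story: a refused reply is smaller than the query, a truncated reply still carries up to the advertised buffer size over UDP before the client moves to TCP, and the only thing that changes the ratio is whether the resolver answers strangers at all.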



Another interesting thing. An IT guy tried to ping in an attempt to troubleshoot a connectivity problem. He should be fired immediately.


MAC address intrusion

A complainant said his home PC was being accessed by other people over the Internet through "MAC address intrusion". The complainant sought help from his ISP. What should the ISP do? Just laugh and do nothing.


Boosting WiFi signal strength by a Coke can

In today's Apple Daily, there was a story about boosting WiFi received signal strength by placing a Coke can close to an antenna. A picture is given below.

The distance between the aluminium foil and the whip antenna should be carefully calculated in order to maximize the directivity; as a norm it is λ/2. For this TP-LINK 2.4 GHz router, the distance is 3×10^8 / (2.4×10^9 × 2) = 0.0625 m, or about 2.5 inches.


IPv4 turn-off day in 2014

In order to show the technical maturity of IPv6, some intelligent people have suggested setting aside one day in 2014 as the IPv4 turn-off day. I just want to ask whether this idea really makes sense. If turning off IPv4 leaves a large number of users unable to reach major websites, people will form a very bad opinion of the quality of IPv6. I certainly agree there needs to be an IPv4 turn-off day to test where we are in the transition and whether applications break when relying on IPv6 alone. The timing is not this year; it might be in the next 10 years. For the time being, just enable dual-stack and stay with dual-stack as much as possible.




The online flash sale was originally scheduled for 12 noon today, but because tens of thousands of users logged in at the same time, the server failed. Engineers spent a while on emergency repairs, and the sale only resumed at 12:30 pm. While the repairs were going on, those tens of thousands of users put down whatever they were working on and waited to log in again; the loss of productivity across every trade and industry was severe.



US leads the world in IPv6 deployment

US leads the world again in IPv6 deployment: Verizon 45 %, Comcast 28 %, Time Warner Cable 5.3 %. Finally, the winner is Google Fiber, achieving 76 %. These network operators are fantastic!



IPv6 adoption reaches 10 % in 2014

Leslie Daigle mentioned in her blog that IPv6 traffic will be boosted to over 10 % by year end. True. This is what I believe from my continuous observation of Google's measurements.


I note from Google's traffic measurement that there is a traffic increase of 25 % every 2 months. Based on this exponential projection, by the end of 2014 the growth factor will be 1.25^6 = 3.81. Now that we have 2.75 % IPv6 traffic, by year end the 2.75 % will be boosted to 2.75 × 3.81 = 10.49 %. IPv6 traffic reaching 10 % is an important milestone. I am eagerly waiting to witness this important moment.


About NULL

NULL represents an unknown value, and strictly speaking NULL is never equal to NULL. To say NULL means "does not exist" might not be lexically correct. Confused about what I said? Then put me in "/dev/null".
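What "never equal to NULL" means in practice, as an added example that is not part of the original post: the script below runs the comparisons through Python's built-in sqlite3 on a small table invented for the demo (users with a banned_until column that is NULL when no ban is on record). It shows that NULL = NULL and NULL <> NULL are both unknown, that a WHERE clause written with = NULL or with a NULL inside NOT IN matches nothing, and the practical trap: an allow-list check written as NOT (banned_until > today) silently drops every user who has never been banned, while the deny-list form works because unknown behaves like false. Table, rows and function names are this example's own.

```python
"""Added example, not from the original post: how SQL treats NULL, shown with
Python's built-in sqlite3 on a small constructed table.  The table and its
rows are made up for the demo."""
import sqlite3

# banned_until is NULL for users with no ban on record.
ROWS = [("alice", None), ("bob", "2099-01-01"), ("carol", None)]


def _db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, banned_until TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return con


def names(con, sql, params=()):
    return [r[0] for r in con.execute(sql, params)]


def null_semantics():
    """Three-valued logic: a comparison with NULL is unknown (None in Python),
    and unknown in a WHERE clause behaves like false."""
    con = _db()
    out = {
        "null_eq_null": con.execute("SELECT NULL = NULL").fetchone()[0],
        "null_ne_null": con.execute("SELECT NULL <> NULL").fetchone()[0],
        # '= NULL' is unknown for every row, so nothing matches
        "eq_null": names(con, "SELECT name FROM users WHERE banned_until = NULL"),
        # IS NULL is the test that actually finds the rows
        "is_null": names(con, "SELECT name FROM users WHERE banned_until IS NULL "
                              "ORDER BY name"),
        # a NULL inside NOT IN (...) makes the predicate unknown for every row
        "not_in_with_null": names(con, "SELECT name FROM users "
                                       "WHERE name NOT IN ('bob', NULL)"),
        # COUNT(col) skips NULLs, COUNT(*) counts rows
        "counts": con.execute("SELECT COUNT(banned_until), COUNT(*) "
                              "FROM users").fetchone(),
    }
    con.close()
    return out


def blocked_users(today):
    """Deny-list check: rows whose ban is still running.  NULL > today is
    unknown, so never-banned users simply do not appear, which is correct."""
    con = _db()
    rows = names(con, "SELECT name FROM users WHERE banned_until > ? "
                      "ORDER BY name", (today,))
    con.close()
    return rows


def allowed_users(today, naive=False):
    """Allow-list check.  The naive form, NOT (banned_until > today), is
    unknown for the NULL rows and silently drops every user who has never
    been banned; the correct form names the NULL case explicitly."""
    con = _db()
    if naive:
        sql = "SELECT name FROM users WHERE NOT (banned_until > ?) ORDER BY name"
    else:
        sql = ("SELECT name FROM users WHERE banned_until IS NULL "
               "OR banned_until <= ? ORDER BY name")
    rows = names(con, sql, (today,))
    con.close()
    return rows


if __name__ == "__main__":
    for k, v in null_semantics().items():
        print("%-17s %r" % (k, v))
    print("blocked:        ", blocked_users("2014-04-10"))
    print("allowed (naive):", allowed_users("2014-04-10", naive=True))
    print("allowed:        ", allowed_users("2014-04-10"))
```

The NOT IN case is the one that bites in real schemas: name NOT IN (SELECT name FROM blacklist) returns nothing at all as soon as a single NULL name appears in the subquery. SQLite's IS operator (IS NOT DISTINCT FROM in standard SQL) is the null-safe equality to reach for when two nullable columns must be compared.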



Giving myself a choice: since the TV at home can only show TVB's shoddily made programmes, I am ready to watch other channels on my smartphone and tablet.



This site has the worst web server configuration in the world.


It listens on an IP address instead of a fully qualified domain name, so a digital certificate and HTTPS cannot be applied. There is no "robots.txt", no 404 error page, and I believe there are many other apparent flaws.


Digital Certificates

I want to develop an e-certificate for my own use for the coming 50 years. No way: stuck on the Year 2038 epoch issue. What shall I do then? I will still be alive after 2038!!!
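Where exactly the 2038 wall stands, and what a 50-year validity period does to the certificate itself, as an added example that is not part of the original post: the script below finds the last second a signed 32-bit time_t can hold, shows what a wrapped counter reads one second later, and encodes a notAfter date the way RFC 5280 section 4.1.2.5 requires (UTCTime for dates through 2049, GeneralizedTime from 2050 on), so a certificate running to 2064 is expressible in X.509 even though a 32-bit time_t cannot represent its expiry. The 2014-04-10 issue date and the function names are this example's own.

```python
"""Added example, not from the original post: where the signed 32-bit time_t
runs out, and how X.509 validity dates are encoded on either side of 2050
(RFC 5280 section 4.1.2.5: UTCTime through 2049, GeneralizedTime from 2050)."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TIME_T32_MAX = 2**31 - 1          # 2038-01-19 03:14:07 UTC


def utc(year, month, day, hour=0, minute=0, second=0):
    """Aware UTC datetime helper used by the demo."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def fits_time_t32(dt):
    """True if an aware datetime is representable as a signed 32-bit time_t."""
    return -2**31 <= int((dt - EPOCH).total_seconds()) <= TIME_T32_MAX


def time_t32_wrapped(dt):
    """The date a signed 32-bit time_t reads after overflow (a constructed
    illustration of the rollover, not something any library does on purpose)."""
    secs = int((dt - EPOCH).total_seconds())
    wrapped, = struct.unpack("<i", struct.pack("<I", secs & 0xFFFFFFFF))
    return EPOCH + timedelta(seconds=wrapped)


def encode_x509_time(dt):
    """ASN.1 Time as RFC 5280 requires: UTCTime (YYMMDDHHMMSSZ) up to 2049,
    GeneralizedTime (YYYYMMDDHHMMSSZ) from 2050 on."""
    if not 1950 <= dt.year <= 9999:
        raise ValueError("outside the range X.509 Time can express")
    if dt.year <= 2049:
        return "UTCTime", dt.strftime("%y%m%d%H%M%SZ")
    return "GeneralizedTime", dt.strftime("%Y%m%d%H%M%SZ")


def plan_validity(not_before, years):
    """Work out notAfter for a certificate meant to last `years`, and flag the
    two things that bite: the 2038 time_t limit and the 2050 encoding switch."""
    not_after = not_before.replace(year=not_before.year + years)
    kind, encoded = encode_x509_time(not_after)
    return {
        "not_after": not_after,
        "encoding": kind,
        "not_after_der_string": encoded,
        "fits_32bit_time_t": fits_time_t32(not_after),
    }


if __name__ == "__main__":
    start = utc(2014, 4, 10)          # constructed issue date for the demo
    for years in (20, 24, 50):
        p = plan_validity(start, years)
        print(years, p["not_after"].date(), p["encoding"], p["not_after_der_string"],
              "fits time_t32" if p["fits_32bit_time_t"] else "OVERFLOWS 32-bit time_t")
    print("one second past the limit reads as",
          time_t32_wrapped(utc(2038, 1, 19, 3, 14, 8)).isoformat())
```

The certificate format is not the problem: X.509 switches to a four-digit year at 2050 and carries on. What breaks is any verifier, OS or embedded device that converts notAfter to a 32-bit time_t, which is why a 24-year certificate from 2014 is the longest one that every such client will read correctly.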