Slashdot Mirror
The Root of All E-Mail
wiredog writes "A Washington Post story about the DNS, the VeriSign NOC, and some of the security therein." Especially interesting in light of the recent security lockdowns throughout much of the Western world. The havoc of losing the A root server would be bad, like Staypuft Marshmallow Man bad.
Obscurity is the first line of defense. The building is unmarked, its address unspecified in company literature and its managers tight-lipped about disclosing driving directions or identifying markings to strangers.
They are apparently okay with featuring the place in an article in the Washington Post, though. Sheesh.
I watched C-beams glitter in the dark near the Tannhauser gate.
Reading about the physical security is interesting. I'm wondering why they wouldn't just contract out with the Government and move the operation to a secure military installation somewhere in the DC area. There are plenty of them around there. Granted, it seems that they have taken care of their current security needs, but it might be cheaper/easier to locate it in a protected area that is already guarded. I get the feeling that "Security through Obfuscation" (the actual building) might not be the best policy.
Still fascinating though.
Jason
He's totally creeping out the Great One, eh...
Venkman - "I'm a little fuzzy on the whole good/bad thing. What do you mean, bad?"
Egon - "Try to imagine all life as you know it stopping instantaneously and every molecule in your body exploding at the speed of light."
Ray - "Total protonic reversal..."
Venkman - "Alright, important safety tip. Thanks, Egon."
Ah, one of the great comedies of the 80's...
---
"how can the same street intersect with itself? i must be at the nexus of the universe!" - cosmo kramer
Hemos said...
Especially interesting in light of the recent security lockdowns throughout much of the Western world. The havoc of losing the A root server would be bad, like Staypuft Marshmallow Man bad.
Absolute proof that the Slashdot editors don't even bother to read the articles, and just depend on their wrong understanding of things.
From the article...
"The DNS is built so that eight or more of the world's 13 master root servers would have to fail before ordinary Internet users started to see slowdowns, according to John Crain, manager of technical operations for the Internet Corporation for Assigned Names and Numbers (ICANN).
ICANN manages the DNS and sets policies for registry operators and domain name retailers.
"Theoretically, if 'A' were to disappear, we could pick it up from one of the other servers," Crain said. "Moving the place where the zone is picked up is very simple."
In other words, don't panic. The A server is just the highest profile target.
Sometimes it's best to just let stupid people be stupid.
The article seemed to be a little scare-mongery, considering how they go on to describe that the other root servers can easily take over.
A bigger question is: how well protected are the public peering points, like MAE East and MAE West? Since even international traffic is often routed through them, we would see an instant slowdown if one of those two nerve centers were destroyed. Big businesses might have private peering arrangements that would survive, but you can bet that a ton of smaller sites would be affected by a loss of a MAE.
Your right to not believe: Americans United for Separation of Church and
The slashdot post is misleadingly sensationalist (I know, shocking!)
The article states that 8 of the 13 root servers (which are located throughout the US) would have to fail simultaneously before internet users would even notice something was wrong. I think that qualifies as "a little redundancy"...
Liberal (adj.): Free from bigotry; open to progress; tolerant of others.
Security through obscurity will never solve anything when used as the first line of defense.
Dude, it's the first line of defense, not the ONLY line of defense. Read the article.
There is nothing wrong with security through obscurity as one facet of security. It's when it's the only security that it's a problem.
Sometimes it's best to just let stupid people be stupid.
IN AD 2002 WAR WAS BEGINNING
(Scene: Verisign Data Center inside Washington DC. Huge explosion on top floor of red brick office building, sending flaming servers flying through the night sky)
(Cut to home of Verisign CEO, he is in bed with his fat wife, snoring loudly. The phone rings, and he wakes up, wiping the slobber from his chin while answering)
Verisign CEO: "What you want!"
Voice on the phone: "Somebody set us up the bomb!"
CEO: "What you say!"
Phone voice: "We get signal!"
(static on phone, all of a sudden a voice breaks in)
Arabian voice: "How are you gentlemen? By the Grace of Allah, All your A Root Servers are belonging to us! You have no chance to survive, make your time!"
CEO: "It's YOU! Restore backup! Implement Emergency Response Plan A! Move every server! For great justice!"
Arabian voice: "HA HA HA HA HA HA HA!"
mje0w!!!1!
The DNS system is probably one of the least problematic systems. The zone files that are spread out to the root servers are also "publicly" availiable. No, you can't get them (would be a problem because of spam, etc.) but ie. large ISPs can get them to run their own root level hiearchy. This is good for large ISPs as it will cut down on bandwidth usage. This might also be a great solution for the future. If ISPs hosted the root level zones themselves, the DNS system would be virtually unbreakable and the bandwidth usage due to DNS requests would dissapear.
"Obscurity is the first line of defense. The building is unmarked, its address unspecified in company literature and its managers tight-lipped about disclosing driving directions or identifying markings to strangers.
While the location of the building is not a true secret -- dozens if not hundreds of Internet addressing insiders know where it is -- it would be difficult for a casual vandal or criminal to stumble across it, Rippe said.
And the casual vandal or criminal would be interested in it because?
For crying out loud, a 1 second Google search on "Verisign NOC" reveals the COMPLETE ADDRESS in a PARTY INVITATION!?!? in the very first result!
Yeah, I feel safe.
I have a world map with root-servers pointed on it, looks like the area in which the A server is (Virginia, Maryland) hosts not one but six (A, C, D, G, H and J) servers, some of which (like H, run by US Army) are probably veeery well defended...
I found a link to the same pic on the net:
cs.ucla.edu
...or maybe just nuke the whole area and you take down 6 of them
Vacuum cleaners suck. Kings rule.
Oh, I don't know about that. Sure, it's bad when it's the only line of defence, but as a mere "first" line I think it's perfectly reasonable. (Just as it's a reasonable defence to, say, have your web server misidentify itself, or to have an unlisted phone number, or what have you.) As long as the layers of security behind this first one are robust, obscurity is perfectly reasonable as a front line defense.
No offence, but thank god you're not, buddy... :)
Oh baloney, they work all the time. Maybe you should consider putting down the standard /. party line and try putting some of this hyperbole into perspective. If secrets have never worked then why is the story of the Trojan Horse so famous? If secrets have never mattered then why is the element of surprise considered to be so tactically valuable? If secrets didn't matter to security then why did Nixon have those 18 minutes of blank tape, and why did Cheney turn in thousands of blank documents, and why do all governments bother classifying things as top secret?
If you're in a position of just stupendously overwhelming strength -- like say if the US were to invade Bermuda tomorrow -- then no I don't suppose you need to be all that secretive about things. For everyone else, in every other situation, secrets can have an important role to play. Even if trolls would suggest otherwise.
DO NOT LEAVE IT IS NOT REAL
DNS is already distributed. You're friendly neighborhood ISP caches the most often used DNS info, and 80% of internet traffic is resolved there. Only a small portion of traffic has to be escalated to a root server. That's why, as the article said, 8 of the 13 root servers would have to be taken out simultaneously for users to notice any slowdown. An attack on the A root server would be more symbolic than actually damaging. Even if it was done by the Stay-Puffed Marshmellow Man.
Don't forget that Friday is Hawaiian shirt day.
As briefly noted in the Post article, the DNS infrastructure, like most essential net technology, pretty much doesn't have any single points of failure. It's immune to local physical attacks or natural disasters. The article is just a sensationalist trip into a modern high security datacenter full of Ooh-ing and Aah-ing, and doesn't have much relevance at all to the security or stability of the 'net.
11*43+456^2
Ummm... on the highway in front of the NSA HQ the exit sign says NSA. After you make the exit, there is a big giant NSA sign with the seal and everything. Just past the Shell station.
Also, before every enterence to the CIA there is a sign that says "CIA Next Left" or "CIA Next Right (just pas the Shell station)." Dolly Madison Parkway I think, or is that Chain bridge Rd? Forgot since I don't drive by there any more.
NRO enterance is on a small road off Rt. 28 in Chantilly, VA (I can see it from my office cube). There are not any signs on 28 announcing it, but on the entrence side there is a big giant NRO sign and another NRO sign that marks the Contractor's entrence.
The Mapping and Imaging HQ has a big giant sign in front of it, on Sunrise Valley Rd. in Reston, VA, corner at Fairfax County Parkway with Dulles Tollroad on the other side. No signs on the tollroad for it though. Sprint runs AOL's backbone from right down Sunrise Valley with no sign (other than the address) out front. Right next to the INRI building. No Shell station nearby.
At "Station C" in Remington, VA (see "numbers stations") there is a big historical marker inside the fence, right by zads of antennas. Just a couple of miles past the Shell station.
Yes, all of the Shell station refrences are real and an odd "coincidence", since there is not a Shell station right by the NRO, nor is there one right by the Herndon NOC for VeriSign.
Hummm... watch out for the Shell stations of you want to find something kinda secret I gues
Eve Fairbanks says I drive a hybrid!LOL
Just FYI:
:-)
The root-servers know where to find everything which is below the root (like com, edu, net, nl, au, cn, tw, us).
The gtld-servers (global top level domain, i.e. the non-country codes) know where to find everything which is like philips.com, freebsd.org and berkely.edu.
The country-code-servers know where to find xs4all.nl, org.au and co.uk.
In the past I've made a small tool called dnstracer (shameless plug) which shows you what queries your DNS server is doing to get the answer for a hostname.
If you play a little bit around with it you'll see how easy it is to live without connectivity to the root-servers.net machines, thanks to caching etc. Well, for the first two days that is
bash$
The havoc of losing the A root server would be bad, like Staypuft Marshmallow Man bad.
Psh! I don't care if all DNS servers collapsed! I've got 64.28.67.150 tattoed on the back of my hand.
Pinky: "What are we going to do tomorrow night Brain?"
Brain: "I would tell you Pinky but this 120 char limi