Internet Backbone DDOS "Largest Ever"
wontonenigma writes "It seems that yesterday the root servers of the internet were attacked in a massive Distributed DoS manner. I mean jeeze, only 4 or 5 out of 13 survived according to the WashPost. Check out the original Washington Post Article here."
I couldn't load ESPN.com yesterday at school, now I know why!
it's supposed to withstand a nuclear war?
.. Promote them to management!!!
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
...when someone calls up and says "Is the internet down?" you can finally say, "It was." Not just to simplify it to the level that your callers can understand, but because it's the truth.
Mod me down and I will become more powerful than you can possibly imagine!
I mean jeeze, only 4 or 5 out of 13 survived according to the WashPost.
I'd say this just goes to show how reliable the root name servers are. I didn't notice any dns problems yesterday. In fact, I don't remember any root name server problems since the infamous alternic takeover.
Attacks on marines in Kuwait.
DC sniper.
French tanker bombing.
Bali bombing.
Is this another terrorist attack?
Anything that is so important that it can't be disturbed during transmission is already taken off the Internet and on its own network cable.
You don't think the military puts any critical systems on the Internet, do you?
From the article: "UUNET is the service provider for two of the world's 13 root servers. A unit of WorldCom Inc., it also handles approximately half of the world's Internet traffic." Only two servers for half the world's internet traffic? That is scary. What are the specs on those babies?
FoundNews.com - get paid to blog.,
This just might be the work of a terrorist group launching a cyber attack, maybe even China? I hope we don't see more of these.
I thought the purpose of the NIPC was to prevent these sorts of attacks. Not only were they unable to prevent this attack, they were unaware of it as well.
The US FBI at its best...
If the servers can withstand the attack without going completely down, I guess they know they did something right.
Article:
"Despite the scale of the attack, which lasted about an hour, Internet users worldwide were largely unaffected, experts said."
All I can say is that if you think of this as a test, I'm happy it passed.
(Insert joke about Beowulf cluster of DDOS attacks / the servers ability to withstand the slashdot effect.)
the servers themselves. I am not an expert, but surely these servers connect to the net through some sort of router/hub, whatever. The servers are made to handle a lot of traffic, but what about the connecting hardware? If the routers were attacked directly, wouldn't the DDOS attack still be successful without touching or alerting the DNS servers themselves?
Also I doubt that the routers are set up to recognize any kind of attack, as they are just relays between the net and the server. Possibly the attack could go on for quite some time before anyone realized what was going on.
As I said, I am not an expert; could someone enlighten me?
"when uunet or at&t takes many customers out for many hours, it's not a problem
when an attack happens that was generally not even perceived by the users, it's a major disaster
i love the press"
With something like the root nameservers, if it was an important attack, you would have noticed. I run an ISP and we had zero complaints, even from the Everquest whiners who complain at the drop of a hat about anything.
The blurb didn't really make this clear -- it was the root DNS servers that got DOS'ed. I wouldn't really go so far as to call them the /Internet backbone/.
So what was on /. yesterday, anyway? Nothing that interesting that I remember it, obviously...
<wanders off to check the "Yesterday's headlines" box...>
Here be Dragons
largest ddos ever taking out roughly half of the root servers? i must've been browsing the web for a good 5 hours yesterday while doing some research. am i the only one that didn't notice?
....in an irc channel near you:
"Hehe, fuk that sniper. I ownz0r this country"
Now I know why my Tribes 2 experience lagged last night.
I'm going to beat the crap out of that 12-year-old as soon as I find him; he made me look like I had no skillzzz.
Does anyone know a good Chiropractor!?!
UUNET needs an adjustment as well!
It's not the truth. The Internet != DNS.
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
That explains why I've been so productive at work lately, and why I have been able to enjoy the great outdoors a little more.
Some things can be blessings in disguise, and this probably is one.
SIG:Slashdot: indymedia for nerds.
The root DNS servers are required to go from the TLD to the actual TLD's nameservers, e.g. to go from ".com" to the .com root nameservers. As a result, although critical, their results are cached with very, VERY long cache timeouts (TLD DNS servers seldom change).
Thus the hour-long attack was not enough to meaningfully disrupt things, as most lookups would not require querying the root, unless you were asking for some oddball TLD like .su.
Change the attack to be several hours, or a few days, and then cache entries start to expire and people are unable to look up new domain names. But that attack would be harder to sustain, as infected/compromised machines could be removed.
It is an interesting question who did this or how it was achieved. There seems to be a lot of scanning for open Windows shares (Yet Another Worm? Who knows) also going on in the past couple of days, but there is no clue whether it is related.
Test your net with Netalyzr
Why on earth are "about 10" of the root servers in a single country?
I'd love to see a breakdown of what networks the attacks came from and what the OS distribution was... pie charts optional.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
you know, call me crazy, but this sort of thing really scares the heck out of me. I don't wanna start a blame M$ thread, but they're a company with NO actual interest in implementing security properly... and look what happens... Joe User's computer running win98se that he hasn't upgraded since he bought the thing is now a weapon... and there are millions of Joe Users...
Well we can laugh about it now (What DOS? my instinct when I read about this was to flip the unsuccessful hax0rs the bird) but my concern is that this could be a test run for something more unpleasant.
Maybe to cause a false sense of security, maybe to analyse how those crucial networks cope with DOS attacks so as to be more successful next time.
Whether these people were Bin Laden's boys or garden-variety hax0rs, don't get too comfortable. The worst is yet to come.
-- INTX Grouch. http://www.midnightblue.net
That A isn't accessible to the outside world. I just tried pinging it, and it didn't respond, while b, c, e, and f (that I tried) did work. On the other hand, it could just be the DDoS. But in any event, I would assume that even if A isn't accessible, the other root servers would always be able to touch it.
autopr0n is like, down and stuff.
I can't say that anyone on my network mentioned any issues yesterday or today. I think that as CPU horsepower and memory have become cheaper, ISP's and backbone providers have seriously increased the use of caching. Judging from my experience during this 'major' outage it seems to have paid off.
The people who did this are undoubtedly HUGE computer freaks (like the rest of us). If they had succeeded, they would have thought it was the coolest thing ever until they realized that they brought down the internet. Then they would undergo massive withdrawal, since they killed their main source of entertainment. For a few days they would curl up into a corner and curse their existence. Maybe they would go outside and turn to ashes in the sun.
It's like a crack addict killing his dealer for fun.
Crystal Meth: Would you ingest something made from a poisonous gas and an explosive metal? You do it every day -- Salt!
I haven't had any trouble.
The heart of the Internet sustained its largest and most sophisticated attack ever
I've never considered DDOS all that sophisticated myself. It seems to me more like "wow, a script kiddie got more systems under his control than usual" than "a great cracker is on the loose". Though I suppose if it were a great cracker, then they could have been proving themselves by predicting the attack.
I know I shouldn't have pressed this button...
---
Hello, Slashdot user. My name is Dr. Sbaitso. I am here to help you.
Which could happen if these guys tried again:
:)
We'll have to rely on IP addresses, obviously, so start changing your bookmarks now!
http://64.28.67.150/index.pl
instead of
http://slashdot.org/index.pl
Cogito ergo sum in Slashdot.
Despite the scale of the attack, which lasted about an hour, Internet users worldwide were largely unaffected, experts said.
Indeed, no traffic slowdown, no more than usual support calls. The system works as expected, even under attack.
Worth a read: Caida DNS analysis, and more specifically those graphs. It would be interesting to know which DNS sustained the attack, in regard to the graphs.
have you been defaced today?
For an hour or two yesterday, me and lots of other people couldn't even connect to Google while I was at university!
I suppose the parent post is meant to be funny, but if you actually read the quote, it makes perfect sense: Apart from running two root servers, UUNET also handles half the world's internet traffic. The only way to misunderstand it, is to try really hard.
Internet addressing giant VeriSign Inc., which operates the most important server from an undisclosed Northern Virginia location, reported no outages.
;-)
Does Cheney play QIII on it?
Seriously, I know squat about what goes on outside the beige box, but should we be scared about this?
I mean, if I were a terrorist and read this, I'd immediately start salivating and try to find out as much about Verisign as possible -- everything from employee car rentals and hotel rentals to phone calls, merchandise, shopping... I'd do everything in my power to find the 'undisclosed location'. Is this another weakness that hasn't truly been protected yet?
Maybe they were attacking root servers but those server failing couldn't cause all the DNS records to get lost. Some people might have had temporary problems, some might have not.
If you really want to, build your own root server
So how often do YOU utilize the internet without using DNS? Not often, I bet.
"Can of worms? The can is open... the worms are everywhere."
Probably, the reason why the internet was not affected was because there are many other DNS servers not considered 'root'. For example, my school uses a DNS server to speed requests along without having to do a DNS search. It keeps track of known domain name/ip combos in a hosts file. It even caches these pages, letting users on the school load pages faster! I believe we called it a 'proxy server'?
I'm the Devil the Windows users warned you about.
Hi,
I'm at JPNIC & JPRS; we manage the Japanese servers here. The attack progressed through our networks and affected 4 of our secondary mapped servers (these servers are used as a backup and in no way are real root servers). The servers were running a suite of Microsoft products (Windows NT 4.0) and a security firewall by Network Associates.
Here is a quick log review:
Oct20: The attackers probed our system around 2100 hours on Oct 20 (Japan). We saw a surge in traffic onto the honeypot (yes these backups are honeypots) systems right around then.
2238: We saw several different types of attacks on the system, starting with mundane XP-only attacks (these were NT boxes). We then saw tests for clocked IIS and various other things that didn't exist on our system.
2245: We saw the first bind attacks, these attacks were very comprehensive. We can say they tried every single bind exploit out there. But nothing was working.
Attacks ended right then.
Then on the 22nd they resumed (remember we are ahead)
22nd: A new type of attack resumed. The attack started with port 1 on the NT box; we have never seen this type of attack, and the port itself responding was very weird. Trouble started and alarms went off; we were checking but couldn't figure out what happened, then we saw a new bind attack. The attack came in and removed some entries from the bind database (we use Oracle to store our bind data).
The following entries were added under ENTRI_KEY_WORLD_DATA
HACZBY : FADABOI
CORPZ : MVDOMIZN HELLO TO KOTARI ON UNDERNET
Several other things were changed or removed.
Till now, we have no idea what the exact type of hack this was; we are still looking into this. The attacker calls himself "Fadaboi", and has been seen attacking other systems in the past.
We are now working hard with network solutions.
Thank you.
Is there any way we can find the machines used for DDoS? Yes, I am paranoid and don't want my machine to be used for any of this kind of thing.
That must be why my internet connection was 0.25 mbps slower yesterday.
... *cough*
I didn't notice anything...
wheels=!cars
that's how stupid you sound.
take that not equals c syntax and shove it where the sun don't shine, mr. "i can't see the forest for the trees"
In other news, Slashdot posted a story about the internet yesterday. as a result, the internet had been completely obliterated within 5 minutes.
-- If you try to fail and succeed, which have you done? - Uli's moose
You know, the Slashdot crowd has so many Linux users that bash on MCSEs like it's their job, yet I am sure that every MCSE understands that taking down every single DNS server for hours, even days, would have a minimal effect on the operation of the internet. Things would hum along just fine. Meanwhile, the zealots are astounded at the ability of the remaining servers to withstand the load, and see it as a testament to Unix reliability.
:)
I can see how that site would totally confuse Grandma.
Grandma: "I clicked the red button."
Grandson: "YOU DID WHAT?"
Grandma: "I clicked the red button and the screen
went dark."
Grandson: "NO....IT CAN'T BE! YOU NEVER CLICK THE
RED BUTTON.! DO YOU KNOW WHAT YOU DID?"
Grandma: "Huh?"
Grandson: "YOU KILLED THE INTERNET! YOU BASTARD!"
seriously, cool site...
the only thing missing is the goat.cx guy
...megaultrahyperslashdot effect!
Open Source Java Web Forum with LDAP authentication
A certain mil/gov organization I consult with was jumping through their own asses worried about this. The funny thing is, ummm... NOTHING CHANGED! We experienced NOTHING. I think they wanted us to do something... ANYTHING.
You know... next time this happens, I'm setting up my own root servers... errr... wait...
3cx.org - A truly bad website.
Quite often, in fact. I only visit a few sites daily (Slashdot, El Reg, and the rest) and my box caches the domain names, therefore I never touch DNS. Couple that with leaving my computer on 24/7, and I have effectively eliminated egress DNS traffic.
joke (jk)
n.
Something said or done to evoke laughter or amusement, especially an amusing story with a punch line.
A mischievous trick; a prank.
An amusing or ludicrous incident or situation.
Informal.
Something not to be taken seriously; a triviality: The accident was no joke.
An object of amusement or laughter; a laughingstock: His loud tie was the joke of the office.
(dictionary.com:joke)
Have you ever heard of a JOKE ?
No need to shit your pants about it.
It was for the sake of HUMOR.
"VeriSign expects that these sort of attacks will happen and VeriSign was prepared," company spokesman Brian O'Shaughnessy said.
That guy HAS to be related to Bob Dole.
You know it had to be some ebay junkie who just had to win an auction, so he blocked out half the internet.
I think I can. The US Army-operated root server looks like it took the brunt of the attack, as opposed to the JPNIC servers, which seem to have had a much lower rate (perhaps because most of the attacking hosts were US-based?).
"The Domain Name System (DNS), which converts complex Internet protocol addressing codes..."
And I suppose the person who wrote this article would consider arithmetic a complex system of digits and symbols.
come on fhqwhgads
CSRs are taught to stretch the truth anyway. What's the harm in this? :)
Likewise the ISPs who carried these people should also be punished.
one possible punishment is to have your IP blacklisted for a month. Or maybe just have your Domain Name removed from the top level DNS for a month.
Sure that would suck, but punishment is supposed to suck.
Some drink at the fountain of knowledge. Others just gargle.
Trying to form a picture...
well my dad can beat up your dad.
Regardless, regarding syntax, the binary infix notation is nothing to be ashamed of. a != b is commonplace in imperative languages; I can't speak for Lisp, which you seem to be intimately familiar with, but it's well understood in Slashdot culture, at least in my limited experience. In a similar vein, a = !b is also accepted; it's standard C++ semantics, believe it or not. The alternative, a = b', used in Randall's Art of Assembly, is no more or less favorable. Prefix or postfix, it's all the same.
As I'm sure you are aware, != is what it is due to our limited rendition of mathematical binary logical operators thanks to ASCIIization of the Internet (what ASCII bytes were sent to the backbones to DDoS them? ADM, perhaps?!), and although Unicode is now a standard, 3.0 being the largest and most complete compendium ever notwithstanding Unihan CJK languages, Slashdot chooses to return the same identical Content-Disposition header ignoring actual content. This forces one to write != rather than the preferred "Equal Sign With Slash Overbar", approximated /= by some, not to be confused with auto-assignment division, but you have to compromise somewhere. I would have written = U+"COMBINING SLASH" or, in canonical form, U+02AF2 "NOT EQUAL/LESS THAN OR GREATER THAN", but what do I look like, a Unicode-compatible typist?
Wheels can exist without cars, everyone agrees on that. Of course, cars cannot drive without wheels--you can't go anywhere, but your kids can still fiddle in the back with the radio and color DVD players, their own XBOX, and our 802.11b-linked Home Entertainment System. If you see SSID=NACHONETWORK, I have embedded a buffer overflow in our SSID which exploits NetStumbler and is able to create a connect-back rootshell on my MacOS server. I'll show you the forest in the trees, just wait for your magic Christmas tree packet!
Now can I go?
Root-servers.net
The legendary cymru.com data.
I haven't looked yet but LINX mrtg charts might show something interesting.
Of course, even if someone could knock all the root servers over, the net as we know it wouldn't stop working instantly. That's what the time to live value is for :)
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
To equate, in a roundabout way, concern with terrorism with genocide or McCarthyism is silly. Your style of thinking is perhaps more susceptible to some moral crime.
BTW, I live in DC. I actually do think we need to suspend our concerns with "offending somebody" or "behaving unpolitically correct" and crack down. We must stand up to evil, and if it means outraging an ACLU lawyer, then so be it. It's better to live in a free society that must occasionally be brutal and unfair than to lapse into a tyranny. Witness the well-meaning Russian, French and Iranian revolutions. The war against Terror has just begun.
The question stands: Is it a coordinated terrorist attack?
piddly and unintelligent
Fine, so the attack was unintelligent. What will happen when someone attacks MAJORLY and INTELLIGENTLY?
This gets my panties in a knot. A piddly attack brought down 65% of the root name servers! A good attack would have brought them all down! Doesn't that worry you?
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
The stats for the h.root servers are available for the time period of the attack. Seems as though the h servers were taking in close to 94Mbits/second for a while.
More links to server stats can be found at Root Servers.org and some background is available at ICANNWatch.
There's only one critical file? Hey, just email it to me, I'll keep it on my hard drive. If anyone needs it, just shoot me an email.
>VeriSign Inc., which operates the most important server from an UNDISCLOSED Northern Virginia location,
UNDISCLOSED ???
>Vixie said he kept "pushing" the flood of data far enough away from his servers that legitimate traffic could flow around the obstruction.
can someone please explain what exactly he did ? what type of DDOS attack it was ??
Luckily I use Mozilla, and this M$ IE-only JavaScript that supposedly turns off the internet doesn't work. Score one more for open source :) .. take that, Bill.
De Oppresso Liber
The attack only lasted an hour or so, didn't affect all the servers, and if most of the sites you were looking at were in your ISP's DNS caches, you wouldn't have hit the root servers anyway. If you're looking for google.com, your ISP's cache has it because somebody else looked at it 2 seconds ago - it's when you want really-obscure-domain.com that you need to hit the root servers.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Why are these servers even REACHABLE from our home comps anyway? Most comps (99.999% I would imagine) wouldn't need to talk to the root servers, ever. Why not just allow 'trusted networks' access?
I hope for your sake that Slashdot doesn't change its IP address any time soon then.
One would assume you still have to check periodically to see if the IP address from DNS is the same as your cached one. Either way, you are not the majority of Internet users, so for most everyone, DNS going dead == Internet going dead.
Determining whether or not kicking the majority of users off the Internet is a bad thing is left as an exercise to the reader.
Your router will be fine... it just won't work for the duration of the DDoS attack because it'll be overloaded. But most home routers don't have anything that will overheat.
Hubs don't get their own ip address... all they do is provide extra ports and repeat signals to increase signal strength.
Hmmm... Pie...
...if they'd looked up their favorite pr0n and warez sites first, so the names were in their DNS caches and their ISP's caches.
Bill Stewart
I only noticed it because I use my own DNS server to resolve requests; and pay close attention whenever I see any problems resolving host names (there is the possibility of it being a bug with my software).
The person who orchestrated this attack is not very familiar with DNS. Attacking the root name servers is not very effective; all the root servers do is refer people to the .com, .org, or other TLD (top-level domain) name servers. Most DNS servers remember the list of the name servers for a given TLD for a period of two days, and do not need to contact the root servers to resolve those names. While some lesser-used country codes may have had slower resolution times, an attack on the root servers which only lasts an hour cannot even be felt by the average end user.
In the case of MaraDNS, if a DOS (denial of service) is happening against the root servers, MaraDNS will be able to resolve names (albeit more slowly for lesser-used TLDs) until every single root server is successfully DOS'd.
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
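The two posts above about root referrals being cached for days (the ".su" one and Sam's MaraDNS one) are easy to check with a small simulation. This is an added example, not code from the thread, MaraDNS or any real resolver: it is a toy iterative resolver with a TTL cache over a constructed delegation tree (the zone names, server names and 192.0.2.x addresses are made up). It takes the root "down" for a chosen number of seconds and shows which lookups still succeed: anything under an already-cached TLD resolves for as long as the two-day referral TTL lasts, only an uncached TLD needs the root, and a three-day outage is what it takes before ordinary .com lookups fail.

```python
"""Toy iterative resolver with a TTL cache.

Added example: constructed delegation data, not real root or TLD
contents.  It shows why a short root-server outage goes unnoticed:
the root is only asked for a TLD referral once that referral has
aged out of the cache, and TLD referrals carry a two-day TTL here.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DAY = 86400

# Constructed authoritative data: zone -> {child name: (rdata, ttl)}.
# The root refers to TLD servers, TLDs refer to second-level zones,
# and leaf zones answer with made-up (RFC 5737 TEST-NET-1) addresses.
AUTH = {
    ".": {
        "com.": ("ns.com-tld.example.", 2 * DAY),
        "org.": ("ns.org-tld.example.", 2 * DAY),
        "su.": ("ns.su-tld.example.", 2 * DAY),
    },
    "com.": {
        "example.com.": ("ns.example.com.", DAY),
        "other.com.": ("ns.other.com.", DAY),
    },
    "org.": {"thing.org.": ("ns.thing.org.", DAY)},
    "su.": {"site.su.": ("ns.site.su.", DAY)},
    "example.com.": {"www.example.com.": ("192.0.2.10", 300)},
    "other.com.": {"www.other.com.": ("192.0.2.20", 300)},
    "thing.org.": {"www.thing.org.": ("192.0.2.40", 300)},
    "site.su.": {"www.site.su.": ("192.0.2.30", 300)},
}


class RootDown(Exception):
    """Raised when a lookup needs the root and the root is unreachable."""


def parent_chain(name: str) -> list:
    """Zone cuts from the root down to name:
    'www.example.com.' -> ['.', 'com.', 'example.com.', 'www.example.com.']"""
    labels = name.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain


@dataclass
class Resolver:
    # (start, end) of the simulated root outage, in seconds
    root_down: Optional[Tuple[float, float]] = None
    # name -> (rdata, absolute expiry time)
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    root_queries: int = 0

    def _query(self, zone: str, qname: str, now: float) -> Tuple[str, int]:
        """Ask zone's server about qname.  Only the root can be down."""
        if zone == ".":
            if self.root_down and self.root_down[0] <= now < self.root_down[1]:
                raise RootDown(qname)
            self.root_queries += 1
        return AUTH[zone][qname]

    def resolve(self, name: str, now: float) -> str:
        """Walk the delegation chain, skipping every step still in cache."""
        chain = parent_chain(name)
        for parent, child in zip(chain, chain[1:]):
            hit = self.cache.get(child)
            if hit is not None and hit[1] > now:
                continue
            rdata, ttl = self._query(parent, child, now)
            self.cache[child] = (rdata, now + ttl)
        return self.cache[name][0]


def run_scenario(outage_seconds: int) -> dict:
    """Warm the cache, take the root down for outage_seconds, then try
    lookups just before the outage ends.  None means the lookup failed."""
    r = Resolver()
    r.resolve("www.example.com.", now=0)   # normal traffic caches .com
    r.resolve("www.site.su.", now=0)       # ...and .su, but never .org
    start = 3600
    r.root_down = (start, start + outage_seconds)
    probe = start + outage_seconds - 1
    results = {}
    for name in ("www.example.com.", "www.other.com.",
                 "www.site.su.", "www.thing.org."):
        try:
            results[name] = r.resolve(name, now=probe)
        except RootDown:
            results[name] = None
    # once the root is back, the uncached TLD resolves normally
    results["after"] = r.resolve("www.thing.org.", now=start + outage_seconds)
    results["root_queries"] = r.root_queries
    return results


if __name__ == "__main__":
    for label, secs in (("one hour", 3600), ("three days", 3 * DAY)):
        print(label, run_scenario(secs))
```

With a one-hour outage every name under .com and .su still resolves, because the referral cached at warm-up outlives the outage; only www.thing.org fails, since nothing under .org had been looked up before. With a three-day outage the two-day TLD referrals have expired and every lookup fails until the root is reachable again, which is the "several hours, or a few days" case the post describes. The root is consulted only three times in the whole run, once per TLD first seen.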
Alright man, I got +! KARMA and +& REPLIES. Who's !Smart now?
I really wish I knew that yesterday.
ok
:-)
you win.
your text over floweth, and was clever.
peace love and happiness.
Raises arm in the air and shouts "They'll Pay"
Why?
It's really easy to setup a system which dumps your SQL database out to a TinyDNS file. TinyDNS is provably secure software. I would expect that you would use it on the root servers, since it's designed to work at very high levels of output/uptime, and be attack resistant to the point of being attack proof.
Say what you will about D. J. Bernstein, he does have a very capable DNS solution available.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
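The post above suggests dumping an SQL database into a tinydns data file. As an added example, not code from the post, from djbdns or from any real root-server setup, here is that export: an assumed five-column `records` table in an in-memory SQLite database, constructed sample rows under example.net, and the generator that emits one tinydns-data line per record. The point worth seeing is the escaping: tinydns-data uses ':' as its field separator, so a TXT record such as an SPF string with a colon in it must be written with `\072` or the line is parsed wrong.

```python
"""Dump DNS records from an SQL table into tinydns-data format.

Added example: the table layout, names and addresses are assumed for
illustration and are not taken from any real deployment.  The output
lines follow the tinydns-data syntax (one record per line, ':' as the
field separator, three-digit octal escapes for awkward bytes)."""
import sqlite3
from typing import List

# Assumed schema: one resource record per row; names carry no trailing dot.
SCHEMA = """
CREATE TABLE records (
    name TEXT    NOT NULL,   -- owner name
    type TEXT    NOT NULL,   -- NS, A, MX, TXT, CNAME or PTR
    data TEXT    NOT NULL,   -- target host, address or text
    prio INTEGER,            -- MX preference, NULL otherwise
    ttl  INTEGER NOT NULL
);
"""

# Constructed sample rows.
SAMPLE_ROWS = [
    ("example.net", "NS", "ns1.example.net", None, 172800),
    ("ns1.example.net", "A", "192.0.2.1", None, 86400),
    ("www.example.net", "A", "192.0.2.10", None, 3600),
    ("example.net", "MX", "mail.example.net", 10, 3600),
    ("example.net", "TXT", "v=spf1 ip4:192.0.2.0/24 -all", None, 3600),
    ("ftp.example.net", "CNAME", "www.example.net", None, 3600),
]


def tinydns_escape(text: str) -> str:
    """':' separates fields, so it, backslash and any non-printable or
    non-ASCII byte must be written as a three-digit octal escape."""
    out = []
    for b in text.encode("utf-8"):
        if b in b":\\" or b < 0x20 or b > 0x7e:
            out.append("\\%03o" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def record_to_line(name: str, rtype: str, data: str, prio, ttl: int) -> str:
    """One tinydns-data line per record.  The leading character picks the
    type: '.' NS (plus SOA), '+' A, '@' MX, "'" TXT, 'C' CNAME, '^' PTR."""
    n, d = tinydns_escape(name), tinydns_escape(data)
    if rtype == "NS":
        # empty ip field: no glue A record is generated for the server name;
        # d contains a dot, so tinydns uses it as-is instead of d.ns.<zone>
        return ".%s::%s:%d" % (n, d, ttl)
    if rtype == "A":
        return "+%s:%s:%d" % (n, d, ttl)   # '+' not '=': no automatic PTR
    if rtype == "MX":
        return "@%s::%s:%d:%d" % (n, d, int(prio), ttl)
    if rtype == "TXT":
        return "'%s:%s:%d" % (n, d, ttl)
    if rtype == "CNAME":
        return "C%s:%s:%d" % (n, d, ttl)
    if rtype == "PTR":
        return "^%s:%s:%d" % (n, d, ttl)
    raise ValueError("unsupported record type: %s" % rtype)


def build_sample_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO records VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def dump(conn: sqlite3.Connection) -> List[str]:
    """All rows as tinydns-data lines, in insertion order."""
    cur = conn.execute(
        "SELECT name, type, data, prio, ttl FROM records ORDER BY rowid")
    return [record_to_line(*row) for row in cur]


if __name__ == "__main__":
    print("\n".join(dump(build_sample_db())))
```

The output is what you would write to tinydns's `data` file before running `tinydns-data` to compile it into `data.cdb`. Whether a database-driven export belongs on a root server is a separate question from what the post claims about tinydns itself; the example only shows the mechanics.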
if you consider 'all but 4-5' of the root nameservers going down 'passing the test'.. i got a bridge to sell you..
according to the article (you did read it, right?) the dns system is built so that 'eight or more' of the 13 must go down before ordinary users start to see slowdowns..
someone was probably conducting a vulnerability probe to see in what order and for how long they could wreck each non-essential machine.. bounds checking, if you prefer
pick your conspiracy theory.. russian hacker mercenaries, bored preteens, us government disaster planners, e-fil terrorists, aliens, whatever
also of note.. quoted was a paul vixie, towards the end of the article he mentions how they coped with the problem, sort of..
'Vixie said he said he kept the server operating by "pushing" the flood of data far enough away from his servers that legitimate traffic could flow around the obstruction. Such clogs still affect some Internet users by gumming up internet communications somewhere else in the network.'
implications?
It's just change propagation that's a bitch.
What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey
Obviously you are not/have not been a UCR student, otherwise you would know that Randall Hyde is a capital asshole :) His dishonor is so great that even linking to him is shameful.
Religion is a gateway psychosis. -- Dave Foley
..memorising the slashdot servers IP address in case of total DNS meltdown? Seriously, if the DNS system was totally destroyed, would you be able to think of any IP addresses by memory to get you in contact with other net people?
Smaller ISPs don't cache info from larger ones... most DNS servers simply use the root servers directly. There is no hierarchy beyond that with regards to caching.
It is hierarchical with regards to namespace, but not so much with regards to lookups.
You know...it was a supposed to be a joke...notice how everything links to verisign.com?
Maybe they all have an Ellen Feiss fetish.
He painted a unicorn in outer space. I'm askin' ya, what's it breathin'?
That be funnier if it didn't really happen...all the time. I work at a University and I get at least one call a day: "Is the server down?" There are many many servers on campus and it is (almost) never the server causing the problem. Users wank up their software configuration and then blame it on "the server" instead of their own ignorance (notice I didn't say stupidity, I said ignorance. many of these people are very intelligent...just in fields without a technical basis). Some basic user education on the technology that is an integral part of their jobs could go a long way.
For the most common 2LD names, any major ISP will have cached the addresses for them, and won't need to hit the .com server until the typical 1-week or 24-hour cache timeout periods. If your nameserver is ns.bigisp.net, somebody there will have looked up google.com in the last 2 seconds, even though nobody at your ISP has looked up really-obscure-domain.com this week - but even that one may be in the cache because some spammer was out harvesting addresses. An obvious scaling/redundancy play for the root servers and for the major ISPs would be to have them cache full copies of the root server domains to keep down the load and reduce dependency. It's not really that much data - 10 million domains averaging 30 characters for name and IP addresses is only half a CD-ROM. An interesting alternative trick would be for the Tier 1 ISPs to have some back-door access to root-level servers for recursive querying.
Bill Stewart
4711 Mission Rd. - Westwood, KS (sub. of Kansas City), Tel: (913) 432-5678
Good enough for a lot of professional athletes, and they straightened me up after my car wreck.
But I don't think they can fix uunet.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
They slashdotted the backbone.
- Peter
Actually, there was no massive attack. MS paid MCI 1 billion to convert those BSD boxes to MS. Unfortunately, they threw the switches and found that they could not handle the load. They then came up with something that is less of a black eye to MS. So, back to BSD they go. Now, I wonder if MS will insist that MCI go with MS or pay back the 1 billion.
Hmmm, maybe someone else mentioned this, but I wonder why web browsers don't perhaps cache the IP address as part of a saved bookmark. It would seem to help if they played nice by using a bit less load on the DNS system, and avoid problems like this if (perhaps) DNS went down. You could add a button to "refresh bookmark IPs from DNS", or just have the browser automatically do it if the cached IP address was not found...
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
This would indicate why many of you may not have noticed any slowdowns in response time.
You really need to get laid more often
>Users wank up their software configuration and then blame it on "the server" instead of their own ignorance (notice I didn't say stupidity, I said ignorance.
You only get to use the ignorance excuse once. Not following instructions when you've been explicitly given them is stupidity.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Vixie said he kept the server at Internet Software Consortium operating by "pushing" the flood of data far enough away from his servers that legitimate traffic could flow around the obstruction. Such clogs still affect some Internet users by gumming up Internet communications somewhere else in the network. ... 2nd to last paragraph in the article. I can't even touch that. wow. I can make up shit like that too... can I have a job at the washington post please?
Skiers and Riders -- http://www.snowjournal.com
Excellent point. There are many people who are repeat offenders and are certainly stupid! Some of these people are even supposed to be technically inclined according to their job description at the University.
Actually, it appears that they do. Check this out.
The fact that something exists in DNS dosn't actualy mean you can reach it :P
Original Washington Post article was: "Attack On Internet Called Largest Ever"
/.
Followup article, after slashdot story, was: "Attack on Washington Post Called Largest Ever".
Ah.. behold the mighty power of
In the Portland, Ore area and like card games? Check out: http://groups.yahoo.com/group/portlandgames/
http://www.apple.com/macosx/jaguar/rendezvous.html
Would this have helped? An Internet that doesn't need DNS servers.
"The only way to stop such attacks is to fix the vulnerabilities on the machines that ultimately get taken over and used to launch them," Paller said. "There's no defense once the machines are under the attacker's control."
>> Thus Microsoft can be construed as an assistant in the attack, especially since they made spoofing etc. easier with XP/2k (no other motive to do so?).
It is a little worrying that we were down to 4 DNS's, but what about the fact that they're in the US.
As a non-American I feel left out. On a shallow level it actually gives a feeling of aggressive capitalism.
However, as a westerner I try to be aware that we do give off a bad impression, particularly when it comes to money. If I'm in my local supermarket and it gets bombed by a terrorist group who believe it stands as an icon of western capitalism, I can at least empathise with them, understanding why they do it.
If I don't empathise with them and understand why they did it, how can I fight it?
It's easy to see why a citizen of other countries with no part in the backbone would be resentful; they're connecting to other countries and they've got to play by their rules, often under democracy and the rule of money (capitalism). So you could feel quite helpless and left out of the internet. "I've voted for Communism, (i.e.) why can't I live by it?"
This is of course just DNS I'm talking about; it's more complicated than this - content etc...
A blog I run for the wealth
However at work, we use BIND. Why? Cause it's the "lowest common denominator". All the admins know at least the basics on how it works and could probably update the zone files if they had to, even if they don't deal with it on a daily basis like I do.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
Like many, I didn't notice: Speakeasy's DNS servers weren't involved. Besides, isn't DDOSing root DNS to take out the entire 'net a little like trying to chop down a sequoia with a piece of fried chicken to get lumber?
This sig no verb.
I really hate signatures, but go to my website.
Stories like these should make all of us involved in IT really make a push away from easily exploited systems like Microsoft operating systems and the applications/services that run on them. This is not an anti-Microsoft troll, but just the truth in these days and times: we all know the most common targets, we all know what is the most insecure. We should start vocally opposing Microsoft solutions by our management, both the well being of our networks, and the Internet in general.
Did they claim your spine was out of alignment?
They might as well wear grass skirts and a bone through their nose. They make scientologist seem sensible.
Suppose that the root nameservers were to only allow connections from certain hosts. In other words, if I run one of the root nameservers, everyone but certain DNS servers is blocked at the router level. This makes it more difficult to attack a root server, as you'd have to either take over a nameserver I allow connections from, or somehow exploit my router which blocks you.
This does have a potential problem -- say I charged $100,000/year to be able to use my root nameserver. Suddenly, only the largest ISPs can connect -- the whole DNS system could potentially become highly commercialized. (I suppose the wealthy ISPs could "resell" access, but...) But if it's carefully planned, I think this might be a rather effective method of preventing problems with the root nameservers. It seems strange to have a handful of "essential" servers just sitting out there on the web.
________________________________________________
suwain_2
It's actually slightly odd. I did receive two calls yesterday about the internet being down...
I run a small intranet. We use BIND on Linux for our core DNS, and TinyDNS on the firewall as the external DNS server. TinyDNS is a great package, though it can take a little getting used to. However, I still see TinyDNS and BIND as being in different markets.
On my main server, I want to be able to manage caching, record serving, have multiple zones some of which are dynamically updated, etc. all on the same box, and TinyDNS doesn't provide this capability. Besides, BIND 9 actually has some security built into the architecture, though it is not as paranoid as TinyDNS.
LedgerSMB: Open source Accounting/ERP
An earlier poster mentioned alternate DNS servers in an off-handed way; we had a look at the site for Grass Roots Domain Name Servers grs.ipal.net and several sites ref'd to there.
The latter had either gone offline, were selling their own domain name, or were no longer operating (only their info was available, at best).
So, are there -any- working alternative TLD DNS servers around today (& likely to be here tomorrow)?
If so, URLs please...
TIA
"The details of the disaster recovery scheme are of course confidential"
Translation: We really don't have one that we've tested.
Most good routers are designed to have the ability (if you enable it) to look inside of the packets
Hmmm, last I looked at the Cisco feature set (or the like from Foundry and Nortel and what have you), it was a challenge to put in rules that
a) didn't take out significant "good" traffic, and
b) did take out significant "bad" traffic.
I agree that rate limiting ICMP traffic is an appropriate answer, especially in the light of this particular attack, but I'm appalled by the number of illiterate dorks who copy snippets titled "how to block all ICMP" from a textbook into their firewall without the slightest understanding of why ICMP was implemented in the first place.
I hate to think of what could happen if the 31334 hackers really start mixing attacks.
I positively _love_ WD40, but I will not apply it to reduce the squeaking of my car's brakes. Too many people use the Internet equivalent of WD40 on their network brakes.
Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
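The rate-limiting the comment above argues for, as an added example that is not the poster's code: a token-bucket limiter applied only to non-essential ICMP, run over a constructed burst of echo requests mixed with a DNS query, a traceroute "time exceeded" and a Path-MTU "fragmentation needed" message. The packet records, the bucket parameters and the set of ICMP types treated as essential are assumptions for illustration.

```python
"""Token-bucket rate limiting of ICMP, run over constructed sample traffic.

Added example (not from the thread). It models the advice in the comment
above: rate-limit ICMP rather than drop it wholesale, so ping, traceroute and
Path-MTU "fragmentation needed" messages keep working while a flood is clipped.
Packet records and limiter parameters are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float           # arrival time in seconds (constructed)
    proto: str          # "icmp", "udp" or "tcp"
    src: str
    icmp_type: int = 0  # 8 = echo request, 3 = dest unreachable, 11 = time exceeded


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, burst of `burst` tokens."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # Refill proportionally to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


# ICMP types that must survive rate limiting for the network to keep working:
# 3 = destination unreachable (carries "fragmentation needed" for PMTU discovery),
# 11 = time exceeded (what traceroute relies on). Constructed policy; tune per site.
ESSENTIAL_ICMP = {3, 11}


def filter_traffic(packets, rate=8.0, burst=16):
    """Return (accepted, dropped). Only non-essential ICMP goes through the
    bucket; UDP/TCP and the essential ICMP types pass untouched."""
    bucket = TokenBucket(rate, burst)
    accepted, dropped = [], []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto == "icmp" and p.icmp_type not in ESSENTIAL_ICMP:
            (accepted if bucket.allow(p.ts) else dropped).append(p)
        else:
            accepted.append(p)
    return accepted, dropped


def sample_traffic():
    """Constructed: 100 echo requests from one source at 64 pps, interleaved with
    a DNS query, a traceroute reply and a PMTU message that must not be dropped."""
    pkts = [Packet(i / 64, "icmp", "198.51.100.7", 8) for i in range(100)]
    pkts += [Packet(0.25, "udp", "192.0.2.10"),
             Packet(0.5, "icmp", "192.0.2.11", 11),
             Packet(0.75, "icmp", "192.0.2.12", 3)]
    return pkts


if __name__ == "__main__":
    acc, drp = filter_traffic(sample_traffic())
    print(f"accepted {len(acc)}, dropped {len(drp)}")
```

With the defaults (8 tokens/s, burst 16) the first 18 echo requests pass, then roughly one in eight, while the DNS query and both essential ICMP messages are never touched; that is the difference between "rate-limit ICMP" and "block all ICMP".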
Share the file on P2P networks!
C:\>
The behaviour he described is normal. As part of a DNS entry you specify the expire time, telling a client how long it's okay to cache an entry.
-Bill
SlashSig Karma: Excellent (mostly affected by moderatio
In the world of Winblows users and Linux newbies, you don't have to have the most secure machine in the world, it just has to be more secure than 50% of the machines in the world.
It is like the joke about 2 people running from a bear. You don't have to outrun the bear, you only have to outrun your friend.
Why bother cracking an almost insecure machine, when you have thousands of completely insecure ones to do your bidding?
Saskboy's blog is good. 9 out of 10 dentists agree.
last time I looked, it's qmail that has the fucked up license; TinyDNS seemed quite GPL compatible to me.
I have found AoA to be extremely useful in my understanding of Boolean Algebra, Chapter 2 covered the basic postulates, theorems, functions very well. I printed the "16 Possible Boolean Functions of Two Variables" table he included and kept it in a handy location. I first came across minterms/maxterms and how they are used to find the canonical expression, as well as k-maps for optimization. I don't particularly like Hyde's assembly library however, for me the Intel Programmers Manual Volume 1-3 dead tree book was most clear and straight-forward, unlike assembly "tutorials".
I challenge you to provide a link to a better reference than Hyde's AoA that explains boolean algebra more clearly and more comprehensively. Go ahead.
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
Greedy Americans are only 5% of world population but they consume over HALF the world's available bandwidth!
I was thinking along the lines of North Korea, Iraq, Al Qeada or any other militant islamic terrorist types.
Any one else have ideas?
Rendezvous is a system for home and office networks to keep track of which systems have which capabilities. Thinking that it would allow the internet to work without a DNS server is naïve.
Or do you think a bunch of hostnames with "running HTTP server" would be as useful as a DNS system?
-Terralthra...
Lost Packet - 43 bytes - last seen in a saturated OC3 - Reward $$$
A warrant
--Joey
wait.. if the internet got slashdotted... but the slashdot effect takes place inside of the internet network, then how.. holy crap
You're right, you wouldn't want to block all queries, but you can do almost as good: you can block all queries except the queries for the domains that you're hosting. In fact, doing so is generally considered a very good idea, since it protects you against some forms of cache poisoning attacks.
Check out the allow-recursion command in the named.conf (5) man page, which does exactly what I describe.
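A BIND 9 named.conf fragment showing the allow-recursion split the comment describes, added here as an example and not taken from the thread or from the BIND documentation verbatim. The zone name, file path and client network are placeholders; `localhost` and `localnets` are BIND's built-in ACLs.

```conf
// Added example: answer authoritative queries for our own zone from anywhere,
// but only perform recursion (look up other people's names) for local clients.
options {
    directory "/var/named";
    recursion yes;
    // Only these clients may ask us to resolve names we do not host.
    // Everyone else gets REFUSED for recursive queries.
    allow-recursion { localhost; localnets; 192.0.2.0/24; };
};

// Data we are authoritative for is served to anyone; that is the server's job.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};
```

In newer BIND 9 releases `allow-query-cache` separately governs who may read cached answers; it defaults to the `allow-recursion` list, so the fragment above also keeps outsiders from reading (or poisoning via) the cache.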
aww, this honor among trolls makes me shed a tear of happiness (-;
Ah, that graph brings back some memories. I miss working in a NOC for a colo facility.
:) (After they got the game servers up, of course.)
We hosted WWII Online's web servers and game servers for a while. When it first was released many of their customers weren't happy because nothing worked right.
Apparently somebody got mad and had an OC3 available to try a DOS attack, but little did they know WWIIOL's servers had 200Mbps internet. The spike went up to 45mbit over normal for a short while, but I guess they quickly realized it didn't do any good and gave up.
I thought that was funny. But what was funnier is that one of their customers was clever enough to figure out how to get hold of the NOC and complained that the game servers were down! I couldn't tell him anything helpful except to contact the WWIIOL folks.
Of course it was also cool to play an online game with a ping of less than 10ms.
And then there was the time one of their techs was setting up a Linux server, stepped out for a few minutes and came back to find that it had been root kitted! He had just finished the base load and not patched it yet, thinking it would be okay long enough to get a bite to eat. He was pissed. But the script kiddie was stupid because he locked himself out by deleting the telnet and sshd servers and logging out before activating his trojan software.
For a "largest ever" attack, there wasn't a lot of perfomance loss.
This message typed with Dvorak.
OK, everyone keeps saying the bunkers these things are in were designed to withstand a nuclear blast. My question is, are the bunkers themselves, or the equipment in the bunkers, shielded enough to survive the electromagnetic pulse given off by the detonation of a nuke? It's not just sci-fi; an EMP is another devastating effect of nukes, it's just that usually there isn't anyone left around to complain about their radio not working.
"Sic Semper Tyrannosaurus Rex."
I can't imagine how I could be possibly laid any more, you see, there's this girl you might have heard of...first name Mary, lastname Jane. She has cushion for the pushin' like you wouldn't believe. And don't even get me started on her DSLs, especially when she does it laying on her back...mmm...hell yeah.....(I added some extra periods because you forgot yours, your girlfriend probably did too.)
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
You know when lookerup.com goes down, something's serious wrong!
To provide caching, use DNScache. If your box is exposed to the internet, you likely don't want to be doing cache requests for the world. You can easily configure DNScache to broker for several internal (TinyDNS) systems. Note that only TinyDNS will set the authoritative flag; DNScache will not.
For dynamically updating zones, I use a small Perl DBI script which dumps zones from the DB into a directory. All files in the directory are sorted (via sort) into a main text file, which is hashed into data.cdb. I also have a big text file from the other DNS server scped over and included in the hash. The entire system is dynamic, with every important entry controllable from within an easily backed-up (and restored) SQL server. Adding things like DynDNS to this setup would be trivial (all I'd need is another table for actual accounts, which allow people to modify their own zone files).
Best of all, because there is an order of magnitude less code running, TinyDNS is a lot easier to inspect for correctness. You can spend a couple of evenings reading over all the code for the package (even if it's not the best looking C code in the world), and really understand it.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
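The DB-to-tinydns pipeline the comment describes, as an added example and not the poster's Perl/DBI script: records live in an SQL table, get dumped into tinydns-data's line-oriented "data" format, and are sorted before `tinydns-data` would compile them into data.cdb. The table schema, the sample rows and the zone names are constructed; the line shapes follow the djbdns tinydns-data documentation.

```python
"""Generate a sorted tinydns-data file from an SQL table.

Added example (not the poster's script). sqlite3 stands in for whatever SQL
server holds the zones; the schema and rows are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE records (
    name  TEXT NOT NULL,            -- fully qualified name, no trailing dot
    type  TEXT NOT NULL,            -- A, NS, MX, CNAME, TXT
    value TEXT NOT NULL,            -- IP address, target hostname or text
    prio  INTEGER,                  -- MX distance
    ttl   INTEGER NOT NULL DEFAULT 86400
);
"""

SAMPLE_ROWS = [  # constructed sample zone
    ("example.com", "NS", "ns1.example.com", None, 259200),
    ("ns1.example.com", "A", "192.0.2.53", None, 86400),
    ("www.example.com", "A", "192.0.2.80", None, 3600),
    ("example.com", "MX", "mail.example.com", 10, 86400),
    ("mail.example.com", "A", "192.0.2.25", None, 86400),
    ("ftp.example.com", "CNAME", "www.example.com", None, 3600),
    ("example.com", "TXT", "v=spf1 mx -all", None, 3600),
]


def tinydns_line(name, rtype, value, prio, ttl):
    """Map one DB row to a tinydns-data line.

    Shapes used (tinydns-data documentation):
      .fqdn:ip:x:ttl        NS for fqdn (x with a dot is taken as a hostname;
                            empty ip means no A record is generated for x)
      +fqdn:ip:ttl          A record only
      @fqdn:ip:x:dist:ttl   MX (empty ip: x's own A record supplies it)
      Cfqdn:p:ttl           CNAME
      'fqdn:s:ttl           TXT; a literal colon in s must be escaped as \\072
    """
    if rtype == "NS":
        return f".{name}::{value}:{ttl}"
    if rtype == "A":
        return f"+{name}:{value}:{ttl}"
    if rtype == "MX":
        return f"@{name}::{value}:{prio}:{ttl}"
    if rtype == "CNAME":
        return f"C{name}:{value}:{ttl}"
    if rtype == "TXT":
        escaped = value.replace(":", chr(92) + "072")   # ':' -> '\072'
        return f"'{name}:{escaped}:{ttl}"
    raise ValueError(f"unsupported record type {rtype}")


def dump_zone(conn):
    """Dump every row as a tinydns line; sorting mirrors the 'sort' step in the pipeline."""
    rows = conn.execute("SELECT name, type, value, prio, ttl FROM records").fetchall()
    return sorted(tinydns_line(*row) for row in rows)


def build_sample_data():
    """Load the constructed rows into an in-memory DB and return the data file text."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO records VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return "\n".join(dump_zone(conn)) + "\n"


if __name__ == "__main__":
    print(build_sample_data(), end="")   # pipe this into a file named 'data', then run tinydns-data
```

Because tinydns-data rebuilds data.cdb atomically from the text file, regenerating the whole file from the database on every change is safe; the NS line deliberately leaves the ip field empty so the name server's address comes from its own A record instead of being duplicated.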
iirc, for ip addresses in email, foo@123.123.123.123 is not a valid email address, it should be foo@[123.123.123.123]
Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
Well, it's mostly the same... http://news.google.com/news?q=dns+ddos
What about Distributed Reflection Denial of Service? It would seem like a good tool to generate lots of flood.
You'd be surprised just how large my /etc/hosts file is.
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
Re, "Mail was coming in slowly, servers were appearing to fade in and out of existence..."
Sounds like A Fire Upon the Deep (Vinge, about 1993).
Scary in real life.
Didn't notice anything in North Texas, but at 4:00 pm our time, not much was going on at work, no intense outside connectivity.
Provided you have set up the mail server to handel that email.
Lonely?
Find love on the internet
"At the top of the root server hierarchy is the "A" root server, which every 12 hours generates a critical file"
Come on people... I don't understand how a group of techno-nerds and geek scientists can come up with such a lame name for what seems to be the most important computer to the internet! For goodness sakes, even slashdotters can come up with some clever naming schemes.
For this, UUNET or Verisign, or someone should be taken out back and beaten.
post!
http://story.news.yahoo.com/news?tmpl=story&u=/ap/20021022/ap_wo_en_po/us_internet_attack_1
www.godaddy.com site is not responding. They claim they took down the site to do an update. Update at 6pm PST??! Usually updates and maintenance occur after midnight. Something is going on and they won't admit to it.
Worst... DDOS... attack... ever!
I mean come on!! It is so overrated... I always use numbers instead of letters. It is more simple, there are less numbers than letters so how could it not be more easy? In fact I started just doing all my web browsing using binaries because there are only 2 numbers. Now if I can just get konqueror to respond to
http://1000000.11100.1000011.10010110
ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
See sig below.
Cover your eyes and click this link!
Ethernet is a physical transport, while TCP/IP is a protocol. In fact, TCP (transmission control protocol) sits on top of IP (internet protocol). There is also UDP on top of IP (but no one says UDP/IP that I've ever heard) and ICMP on IP. UDP is for short messages that are sent without creating a link, and ICMP is for things like ping, traceroute, etc. You can create your own protocol and use it on the internet.
You can use any physical layer (ethernet, a modem, a cell phone, wifi, bluetooth, firewire, USB, power lines, etc.) with IP, and similarly you can use many other protocols with Ethernet or any other link, such as IPX, NetBEUI, AppleTalk, etc.
TCP, UDP, and ICMP are tied to IP and won't work with anything else.
Then there are higher level protocols that sit on top of TCP or UDP; for example DNS sits on UDP, while FTP, telnet, gnutella and others sit on TCP. Interestingly, HTTP should work on other protocols as long as you can establish a link between a server and a host on it, and you have software that implements it on these other links.
There's also Ipv6, which is a newer version of IP.
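The layering described above, made concrete as an added example (not code from the thread): a DNS query is wrapped in UDP, which is wrapped in IPv4, which is wrapped in an Ethernet frame, and a parser peels one layer at a time, using each header's "next protocol" field (EtherType, IP protocol number, UDP port) to decide what comes next. The frame is built in memory; the MAC and IP addresses are constructed documentation values.

```python
"""Dissect a constructed Ethernet -> IPv4 -> UDP -> DNS frame one layer at a time.

Added example, not from the thread. Each header names the protocol above it,
which is exactly the "sits on top of" relationship the comment explains.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def build_dns_query_frame():
    """Constructed sample: a DNS A query for www.example.com inside UDP/IPv4/Ethernet."""
    qname = b"".join(bytes([len(l)]) + l for l in b"www.example.com".split(b".")) + b"\x00"
    # DNS header: id, flags (RD set), qdcount, ancount, nscount, arcount; then question
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp_len = 8 + len(dns)
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0) + dns          # checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 53])) + udp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("0066778899aa")  # dst, src MAC (constructed)
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip


def parse_ethernet(frame):
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"dst": mac(dst), "src": mac(src), "ethertype": ethertype}, frame[14:]


def parse_ipv4(data):
    ver_ihl, _tos, total, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes (options possible)
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "ttl": ttl}, data[ihl:total]


def parse_udp(data):
    sport, dport, length, _csum = struct.unpack("!HHHH", data[:8])
    return {"sport": sport, "dport": dport}, data[8:length]


def parse_dns_question(data):
    """Return the first question's name and type from a DNS message (no compression handling)."""
    qdcount = struct.unpack("!H", data[4:6])[0]
    pos, labels = 12, []
    while data[pos]:
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    qtype = struct.unpack("!H", data[pos + 1:pos + 3])[0]
    return {"qdcount": qdcount, "qname": ".".join(labels), "qtype": qtype}


def dissect(frame):
    """Peel the layers in order; each step dispatches on the previous header's 'next' field."""
    layers = {}
    layers["eth"], payload = parse_ethernet(frame)
    if layers["eth"]["ethertype"] != ETHERTYPE_IPV4:
        return layers                               # IPX, AppleTalk, ... would go here
    layers["ip"], payload = parse_ipv4(payload)
    if layers["ip"]["proto"] != IPPROTO_UDP:
        return layers                               # TCP and ICMP need their own parsers
    layers["udp"], payload = parse_udp(payload)
    if 53 in (layers["udp"]["sport"], layers["udp"]["dport"]):
        layers["dns"] = parse_dns_question(payload)
    return layers


if __name__ == "__main__":
    for name, fields in dissect(build_dns_query_frame()).items():
        print(name, fields)
```

Swapping the EtherType or the IP protocol number stops the dissection at that layer, which is the practical meaning of "TCP, UDP and ICMP are tied to IP": nothing above IP can be interpreted until IP has said what it carries.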
Lonely?
Find love on the internet
Slashdot's IP is 832.796.835.918 . Since it hasn't changed from this in the time that I've had the link to it in my sig ( about a month. ), we can safely conclude that IPs don't change because slashdot is a good cross-section of the internet, and poor logic like this is frequently rewarded wit' da K-! PointZz. ;)
+5 Insightful
Cover your eyes and click this link!
obviously this was talking about the machines h4x0red into doing the ddos, not the root servers being ddosed. Or, it was some attempt at sarcasm, ie the root servers obviously are not running an old unpatched NT
Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
(Simpsons Comic Book Store Guy Voice)... "Largest DDOS attack ever"
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
And that's just a little fragment of it. I'm really worried about these guys taking over the internet!!
who's the loon?
GREAT troll. Hats off.
Maybe the purpose of the backdoor in bugbear was to create a zombie army to launch this ddos attack. "Great, Smithers! Another recruit for my ever growing army of the undead."
How ya like dat?
Security experts?
DDOSing 13 root servers all alone is possible? Aaaaw, I think I'm gonna start cracking.
All Hail Discordia. Hail Eris. Fnord.
That is, assuming that you have your local DNS server (if you have one) set to override the TTLs stored with the A records.
I remember reading somewhere about ingress and egress filtering on outer routers. If the ISPs and big providers would do this as many ppl have suggested (even the damn gov) wouldn't that solve most of the problems like this and prevent DDoS from happening as often? Is that how VeriSign was able to stay up during the attack? Just curious....
"an eye for an eye only makes the whole world blind"
Donald Knuth, "The Art of Programming Vol. 1"
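The ingress/egress filtering the question refers to (RFC 2827, "BCP 38"), as an added example and not code from the thread: an edge router that knows which prefixes live behind each interface can drop packets whose source address could not legitimately have arrived there, which is what stops spoofed-source floods from leaving a network. The interface names, prefixes, bogon list and sample packets are all constructed.

```python
"""Source-address (ingress/egress) filtering in the style of RFC 2827 / BCP 38.

Added example, not from the thread. Topology, prefixes and packets are constructed.
"""
import ipaddress

# Constructed topology: "cust" faces our customer network, "upstream" faces the Internet.
ASSIGNED_PREFIXES = {
    "cust": [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8::/32")],
}

# Sources that should never arrive from the Internet side (private, loopback, "this" net).
BOGON_SOURCES = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


def egress_ok(iface, src):
    """Packet arriving from a customer-facing interface: its source must belong to
    a prefix assigned to that interface. Anything else is spoofed and is dropped."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ASSIGNED_PREFIXES.get(iface, []))


def ingress_ok(src):
    """Packet arriving from upstream: the source must not be one of our own prefixes
    (nobody outside may claim to be us) and must not be a bogon."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for nets in ASSIGNED_PREFIXES.values() for net in nets):
        return False
    return not any(addr in net for net in BOGON_SOURCES)


def apply_filters(packets):
    """packets: list of (iface, src, dst). Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        ok = ingress_ok(src) if iface == "upstream" else egress_ok(iface, src)
        (forwarded if ok else dropped).append((iface, src, dst))
    return forwarded, dropped


SAMPLE_PACKETS = [  # constructed
    ("cust", "192.0.2.10", "198.51.100.53"),     # legitimate customer traffic
    ("cust", "203.0.113.99", "198.51.100.53"),   # spoofed source that is not ours -> drop
    ("cust", "198.51.100.53", "198.51.100.53"),  # source forged as the destination -> drop
    ("upstream", "203.0.113.5", "192.0.2.10"),   # normal inbound traffic
    ("upstream", "192.0.2.200", "192.0.2.10"),   # our own prefix arriving from outside -> drop
    ("upstream", "10.1.2.3", "192.0.2.10"),      # RFC 1918 source from outside -> drop
]

if __name__ == "__main__":
    fwd, drp = apply_filters(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:", drp)
```

The check is cheap because a customer edge only needs the short list of prefixes it has assigned; the reason it helps everyone else is that a flood with forged sources cannot get past the first router that applies it, and floods with real sources are traceable.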
If someone could kindly point me to the person or persons who launched this latest DDOS attack, I would certainly appreciate it. I hold the patent on Distributed Denial-Of-Service Attacks By Electronic Means, and I will get my day in court, and royalties due to me.
But, yeah, some of the attacks aren't much different than using a loudspeaker to announce "Free Beer at Victim.com"
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The Priceline Supercomputer would still be running.
http://www.cisco.com/warp/public/707/newsflash.html
Because I use an OpenNIC name server, which loads its own copy of the root zone, I never even noticed that there was a problem.
Another strong vote for distributed name systems.
-Chris
-- This sig is only a test. If this were a real sig it would say something witty. --
I won't post the addresses to avoid slashdotting them, but several of the root-servers have graphs for response-times as well as traffic-levels. On some of the servers, the response-time went up, but on a number of them it went to zero for an hour or so, which I assume means no response rather than infinitely-fast response. Somebody set them up the bomb.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Secondly, Rob Thomas has made an excellent template for securing BIND against all sorts of "stupid user tricks" which can be found here:
http://www.cymru.com/Documents/secure-bind-template.html
Thirdly, quoting Louis Touton saying "We're not aware of any users that were in any way affected." was a serious mistake. ICANN haven't taken any notice of internet users up until now, so why should they start now?
The article went on to say "VeriSign expects that these sort of attacks will happen and VeriSign was prepared," company spokesman Brian O'Shaughnessy said. If you want a likely suspect, try this one - brought to you, of course, by Verisign:
http://www.arabtrust.com/training/courses/hacking/index.html
What has happened is this: There are some people who got in to an argument with me in one of the journals; some of them didn't like the fact that I won the argument against them, so are now trolling me.
Note that they do not mention which test queries return incorrect IP addresses; and also notice the way they make it as personal as possible.
Anyway, I have this testimony that MaraDNS is an excellent piece of code.
Note also that this troll does not have the courage to tell us who they are, since I would promptly put them on my foes list.
I probably should not feed the trolls by replying to this, but feel that I should clear things up for people who are reading this.
Most likely, the above troll was posted by com2kid; he is mentally ill and really needs psychological help.
- Sam (posting anonymously since something like this only needs to be seen by people posting the above link)
The caching nameserver pdnsd does something like this -- if it can't manage to get a new record, it uses the old (stale) copy. So you have a cached copy of Slashdot's NS for a long, long time.
If root DNS went down, you'd have to have Slashdot's DNS move as well.
May we never see th
So simple, the root servers were getting attacked! Yesterday my brother told me Counter Strike's ping was too high, 200ms. I am from Brazil, but for Brazilian CS servers we get 30ms or 50ms. I told him I didn't have any idea why the ping was so high, and now I can't explain! How will I make him understand that "Root DNS Servers for IP address" were getting attacked?
I will just say that our new dog ate a part of the phone's wire.
Buy a Nintendo DS Lite
The outbound queues on our mail server kept backing up as normally available clients couldn't be reached.
If you don't want to repeat the past, stop living in it.
It's probably not Earthlink/Mindspring/Netcom/Borg's best name server, but I memorized it years ago because I had to keep typing in the bloody thing any time I reconfigured Windoze, and when my internet connection wasn't working right the first step was to ping and traceroute the name server to make sure it was behaving.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
That being said, Randall Hyde's antics are legendary. He screams, throws tantrums, is belligerent to students, staff and faculty. He has flunked entire classes, delaying their graduation; instead of teaching course materials he teaches languages *he* invented. Linking to him is kind of like saying, here's a link to the devil's website, he's the devil, but he's got some good points.
But I didn't expect you to know any of that, was just making an observation :) If you'd like to discuss it privately you can shoot an email to my address above.
Religion is a gateway psychosis. -- Dave Foley
Also, some of the press about the attack said it was using ICMP rather than UDP, and it's much easier to go around squashing ICMP than trying to figure out which correctly-formed queries for foo.com are real and which are DDOS.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Are you all nuts? An AC makes an obviously bogus post and it gets +5?
I should post AC that, oh, I don't know. That Stephen King is dead. People would probably buy into that as well.
You really think a legitimate employee would be handing out information on which systems are honeypots? And then bogus pseudo-hacker crap like "the attack calls himself 'Fadaboi'"? Where did that come from?
Christ.
May we never see th
If you wanted to be a bit more democratic about access, you could provide priority service (or push service) to the big ISPs' main servers, and volume-restricted service to the free-use crowd. It's most important that the ~20 Tier 1 ISPs have good copies, because most of the smaller ISPs get connectivity from one or more Tier 1s, so they could get DNS as well.
A fun side-effect of making direct DNS access expensive would be that it would encourage more people to use the alternate root providers, who used to have about 0.5% of the market, except I think some of the cable modem companies were using alternate roots to have more options for selling namespace to their customers.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Yeehaw
;)
Check out this
And you can't create your own protocol and just use it on the internet
I meant at levels above IP. TCP, HTTP and SOAP are all considered 'protocols' despite the fact that they all work on top of each other (although HTTP and SOAP can run on other protocols).
Lonely?
Find love on the internet
Try buying a handgun in canada, you can't.
Only the State obtains its revenue by coercion. - Murray Rothbard
the hierarchical structure of the dns has very poor resilience and needs a replacement: http://www.pdos.lcs.mit.edu/chord/papers/ddns.pdf
Of course, the next attack won't be something dumb like ICMP - they'll try something new, either because they learned a lesson from the people who did this one, or because they suspect they'll get their butts kicked if they try this method. For instance, I'd really rather *not* see the next Outlook Email Virus mail stuff to the root servers, or to randomized non-existent 2LD.COM addresses... I'm sending you this DNS request in order to have your advice
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Those of you who actually took the time to read my essay, "Cyberwar: How Terrorists Could Defeat the U.S., and Why They Won't," (requires Acrobat 5, not 4.) might get a chill running up your backs when you read this. I'm still sticking to my original thesis, however: The Internet won't be brought down by terrorists because corporations and governments need it, and the terrorists serve the interests of corporations and governments. Regardless, I hope this DNS attack isn't a prelude to a bigger operation. Note how they say that it just ran for an hour and then stopped! Note this story, which detailed the creation of attack zombies with P2P capabilities, allowing them to be targeted at will. Also note that a top infrastructure protection analyst was just killed by the Maryland area sniper! And within a couple of days we see the largest DDOS attack on root DNS systems ever!? (Long Pause) Keep a sharp eye out for weirdness, folks, something BIG might be coming down:
Here's what I wrote back on September 14, 2002:
Maybe the terrorists start taking out some or all of the thirteen root domain name server systems (I think there are still 13) or interrupting communications to those root servers [today's DDOS incident]. (Thankfully, a couple of these systems are located in places that have people with guns guarding them.) These root servers are used by thousands of other lower level domain name systems and receive about 300 million requests per day.
Domain name systems are used to translate human readable URLs, like www.cryptogon.com into machine usable IP addresses like 209.115.132.59. There is much concern about the root DNS systems. Many articles on this topic are easily accessible. Much of the concern, however, is focused on hackers DOSsing the root servers. Again, this misses the point.
What is the physical security like at the non-military root DNS facilities?
I've driven by one of the buildings hundreds of times because I used to live near it. It looks just like any other small office building. How long would this place hold up against a few armed terrorists who were willing to die TO BRING DOWN A ROOT DNS NODE? Think about it. The same goes for the data centers mentioned previously. Surely these places should have armed security. But even if they did, are they prepared to stop terrorists who have no intention of ever getting out alive?
Here's what just happened:
The heart of the Internet sustained its largest and most sophisticated attack ever, starting late Monday, according to officials at key online backbone organizations.
Around 5:00 p.m. EDT on Monday, a "distributed denial of service" (DDOS) attack struck the 13 "root servers" that provide the primary roadmap for almost all Internet communications. Despite the scale of the attack, which lasted about an hour, Internet users worldwide were largely unaffected, experts said.
FBI officials would not speculate on who might have planned or carried out the attack.
David Wray, a spokesman for the FBI's National Infrastructure Protection Center (NIPC), said the bureau is "aware of the reports and looking into it."
DDOS attacks overwhelm networks with an onslaught of data until they cannot be used. According to security experts, the incident probably was the result of multiple attacks, in which attackers concentrate the power of many computers against a single network to prevent it from operating.
"This was the largest and most complex DDOS attack ever against the root server system," said a source at one of the organizations responsible for operating the root servers.
The more serious attacks using Windows would be easier to implement with a wetware-propagated Trojan Horse, such as a popular Kazaa-replacement client, or else with Yet Another Windows Outlook Email Virus. I'm sending you this DDOS client in order to have your advice.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I was tearing my hair out trying to figure out why my local DNS was broken. I was in the middle of changing the configuration to not use forwarders anymore when this happened. I thought my setup was broken for quite some time!!! Lots of timeouts, lots of domain names unresolvable.
Today it's all better.
Just my luck.
What really sucks about this is the people that bitch about "not having their Internet" are the ones potentially causing the problem with unprotected computers. We know nothing this massive could be caused without some kind of trojaned DDoS network, and the way those get propagated is through ignorant users.
No sig for you. YOU GET NO SIG!
The people that did this are only hurting themselves in the long run, because I would bet a majority of their lives are spent on the internet. If their main goal is to bring down the internet, what are these 13 year old boys going to do when they succeed?
There's no "I" in Linux.. err..
EMP-Bomb
I didn't know Mr. T had his own grapher!
Can someone tell me why the oh so mighty FBI had a comment in that article? I mean it's the Internet, it's not owned by the US (well... hmmm no it's not... I think). If the FBI has anything to say in that case, so do the Mounties, and huh the Croatian Secret Service. Blah. me is rantin again. But still. I'd like to know why the FBI is a reference in that case. Shouldn't they come up with an Int'l 'net Police or something?
Well, I was an admin at UCR's CS department, and a student (graduate) at one point.
Mr Hyde IS a bit strident, to be sure, and he did personally tell me once (when I had to go fix something wrong with the web server that at the time hosted AoA) that system administrators were simply the janitors of the internet, and hardly real computer scientists, but for the most part, I found him reasonable to get along with, certainly on-par-with/better-than your average professor.
Of course, I do remember some of his "flunking large numbers of students" occurrences. On the brighter side, he usually did (at the time at least) let students work over the summer to complete the course.
I took the undergraduate compiler class from him (since I never took a compiler class at UCLA) and I really do feel I learned a lot in that class.
Of course not, dodo -- it's AOL. Don't you read the ads?
So give them the correct answer the first time and bullshit thereafter. If they can't learn, they won't know the difference.
Cool, I was an admin for EE :)
Religion is a gateway psychosis. -- Dave Foley
which came first, the chicken or the egg?
Those that survived were running DJBDNS (ok, stupid troll)
{{.sig}}
Because of gross insecurities in Windows, the internet is now under a real threat. When the net finally crashes, it will doubtless be due to Microsoft leaving security holes you can drive Mack trucks through.
This brings a whole new dimension to linux and free software advocacy. "Use free software, or see the net we love disappear!" could be our new slogan.
The radical sect of Islam would either see you dead or "reverted" to Islam.
I don't know, this reminds me of an article I read about a group called Fluffy Bunny.
Obligatory link: Fluffy Bunny No Longer Energized
I just sent an e-mail to my work e-mail account.
By the way - does anyone know, on what kind of Hardware and/or Software these DNS servers are running?
Could a single powerful server (a Sun Fire 15k or something similar) theoretically do the job?
Apparently I made a mistake in my named.conf file...
Code, Hardware, stuff like that.
1. every DNS zone (including the . root zone) has a TTL (time to live) - the amount of time you are allowed to keep the results of a query. The idea being that if a server looks up a zone e.g. foobar.com it doesn't have to look again until the TTL runs out. This is typically about 24 hours for an average .com domain (but can be set to whatever the controller of the domain's DNS likes)
2. The TTL of the . root zone is* 6 months. This means an ISP's server only has to recheck a top level domain (.org, .com, .net) every 6 months. This means that if all the top level DNS servers were out for say a day, then 99% of the other servers out there wouldn't even notice, as they wouldn't need to query the roots for on average another 3 months. Sure, if the root servers were down for longer, the TTL would run out on more and more DNS servers, but in principle the root servers would have to be down for a sustained time to start to significantly affect the Internet's DNS.
* - the TTL of the root domains at the moment has been changed to 3 hours, presumably as they are changing the top level infrastructure and need to have the change propagate quickly.
3. this is why all ISPs who have correctly setup DNS servers would not have noticed anything. If you run your own DNS server on your home box, and don't run it all the time, you'll be checking the root servers the first time you do a DNS query when you switch your machine on; so would probably notice something. Lesson - use your ISP's DNS server to resolve domains!
" To steal ideas from one person is plagiarism; to steal from many is research. "
The alternative is to use a set of name-servers that isn't part of root-servers.net, then. Partly you gain in reliability through using them as forwarders for existing TLDs, but you also stand to gain your own TLDs as well.
:)
Can't say *I* noticed any DNS problems on the colo server or at home yesterday...
Whatever happened to TRNS and friends?
~Tim
--
Rushing on down to the circle of the turn
Good admins send out information to their users in a way that can be used by them. They pre-answer all the common questions--what, why, when, how long, and how will this make my life better ... and in _advance_ of downtime. Should an unexpected outage occur, they spend only a few minutes determining what went wrong before getting out a message (e-mail or not) saying they are aware of the problem and are working on it. Again, answering quickly the same set of questions ... especially what else can be expected to be down.
On the other hand, bad admins consider themselves more important than all others. They serve only themselves and don't understand that they are part of a support organization. Basically, they don't do anything the good admins do ... or only part of it and claim they did all they could. Their goal is to claim superiority.
By the way, since this will get modded down as off-topic, remember that the original post should be modded down as flamebait.
--- Jason Olshefsky
Karma: Poser (mostly affected by adding this line long after everyone else did)
/rant on
IT support is supposed to be a service whereby the customer is provided with help so that they can use their computers productively.
Not an occupation which is closely modeled on the activities of Nazi doctors using their power and knowledge to torture and abuse people in the pursuit of their own interests.
Notice the difference between the two occupations?
The user may be stupid but if you or the department you work for is unable to help that user then it is you and your department who has failed.
Making a joke of ignorance is fine between experts as part of the recognition that you and your colleagues share the same burden - "blah blah blah hadn't switched the power on.. ha ha ha" But that doesn't mean that you are excused from having patience and being professional.
If you want to be taken seriously then start acting seriously. I don't notice medical doctors getting bored with their patients and for a joke amputating a leg instead of an ingrowing toenail because the patient was too stupid to cut their nails correctly and wear the right footwear. Likewise your user may be stupid but you are never going to get paid diddly squat unless they think your service is worth more than the sh*t wages most so called IS departments think they can get away with.
rant off/
Facts are history now plebs have politics for religion on social media.
The DNS is built so that eight (8) or more of the world's 13 root servers must fail before ordinary Internet users start to see slowdowns.
Well, if '4 or 5' of the servers weren't affected doesn't that mean that 9 or 8 of the servers were affected; therefore, the attack, it could be argued, was a success.
I'll let the reader do their own math.
"In a related story, the Washington Post servers were hit by a huge number of requests for a specific page today. Obviously a DDOS attack from computers around the world."
I really don't know if it's possible to do but wouldn't it make sense to have more than thirteen servers. I mean 13 for the whole net is not many. There should probably be 100. You could have 13 still and have the rest not active and hidden or something and they only come online when another goes down. I wouldn't have any idea how to even start to think about doing this but you know it makes sense.
-- Karma Karma Karma Karma, Karma Chameleon - Boy George
Thank god I memorized the slashdot IP
It was 500,000 people downloading patches for Planes of Power.
You're kidding me, right?
Everybody and their mother's ISP has their own DNS server anyway. Just because the root node servers take a whacking for a day doesn't mean shit. That is the beauty of the internet. Even the "centralized" services really aren't that centralized...
Yes Francis, the world has gone crazy.
May be redundant, but it's now on Yahoo! News.
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
In spite of the responses by UUNet and others that sounded like claims that they gained control internally and ended the attack, chances are the attackers stopped it intentionally after they themselves detected tracking attempts by their victims.
UUNet/MCI has known that its network has hidden vulnerabilities since July of this year when I contacted them about similar symptoms on their customers' networks, and that there was a fix. The US House and Senate Armed Services Committees were contacted over a month ago about this issue in light of the obvious national security implications. MCI's Legal Department knew, in their words, 'that their network had these problems' and that it was a matter of time before this happened but so far have refused to negotiate for my help to show them how to fix their net's probs claiming they were working on it 'internally.'
Moderation in All Things... Especially Moderation - gurutc
Westwood Chiropractic 4711 Mission Rd. - Westwood, KS (sub. of Kansas City), Tel: (913) 432-5678 Good enough for a lot of professional athletes, and they straightened me up after my car wreck.
But I don't think they can fix uunet.
Thanks for the address! Now, if we just get all of us /.ers to visit their offices, we can physically DoS them! (thinking of the legions of /. all trying to get through the doorway at once, Three Stooges-style)
-T
So, is there any writeup of a technical breakdown of this DDoS? I.E. If I want to monitor my outbound links to see if any of my customers are inadvertently participating in this, what is the Snort signature I would use?
Dan
This was the first intelligent comment for this story. The root DNS servers are definitely NOT the backbone of the internet.
I control the time!
I'd have to agree with you on that!
I have a number of friends working in the field of physical therapy and they consider chiropractors as a threat to public health. The PTs tell horror stories about people who've been going to chiropractors for years and being "adjusted" rather than talking to a Dr. who can refer them to a PT who will help them fix the problem (through exercise and stretching)
I had some knee problems and talked to a good friend of mine.. She spent 5 minutes diagnosing the problem (an imbalance in the strength of the muscles on each side of my thigh causing the kneecap to slide across the knee as well as along it).. She told me to buy a new pair of shoes because the soles on my current pair were worn unevenly and that was probably the cause of the problem. Then she recommended a few exercises and some stretching techniques.. After a few weeks, my knee felt great and I haven't felt any pain in 2-3 months..
There was an episode of Urkle where that happened to him. Pretty funny, that guy always was. Arthur Ketcham "Infinity is composed of infinite amounts of infinity."
Patent: from Latin patere, to be open
is responsible for this DDOS attack? :)
-- p
MOD PARENT UP
According to Headline News, 5 or 6 of the internet's World Wide Web servers were attacked...
Man, I never realized how important my apache server was...
--WooooHoooo--
>I don't notice medical doctors getting bored with their patients and for a joke amputating a leg instead of an ingrowing toenail because the patient was too stupid to cut their nails correctly and wear the right footwear.
But you do notice that if you constantly harm yourself after being told something is bad for you that you end up in a psychiatric ward.
Let's put it this way: If you owned a car and didn't put oil in it, blew up the engine, and were told you need to put oil in the next car, but didn't and blew that one up too, the entire world would laugh at you. Especially the mechanic. And if it were a company mechanic, and not Midas mufflers, so he isn't getting paid by the job, don't expect the car to get fixed anytime soon. In fact, expect your boss to call you an idiot.
For some reason, in the world of computers, it doesn't work like this. If you consistently break your computer in the same way in an office, the boss isn't likely to call you a moron, and you're still going to get it fixed as fast as the first time. Maybe calling that person an idiot is what needs to happen to get these users to respect their computers. Whatever is happening now sure isn't working.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
You're assuming a few things that you don't acknowledge:
These are not always true. I always configure myself, and my customers, to use their own Linux box running dnscache to query and cache DNS requests because it is fast, secure, and uses a stable memory size. Relying on my ISP for DNS service is solely a backup plan (your OS does allow you to specify backup DNS servers, right?), regular resolution is done by each machine's copy of dnscache.
- Michael T. Babcock (Yes, I blog)
(+1, Insightful)
Mod this up!
no comments.
Cover your eyes and click this link!
1. blip: Recruit: But sir, what good is a knife gonna do you when we can just drop a couple of tactical nukes on 'em? Sgt. Zimm: Son, stand over there... keep going... stop! *Thwap* Sgt. Zimm: What good is a nuke if your hand is broke. Medic!
Maybe I'm just being paranoid, but to me this seems like it's a probing attack. Now that the attack is done, they know exactly what they need to do to kill the servers:
Go a little bigger and have it last 12+ hours.
Now that would start some serious problems.
This just isn't true. IP is theoretically more tied to TCP/UDP/ICMP/IGMP than TCP is to IP. The fact that TCP traditionally uses IP is just precedent.
If you don't believe me, have a look at the protocol definitions, or if you're not into doing a pile of reading, just look at the headers. IP has a field in its header which specifies the overlying transport protocol (TCP is 6, UDP is 17... and there's many more defined) where TCP doesn't even care what its delivery (network layer, whatever you want to call it) is.
Realistically, you only get to communicate with other computers that use the same protocol at the same layer as the one you use, which means that we generally all run close to identical network stacks, but there certainly isn't any requirement.
If I were to build my own network that ignored IP, used TCP, I'd be welcome to do it.
Anyone think that this may be related to the Linux.Slapper worm that was reported last month?
I suppose this could be a coincidence that slapper was so widely spread and had DDOS code in it, too.
Karma: Excellent (Mainly due to Bill & Ted's Karma Adventure)
Patience and professionalism is a must in IT support. You wouldn't last long without it. I am not sure how your analogy applies. Some users are too stupid to understand the problem they are having, and I am guilty of not trying to explain it to them (just fixing it and then feeding them BS), but I don't take things (legs) away from them if they can't operate it properly. What frustrates me is the people that can't perform their job without calling IT support at least once a day, often about the same problem that has been carefully explained to them numerous times. These people shouldn't have jobs...but I suppose I wouldn't have a job if it wasn't for them.
EBAY Will make a pile of money selling IP addresses that are easy to remember like this:
11.11.11.11
22.22.22.22
Or ARIN or RIPE...
I class this attack as very serious because an attacker proved that in 1 hour they could take out enough root servers for us to believe that they could do it again, probably for a longer period, and take out all the root servers. And from there there is no reason that they couldn't think about the next layer down. Kill enough and the internet effectively breaks for most people.
So I ask a question: What changes can we make to the infrastructure to:
a. Make DOS attacks very much more difficult?
b. DNS to make it much more robust to attack?
I thought I would make some suggestions in a separate comment.
a. DOS attacks
1. We could make DOS attacks very much more difficult if we used more secure systems. Perhaps the law could be used to mandate a particular level of OS security.
2. We could make them very much more difficult if there was a Trusted Computing. However, for this to be accepted it would have to be an open system.
3. We could make DOS attacks more difficult if ISPs used profiling software to try to determine if a DDOS was happening with outgoing packets from their network. Such software would block suspected DOS packets.
b. DNS
1. A decentralised system would be harder to DDOS, but it's also hard to see how a hierarchical system can also be decentralised; we want one namespace, but we want each subspace to be multihomed, but we don't want clashes. Perhaps this is possible if naming is delegated and crypto checkable, to see who is genuine and who is fake.
2. Run lots more caching.
What other ideas? And are there people taking these forward already?
Jeff Veit
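Editor's added example, not code from any poster: both the question above about monitoring outbound links for customers taking part in the flood and the suggestion that ISPs profile their own outgoing packets come down to the same check, done on flow records rather than with a packet signature. The script below runs that check over a handful of constructed flow lines. The customer prefix, the watched destination addresses (documentation ranges standing in for the real root-server addresses) and the rate threshold are all assumptions; it flags a customer host that sends an abnormal packet rate toward the watched hosts, and separately flags packets leaving the network with a source address the ISP does not own, which is the BCP 38 egress-filtering case.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholders: the ISP's own customer prefix and the
# destinations to watch. 192.0.2.0/24 is a documentation range standing
# in for the root-server addresses, not the real ones.
OUR_PREFIXES = [ipaddress.ip_network('10.20.0.0/16')]
WATCHED = {ipaddress.ip_address(a) for a in ('192.0.2.4', '192.0.2.10', '192.0.2.13')}
WINDOW = 60          # seconds per counting window
PPS_THRESHOLD = 50   # packets/second toward watched hosts, per source (assumed)

# Constructed flow records in the form "<unix_ts> <src> <dst> <proto> <packets>".
SAMPLE_FLOWS = """\
1034000000 10.20.5.7 192.0.2.4 icmp 4000
1034000010 10.20.5.7 192.0.2.10 icmp 3800
1034000020 10.20.9.1 198.51.100.20 tcp 30
1034000030 10.20.7.2 192.0.2.13 udp 12
1034000040 172.16.0.9 192.0.2.4 icmp 6000
1034000050 10.20.5.7 192.0.2.13 icmp 3500
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, proto, packets) from the flow text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, pkts = line.split()
        yield int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(pkts)


def find_ddos_sources(text):
    """Return {'flooders': {src: peak_pps}, 'spoofed': [src, ...]}.

    flooders: customer hosts whose packet rate toward WATCHED in any one
              window reached PPS_THRESHOLD (peak rate reported).
    spoofed:  source addresses outside OUR_PREFIXES seen leaving the
              network, which should never happen with BCP 38 filtering."""
    per_window = defaultdict(lambda: defaultdict(int))   # window -> src -> packets
    spoofed = set()
    for ts, src, dst, proto, pkts in parse_flows(text):
        if not any(src in prefix for prefix in OUR_PREFIXES):
            spoofed.add(str(src))
            continue
        if dst in WATCHED:
            per_window[ts // WINDOW][src] += pkts
    flooders = {}
    for counts in per_window.values():
        for src, pkts in counts.items():
            pps = pkts / WINDOW
            if pps >= PPS_THRESHOLD:
                flooders[str(src)] = max(pps, flooders.get(str(src), 0.0))
    return {'flooders': flooders, 'spoofed': sorted(spoofed)}


if __name__ == '__main__':
    report = find_ddos_sources(SAMPLE_FLOWS)
    for src, pps in report['flooders'].items():
        print(f'flood suspect {src}: peak {pps:.0f} pkt/s toward watched hosts')
    for src in report['spoofed']:
        print(f'spoofed source leaving our network: {src}')
```

A per-source rate over a time window is a flow-collector job; a single packet signature has no state to express "this host has sent more than N packets to these destinations in the last minute". The spoofed-source check is the cheaper and more important one to run permanently: a network that drops packets with foreign source addresses at its edge cannot be used for spoofed floods at all, whatever the target.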
I prefer the 'Sunspots' explanation. BOFH rules!
If all you have is a hammer, everything looks like a nail.
In case you didn't notice it, IEEE Spectrum published last December an article about the 13 servers and a possible attack against them.
Yes, a pure coincidence.
CapHaddock, from Spain.
http://www.opennic.unrated.net/
democratic namespace.
born from a thread on kuro5hin.
Collecting data is only the first step toward wisdom. But sharing data is the first step toward community
I agree, you make a fair point about timewasters who are absorbing too much of your valuable resource. I don't know how the medical profession deals with hypochondriacs but I guess they have found some way. On reflection I do know how they do it - they hired my mom as receptionist, try getting an appointment out of her with your third cold in two weeks :-)
There are still people around who don't understand computers, this problem will go away when they are all dead and Microsoft windows 2040 actually replaces most humans in the workplace.
However I would rather be living around now at the dawn of the computer revolution when I understand them better than they understand me, especially as there are plenty of people who have some respect for my skills.
I'm not looking forward to retraining as a basket weaver in 2039....
washingtonpost.com reports that hours after the root-server attack ended, a second DDOS attack occurred targeting name servers. No proof that attacks were perpetrated by same person(s), but similarities abound.
"Except that I could not see how to get the record serving and caching DNS on the same IP address since they both run on UDP 53."
Read what I wrote. You have TinyDNS running on 127.0.0.1, and have dnscache on your public IP. Then you have your DNSCache refer to your 127.0.0.1 for every query relating to your domains.
But you should understand that is a dumb way of having your DNS setup anyways. For networks that need DNS resolution, only cached queries matter. For sending out requests for domains you have authority over, you want to be using the latest DB dumps anyways. There is no excuse for having two opposed functions on one server, but djbdns does not prohibit this bizarre configuration.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
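Editor's added example, not the poster's own configuration: the reply above describes the djbdns layout in file terms, so here it is written out. dnscache decides where to send queries for a name by looking for a file named after the zone under root/servers, so a root/servers/example.com file containing 127.0.0.1 is all that routes your own zone to the local tinydns. The public address, the client prefix and the zone name are placeholders; the script only writes the configuration files into a directory you name and checks them, it does not install or start the services (dnscache-conf and tinydns-conf create the full service directories in a real deployment).

```sh
#!/bin/sh
# Lay out the split setup: tinydns authoritative on 127.0.0.1 only,
# dnscache on the public address, queries for our zone sent to loopback.
# All addresses and the zone are placeholders for illustration.

write_split_dns_layout() {
    base=$1; public_ip=$2; zone=$3
    mkdir -p "$base/tinydns/env" "$base/dnscache/env" \
             "$base/dnscache/root/servers" "$base/dnscache/root/ip"
    # tinydns binds only loopback, so it never contends with dnscache
    # for UDP 53 on the public address.
    printf '127.0.0.1\n' > "$base/tinydns/env/IP"
    # dnscache binds the public address and answers only clients whose
    # address matches a file under root/ip ("10" matches 10.*.*.*).
    printf '%s\n' "$public_ip" > "$base/dnscache/env/IP"
    touch "$base/dnscache/root/ip/10"
    # Queries for our own zone go to the local tinydns instead of the
    # Internet: root/servers/<zone> lists the servers to ask for <zone>.
    printf '127.0.0.1\n' > "$base/dnscache/root/servers/$zone"
}

# Sanity check a layout written by the function above; returns 0 if the
# two daemons bind different addresses and the zone is routed to loopback.
check_split_dns_layout() {
    base=$1; zone=$2
    [ "$(cat "$base/tinydns/env/IP")" = 127.0.0.1 ] || return 1
    [ "$(cat "$base/dnscache/env/IP")" != 127.0.0.1 ] || return 1
    [ "$(cat "$base/dnscache/root/servers/$zone")" = 127.0.0.1 ] || return 1
    return 0
}
```

Usage: `write_split_dns_layout /tmp/dns 203.0.113.10 example.com` followed by `check_split_dns_layout /tmp/dns example.com`. The same root/servers mechanism is how you would point dnscache at a private set of servers for any zone, which is also what makes it easy to get the two roles tangled on one box as the reply warns.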
in theory, even if ALL the root servers went out ...or at least it should... i mean a smattering of repairable brownouts would occur very slowly. that's all.
the TTL'd keep the internet alive for a few days
and all you need is 1 working - each 1 can handle the whole load.... and it's not like we add new TLD's every day.
** the real weakness are the gtld servers not the root **
they handle 20 times more queries than the root - and are responsible for all COM/NET/ORG
you would only have to take out half the GTLD servers for about 6 hours to cause major outages across the world.
the root may be a fun target - but really - there's no comparison in damage done
no one really felt this DOS attack - because the DNS n00bs - who executed it - picked the wrong target
my guess is it's an inside job designed to scare vrsn into making changes to their DNS architecture
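Editor's added example, not code from any poster: the earlier three-point explanation of TTLs (a resolver only goes back to the root when its cached referral for a TLD has expired) and the post above (the gTLD servers, not the root, are where a long outage bites) make the same argument, so one model serves both. The toy resolver below caches three things per name: the TLD referral learned from the root, the zone referral learned from the gTLD servers, and the host record itself. It then measures how many lookups fail across a population of resolvers whose caches were last refreshed at different times, while either the root or the gTLD servers are unreachable for a day. The 6-month and 3-hour root figures are the ones quoted in the thread; the 2-day gTLD referral TTL, the 24-hour host TTL, the single queried name and the outage length are assumptions of the model.

```python
from dataclasses import dataclass, field

HOUR = 3600
DAY = 24 * HOUR

# TTLs in seconds. The first two are the figures quoted in the thread for
# the root's referrals (6 months, later cut to 3 hours); the gTLD referral
# and host record TTLs are assumptions for the model.
ROOT_REFERRAL_TTL_OLD = 180 * DAY
ROOT_REFERRAL_TTL_NEW = 3 * HOUR
GTLD_REFERRAL_TTL = 2 * DAY
HOST_TTL = DAY


@dataclass
class Resolver:
    """A caching resolver reduced to three cache entries per name: the
    TLD referral (from the root), the zone referral (from the gTLD
    servers) and the host record (from the zone's own servers)."""
    root_ttl: int
    cache: dict = field(default_factory=dict)   # key -> expiry time (s)

    def fresh(self, key, now):
        expiry = self.cache.get(key)
        return expiry is not None and expiry > now

    def resolve(self, name, now, root_up=True, gtld_up=True):
        """Return 'hit', 'miss', 'fail:root' or 'fail:gtld'."""
        labels = name.split('.')
        tld, zone = labels[-1], '.'.join(labels[-2:])
        if self.fresh(name, now):
            return 'hit'
        if not self.fresh('NS:' + zone, now):
            if not self.fresh('NS:' + tld, now):
                if not root_up:
                    return 'fail:root'   # only the root can say where the TLD lives
                self.cache['NS:' + tld] = now + self.root_ttl
            if not gtld_up:
                return 'fail:gtld'       # only the gTLD servers know the zone's servers
            self.cache['NS:' + zone] = now + GTLD_REFERRAL_TTL
        # The zone's own authoritative servers are assumed reachable throughout.
        self.cache[name] = now + HOST_TTL
        return 'miss'


def failure_rate(outage, root_ttl, outage_hours=24, resolvers=100,
                 name='www.example.com'):
    """Fraction of hourly lookups of `name` that fail across a population of
    resolvers while the root servers ('root') or the gTLD servers ('gtld')
    are unreachable for `outage_hours`. Resolver i last refreshed its cache
    i hours before the outage began, so the population covers the whole
    range of cache ages."""
    pool = []
    for i in range(resolvers):
        r = Resolver(root_ttl)
        r.resolve(name, -i * HOUR)      # warm the cache i hours before t=0
        pool.append(r)
    failures = total = 0
    for h in range(outage_hours):
        now = h * HOUR
        for r in pool:
            result = r.resolve(name, now,
                               root_up=(outage != 'root'),
                               gtld_up=(outage != 'gtld'))
            failures += result.startswith('fail')
            total += 1
    return failures / total


if __name__ == '__main__':
    for label, ttl in (('6-month root TTL', ROOT_REFERRAL_TTL_OLD),
                       ('3-hour root TTL', ROOT_REFERRAL_TTL_NEW)):
        print(f'{label}: root outage -> {failure_rate("root", ttl):.0%} of lookups fail, '
              f'gTLD outage -> {failure_rate("gtld", ttl):.0%} of lookups fail')
```

With the 6-month root referral TTL a one-day root outage produces no failures at all in this model, while a one-day gTLD outage fails every lookup from resolvers whose zone referral had already aged out, which is the poster's point about where the damage would be. Cutting the root TTL to 3 hours makes the root outage look as bad as the gTLD one here, but the model queries a single name, so it overstates that case: a busy resolver refreshes its .com referral on the first lookup of any new .com zone, and so keeps it fresh as long as the root answers at all.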
Or you or I must yield up his life to Ahrimanes. I would rather it were you.
I should have no hesitation in sacrificing my own life to spare yours, but
we take stock next week, and it would not be fair on the company.
-- J. Wellington Wells
- this post brought to you by the Automated Last Post Generator...
If there is a possibility of several things going wrong,
the one that will cause the most damage will be the one to go wrong.
If you perceive that there are four possible ways in which a procedure
can go wrong, and circumvent these, then a fifth way will promptly develop.