Slashdot Mirror
Internet Backbone DDOS "Largest Ever"
wontonenigma writes "It seems that yesterday the root servers of the internet were attacked in a massive Distributed DoS manner. I mean jeeze, only 4 or 5 out of 13 survived according to the WashPost. Check out the orignal Washington Post Article here."
If the servers can withstand the attack without going compleatly down, I guess they know they did something right.
Article:
"Despite the scale of the attack, which lasted about an hour, Internet users worldwide were largely unaffected, experts said."
All I can say is that if you think of this as a test, I'm happy it passed.
(Insert joke about Beowulf cluster of DDOS attacks / the servers ability to withstand the slashdot effect.)
the servers themselves. I am not an expert but surely these servers connect to the net through some sort of router/hub whatever. The servers are made to handle a lot of traffic but what about the connecting hardware. If the routers were attacked directly wouldn't the DDOS attack still be succesful without touching or alerting the dns servers themselves.
Also I doubt that the routers are setup to recognize any kind of attack as they are just relays between the net and the server. Possibly the attack could go on for quite some time before any one realized what was going on.
As I said I am not an expert could some-one enlighten me?
"when uunet or at&t takes many customers out for many hours, it's not a problem
With something like the root nameservers, if it was an important attack, you would have noticed. I run an ISP and we had zero complaints, even from the Everquest whiners who complain at the drop of a hat about anything.when an attack happens that was generally not even perceived by the users, it's a major disaster
i love the press"
I'm pretty sure they mean that UUNet handles about half of the net traffic in the world, not those two servers.
I'd love to see a breakdown of what networks the attacks came from and what the OS distribution was... pie charts optional.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
FWIW, I did see massive problems. I had done a Google search for mountain bikes, and only 1 in 5 sites would resolve. I popped open a terminal window to cross-check some of the failing queries against a different nameserver, and nslookup/dig would hang or timeout on the ones that Mozilla had a problem with. Very annoying, to say the least.
Twenty minutes later, though, everything seemed fine, and the sites that wouldn't resolve earlier finally did. I wondered if something... erm.. unusual was going on, and it looks like there was...
As always, your mileage will undoubtedly vary...
Where the value of X-Mailer: is the true measure of a man...
Here in the UK I certainly felt it. I was running traces and pinging well-known sites, reconnecting and I *almost* called my ISP asking them what the hell was going on. Mail was coming in slowly, servers were appearing to fade in and out of existence... it sucked.
Any other comparisons from around the world?
I doubt the root servers run on Windows.
And *nix systems are infinitely more scriptable, so I think it's more likely those were used for the attack (if I remember correctly, unsecured Linux where used for the big DDOS attacks on Yahoo and Ebay etc some years ago).
Je ne parle pas francais.
Err, replying to myself.. Anyway, look at this: ICMP filtered during the attack for some, and it doesn't look as bad as it sounds.
have you been defaced today?
Quite often, in fact. I only visit a few sites daily (Slashdot, El Reg, and the rest) and my box caches the domain names, therefore I never touch DNS. Couple that with leaving my computer on 24/7, and I have effectively eliminated egress DNS traffic.
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
doesnt have to be your own ISPs DNS servers though right? I have been using earthlink's for about 3 years though have not been a customer of theirs...
Likewise the ISPs who carried these people should also be punished.
one possible punishment is to have your IP blacklisted for a month. Or maybe just have your Domain Name removed from the top level DNS for a month.
Sure that would suck, but punishment is supposed to suck.
Some drink at the fountain of knowledge. Others just gargle.
Disclaimer, I work for VeriSign. This is a personal opinion, not company policy. The details of the disaster recovery scheme are of course confidential. However I can tell people that we did think about these issues during the design. We have always known that people might think the DNS was a single physical point of failure for the internet. That is why we designed it so that it is not.
There are multiple locations. The 'A root' is NOT a single machine. There are actually multiple instances of the A root with multiple levels of hotswap capability.
Incidentally it is no accident that the VeriSign root servers stayed up. They were designed to handle loads way beyond normal load. The ATLAS cluster is reported to handle 6 billion transactions a day with a capacity very substantially in excess of that.
Even if all the A roots were physically destroyed the roots can be reconstructed at other locations. Basically all that is needed is a site with a very fast internet connection. In the case of a major terrorist attack AOL or UUNet or even an ARPAnet node could be comandered. The root could even be moved out of the country entirely, British Telecom is a VeriSign affiliate, there are also several other affiliates with nuclear hardened bunkers.
Most Americans have only been thinking about terrorism since 9-11. VeriSign security was largely designed by people who thought about terrorism professionaly, unless of course they were in charge of securing nuclear warheads.
All a terrorist could do is to kill a lot of people, there is absolutely no single point of failure. Even if the entire constellation is destroyed it would result in an outage of no more than a day given the resources that would become available in the aftermath.
Yes, IP is more important than DNS. But is Ethernet more important than TCP?
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
To equate, in a round about
way, concern with terrorism with Genocide or
Mc Carthyism is silly. Your style of thinking
is perhaps more susceptible to some moral crime.
BTW, I live in DC. I actually do think we need
to suspend our concerns with "offending somebody"
or "behaving unpolitically correct" and crack down.
We must stand up to evil and if it means
outraging an ACLU lawyer, then so be it.
It's better to live in a free society that
must occassionaly be brutal and unfair than to lapse into
a tyranny. Witness the well meanging Russian,
French and Iranian revolutions. The war
against Terror has just begun.
The question stands: Is it a coordinated
terrorist attack?
piddly and unintelligent
Fine, so the attack was unintelligent. What will happen when someone attacks MAJORLY and INTELLIGENTLY?
This gets my panties in a knot. A piddly attack brought down 65% of the root name servers! A good attack would have brought them all down! That doesn't that worry you?
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
HACZBY : FADABOI
CORPZ : MVDOMIZN HELLO TO KOTARI ON UNDERNET
Well, this shouldn't take the FBI long. A quick Google search shows that Undernet's Kotari owns the domain www.kotari.com, which he's recently taken down but still shows whois records..
--
Mod up a post Rob doesn't like and you'll never mod again
Alright man, I got +! KARMA and +& REPLIES. Who'se !Smart now?
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
Why?
It's really easy to setup a system which dumps your SQL database out to a TinyDNS file. TinyDNS is provably secure software. I would expect that you would use it on the root servers, since it's designed to work at very high levels of output/uptime, and be attack resistant to the point of being attack proof.
Say what you will about D. J. Bernstein, he does have a very capable DNS solution available.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
That be funnier if it didn't really happen...all the time. I work at a University and I get at least one call a day: "Is the server down?" There are many many servers on campus and it is (almost) never the server causing the problem. Users wank up their software configuration and then blame it on "the server" instead of their own ignorance (notice I didn't say stupidity, I said ignorance. many of these people are very intelligent...just in fields without a technical basis). Some basic user education on the technology that is an integral part of their jobs could go a long way.
FoundNews.com - get paid to blog.,
For the most common 2LD names, any major ISP will have cached the addresses for them, and won't need to hit the .com server until the typical 1-week or 24-hour cache timeout periods. If your nameserver is ns.bigisp.net, somebody there will have looked up google.com in the last 2 seconds, even though nobody at your ISP has looked up really-obscure-domain.com this week - but even that one may be in the cache because some spammer was out harvesting addresses. An obvious scaling/redundancy play for the root servers and for the major ISPs would be to have them cache full copies of the root server domains to keep down the load and reduce dependency. It's not really that much data - 10 million domains averaging 30 characters for name and IP addresses is only half a CD-ROM. An interesting alternative trick would be for the Tier 1 ISPs to have some back-door access to root-level servers for recursive querying.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Comment removed based on user account deletion
Until your favorite website's IP address changes. Then you're screwed. I mean you can always "find" an IP address, you just route to it.
At a hosting company for example, let's say they have two class Cs 1.2.3.0/24 and 4.5.6.0/24, now let's say the first one is used for webhosting and the second one is used for other company services. Okay, great, except they decide to restructure. Now www.knittingforoldladies.com used to be 1.2.3.4, and Granny bookmarked it and her browser oh-so-intelligently caches the IP. Except now the company restructures, and www.knittingforoldladies.com is now 4.5.6.7. 1.2.3.4 is now some other random customer website. Oh, crap, what happened to the knitting? Sure, the browser could check and note that the connection it has made does not respond for 'knittingforoldladies.com', but why even go that far? DNS is meant to provide access to a rapidly changeable hierarchial database of names which map to addresses. Doing bogus cacheing on the client end for any length of time is not sane.
"question = (to) ? be : !be;" --Shakespeare
Um, there is if you run BIND, considering its appalling security record.
Female Prison Rape in NY
Most good routers are designed to have the ability (if you enable it) to look inside of the packets
Hmmm, last I looked at the Cisco feature set (or the like from Foundry and Nortel and what have you), it was a challenge to put in rules that
a) didn't take out significant "good" traffic, and
b) did take out significant "bad" traffic.
I agree that rate limiting ICMP traffic is an appropriate answer, especially in the light of this particular attack, but I'm appalled by the number of illitarate dorks who copy snippets titled "how to block all ICMP" from a textbook into their firewall without the slightest understanding of why ICMP was implemented in the first place.
I hate to think of what could happen if the 31334 hackers really start mixing attacks.
I positively _love_ wd40, but I will not apply it to reduce the squeeking of my cars brakes. Too many people use the Internet equivalent of WD40 on their network brakes.
Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
In the world of Winblows users and Linux newbies, you don't have to have the most secure machine in the world, it just has to be more secure than 50% of the machines in the world.
It is like the joke about 2 people running from a bear. You don't have to outrun the bear, you only have to outrun your friend.
Why bother cracking an almost insecure machine, when you have thousands of completely insecure ones to do your bidding?
Saskboy's blog is good. 9 out of 10 dentists agree.
With that self-righteous bigoted attitude, you can ONLY be an American.
I remember reading somewhere about ingress and egress filtering on outer routers. If the ISPs ad big providers would do this as many ppl have suggested (even the damn gov) wouldn't that solve most of the problems like this and prevent DDoS from happening as often? Is that how VeriSign was able to stay up during the attack? Just curious....
"an eye for an eye only makes the whole world blind"
But, yeah, some of the attacks aren't much different than using a loudspeaker to announce "Free Beer at Victim.com"
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
http://www.cisco.com/warp/public/707/newsflash.htm l
Secondly, Rob Thomas has made an excellent template for securing BIND against all sorts of "stupid user tricks" which can be found here:
http://www.cymru.com/Documents/secure-bind-templat e.html
Thirdly, quoting Louis Touton saying "We're not aware of any users that were in any way affected." was a serious mistake. ICANN haven't taken any notice of internet users up until now, so why should they start now?
The article went on to say "VeriSign expects that these sort of attacks will happen and VeriSign was prepared," company spokesman Brian O'Shaughnessy said. If you want a likely suspect, try this one - brought to you, of course, by Verisign:
http://www.arabtrust.com/training/courses/hacking/ index.html
Those of you who actually took the time to read my essay, "Cyberwar: How Terrorists Could Defeat the U.S., and Why They Won't," (requires Acrobat 5, not 4.) might get chill running up your backs when you read this. I'm still sticking to my original thesis, however: The Internet won't be brought down by terrorists because corporations and governments need it, and the terrorists serve the interests of corporations and governments. Regardless, I hope this DNS attack isn't a prelude to a bigger operation. Note how they say that it just ran for an hour and then stopped! Note this story, which detailed the creation of attack zombies with P2P capabilities, allowing them to be targetted at will. Also note that a top infrastructure protection analyst was just killed by the Maryland area sniper! And within a couple of days we see the largest DDOS attack on root DNS systems ever!? (Long Pause) Keep a sharp eye out for weirdness, folks, something BIG might be coming down:
Here's what I wrote back on September 14, 2002:
Maybe the terrorists start taking out some or all of the thirteen root domain name server systems (I think there are still 13) or interrupting communications to those root servers [today's DDOS incident]. (Thankfully, a couple of these systems are located in places that have people with guns guarding them.) These root servers are used by thousands of other lower level domain name systems and receive about 300 million requests per day.
Domain name systems are used to translate human readable URLs, like www.cryptogon.com into machine usable IP addresses like 209.115.132.59. There is much concern about the root DNS systems. Many articles on this topic are easily accessible. Much of the concern, however, is focused on hackers DOSsing the root servers. Again, this misses the point.
What is the physical security like at the non-military root DNS facilities?
I've driven by one of the buildings hundreds of times because I used to live near it. It looks just like any other small office building. How long would this place hold up against a few armed terrorists who were willing to die TO BRING DOWN A ROOT DNS NODE? Think about it. The same goes for the data centers mentioned previously. Surely these places should have armed security. But even if they did, are they prepared to stop terrorists who have no intention of ever getting out alive?
Here's what just happened:
The heart of the Internet sustained its largest and most sophisticated attack ever, starting late Monday, according to officials at key online backbone organizations.
Around 5:00 p.m. EDT on Monday, a "distributed denial of service" (DDOS) attack struck the 13 "root servers" that provide the primary roadmap for almost all Internet communications. Despite the scale of the attack, which lasted about an hour, Internet users worldwide were largely unaffected, experts said.
FBI officials would not speculate on who might have planned or carried out the attack.
David Wray, a spokesman for the FBI's National Infrastructure Protection Center (NIPC), said the bureau is "aware of the reports and looking into it."
DDOS attacks overwhelm networks with an onslaught of data until they cannot be used. According to security experts, the incident probably was the result of multiple attacks, in which attackers concentrate the power of many computers against a single network to prevent it from operating.
"This was the largest and most complex DDOS attack ever against the root server system," said a source at one of the organizations responsible for operating the root servers.
What my DNS server does is mandate an ACL (list of IPs allowed to make recursive queries; this can be set to "all hosts on the internet" if desired) if recursion (talking to other DNS servers) is enabled. Recursion takes a lot more work to do than authoritative requests; it is best to limit access to this.
Unlike Dan, I feel that a DNS server should be both recursive and authoritative because it allows one to customize the resolution of certain hostnames. The idea is similiar to /etc/hosts, but also works with applications which ignore /etc/hosts and directly perform DNS queries. For example, I was able to continue to connect to macslash.com when a squatter bought the domain and changed its official ip; I simply set up a zone for macslash.com, and made MaraDNS both recursive and authoritative.
SMTP servers have IP restrictions at the application layer because this gives people some idea why they can't send email to a given host. A firewall restriction gives a vague "connection timed out" message in the bounce email message; application-level filtering allows the bounce message to say something like "You're from a known Spam-friendly ISP; go away".
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
In spite of the responses by UUNet and others that sounded like claims that they gained control internally and ended the attack, chances are the attackers stopped it intentionally after they themselves detected tracking attempts by their victims.
UUNet/MCI has known that its network has hidden vulnerabilities since July of this year when I contacted them about similar symptoms on their customers' networks, and that there was a fix. The US House and Senate Armed Services Committees were contacted over a month ago about this issue in light of the obvious national security implications. MCI's Legal Department knew, in their words, 'that their network had these problems' and that it was a matter of time before this happened but so far have refused to negotiate for my help to show them how to fix their net's probs claiming they were working on it 'internally.'
Moderation in All Things... Especially Moderation - gurutc