Internet Backbone DDOS "Largest Ever"
wontonenigma writes "It seems that yesterday the root servers of the internet were attacked in a massive Distributed DoS manner. I mean jeeze, only 4 or 5 out of 13 survived according to the WashPost. Check out the original Washington Post Article here."
it's supposed to withstand a nuclear war?
...when someone calls up and says "Is the internet down?" you can finally say, "It was." not just to simplify it to the level that your callers can understand, but because it's the truth.
Mod me down and I will become more powerful than you can possibly imagine!
I mean jeeze, only 4 or 5 out of 13 survived according to the WashPost.
I'd say this just goes to show how reliable the root name servers are. I didn't notice any dns problems yesterday. In fact, I don't remember any root name server problems since the infamous alternic takeover.
Anything that is so important that it can't be disturbed during transmission is already taken off the Internet and on its own network cable.
You don't think the military puts any critical systems on the Internet, do you?
From the article: "UUNET is the service provider for two of the world's 13 root servers. A unit of WorldCom Inc., it also handles approximately half of the world's Internet traffic." Only two servers for half the world's internet traffic? That is scary. What are the specs on those babies?
FoundNews.com - get paid to blog.,
If the servers can withstand the attack without going completely down, I guess they know they did something right.
Article:
"Despite the scale of the attack, which lasted about an hour, Internet users worldwide were largely unaffected, experts said."
All I can say is that if you think of this as a test, I'm happy it passed.
(Insert joke about Beowulf cluster of DDOS attacks / the servers ability to withstand the slashdot effect.)
"when uunet or at&t takes many customers out for many hours, it's not a problem
when an attack happens that was generally not even perceived by the users, it's a major disaster
i love the press"
With something like the root nameservers, if it was an important attack, you would have noticed. I run an ISP and we had zero complaints, even from the Everquest whiners who complain at the drop of a hat about anything.
So what was on /. yesterday, anyway? Nothing that interesting that I remember it, obviously...
<wanders off to check the "Yesterday's headlines" box...>
|>
Here be Dragons
Now I know why my Tribes 2 experience lagged last night.
I'm going to beat the crap out of that 12-year-old as soon as I find him; he made me look like I had no skillzzz.
The root DNS servers are required to go from the TLD to the actual TLD's nameservers, eg to go from ".com" to the .com root nameservers. As a result, although critical, their results are cached with very, VERY long cache timeouts (TLD DNS servers seldom change).
Thus the hour long attack was not enough to meaningfully disrupt things, as most lookups would not require querying the root, unless you were asking for some oddball TLD like .su.
Change the attack to be several hours, or a few days, and then cache entries start to expire and people are unable to look up new domain names. But that attack would be harder to sustain, as infected/compromised machines could be removed.
It is an interesting question who or how this was achieved. There seems to be a lot of scanning for open windows shares (Yet Another Worm? Who knows) also going on in the past couple of days, but there is no clue if it is related.
Test your net with Netalyzr
I'd love to see a breakdown of what networks the attacks came from and what the OS distribution was... pie charts optional.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
Well we can laugh about it now (What DOS? my instinct when I read about this was to flip the unsuccessful hax0rs the bird) but my concern is that this could be a test run for something more unpleasant.
Maybe to cause a false sense of security, maybe to analyse how those crucial networks cope with DOS attacks so as to be more successful next time.
Whether these people were Bin Laden's boys or garden variety hax0rs don't get too comfortable. The worst is yet to come.
-- INTX Grouch. http://www.midnightblue.net
That A isn't accessible to the outside world. I just tried pinging it, and it didn't respond, while b, c, e, and f (that I tried) did work. On the other hand, it could just be the DDoS. But in any event, I would assume that even if A isn't accessible, the other root servers would always be able to touch it.
autopr0n is like, down and stuff.
It Couldn't have been...
I was using the computer in Afghanistan to surf pr0n.
The heart of the Internet sustained its largest and most sophisticated attack ever
I've never considered DDOS all that sophisticated myself. It seems to me that "wow a script kiddie got more systems under his control than usual" more than "a great cracker is on the loose". Though I suppose if it were a great cracker then they could have been proving themselves by predicting the attack.
I doubt the root servers run on Windows.
And *nix systems are infinitely more scriptable, so I think it's more likely those were used for the attack (if I remember correctly, unsecured Linux boxes were used for the big DDOS attacks on Yahoo and Ebay etc some years ago).
Je ne parle pas francais.
" I couldn't load ESPN.com yesterday at school, now I know why!" ...Because you got high, because you got high, because you got high...
(It can't just have been me!)
graspee
Yeah of course it's China!
Here is the proof!
I know I shouldn't have pressed this button...
---
Hello, Slashdot user. My name is Dr. Sbaitso. I am here to help you.
Which could happen if these guys tried again:
:)
We'll have to rely on IP addresses, obviously, so start changing your bookmarks now!
http://64.28.67.150/index.pl
instead of
http://slashdot.org/index.pl
Cogito ergo sum in Slashdot.
Despite the scale of the attack, which lasted about an hour, Internet users worldwide were largely unaffected, experts said.
Indeed, no traffic slowdown, no more than usual support calls. The system works as expected, even under attack.
Worth a read: Caida DNS analysis, and more specifically those graphs. It would be interesting to know which DNS sustained the attack, in regard to the graphs.
have you been defaced today?
Internet addressing giant VeriSign Inc., which operates the most important server from an undisclosed Northern Virginia location, reported no outages.
;-)
Does Cheney play QIII on it?
Seriously, I know squat about what goes on outside the biege box, but should we be scared about this?
I mean, if I were a terrorist and read this, I'd immediately start salivating and try to find out as much about Verisign as possible -- everything from employee car rentals and hotel rentals to phone calls, merchandise, shopping... id do everything in my power to find the 'undisclosed location'. Is this another weakness that hasn't truly been protected yet?
https://www.accountkiller.com/removal-requested
Because that country invented the Internet. It's the most poweful, the most prosperous, the most democratic country in the world. Where would you rather the root servers be... Iran, Iraq, China, Russia? Use your fucking mind.
Maybe they were attacking root servers but those server failing couldn't cause all the DNS records to get lost. Some people might have had temporary problems, some might have not.
If you really want to, build your own root server
So how often do YOU utilize the internet without using DNS? Not often, I bet.
"Can of worms? The can is open... the worms are everywhere."
Probably, the reason why the internet was not affected was because there are many other DNS servers not considered 'root'. For example, my school uses a DNS server to speed requests along without having to do a DNS search. It keeps track of known domain name/ip combos in a hosts file. It even caches these pages, letting users on the school load pages faster! I believe we called it a 'proxy server'?
I'm the Devil the Windows users warned you about.
Hi,
::
I'm at JpNIC & JPRS we manage the Japanese servers here. The attack progressed through our networks and affected 4 of our secondary mapped servers (these servers are used as a backup and in no way are real root servers). The servers were running a suite of Microsoft products (Windows NT 4.0) and security firewall by Network Associates.
Here is a quick log review:
Oct20: The attackers probed our system around 2100 hours on Oct 20 (Japan). We saw a surge in traffic onto the honeypot (yes these backups are honeypots) systems right around then.
2238: We saw several different types of attacks on the system, starting with mundane XP only attacks (these were NT boxes). We then saw tests for clocked IIS and various other things that didn't exist on our system.
2245: We saw the first bind attacks, these attacks were very comprehensive. We can say they tried every single bind exploit out there. But nothing was working.
Attacks ended right then.
Then on the 22nd they resumed (remember we are ahead)
22nd: A new type of attack resumed. The attack started with port 1 on the NT box, we have never seen this type of attack and the port itself responding was very weird. Trouble started and alarms went off, we were checking but couldn't figure out what happened, then we saw a new bind attack. The attack came in and removed some entries from bind database (we use oracle to store our bind data).
The following entries were added under ENTRI_KEY_WORLD_DATA
HACZBY : FADABOI
CORPZ : MVDOMIZN HELLO TO KOTARI ON UNDERNET
Several other things were changed or removed.
Till now, we have no idea what the exact type of hack this was, we are still looking into this. The attacker calls himself "Fadaboi", and has been seen attacking other systems in the past.
We are now working hard with network solutions.
Thank you.
I am not an expert but surely these servers connect to the net through some sort of router/hub whatever. The servers are made to handle a lot of traffic but what about the connecting hardware. If the routers were attacked directly wouldn't the DDOS attack still be successful without touching or alerting the dns servers themselves.
It's an interesting idea, but it doesn't quite work like that. The routers we're talking about here (I imagine that most of the root servers are on 100BT or Gigabit Ethernet LANs which then plug into one or more DS-3s [45 Mbps] or more likely OC-3s [155 Mbps]) are designed to be able to handle many, many times more traffic than the servers are. Your average Cisco 7xxx or 12xxx router is built to handle far more traffic than any given server might see. Think about it ... you generally have many servers being serviced by one router, not the other way around. Additionally, each root server is most likely connected to multiple routers (say, they're hosted at an ISP with three DS-3s to different providers and each DS-3 is plugged into a different Cisco 7500).
Also I doubt that the routers are set up to recognize any kind of attack as they are just relays between the net and the server. Possibly the attack could go on for quite some time before anyone realized what was going on.
Actually, it's the other way around. Most good routers are designed to have the ability (if you enable it) to look inside of the packets that pass through them and filter out "bad" ones based on various criteria. Thus, routers are actually perfectly suited to stopping attacks like this, while servers are expected to burn their CPU cycles doing other things (yes, servers can do this sort of filtering, but they generally have something more important to do). The only real problem is that it's often very difficult to tell the "good" packets from the "bad." After all, how do you distinguish automatically between a distributed flood of HTTP malicious requests and a Slashdotting? You get the idea.
"95% of all Slashdot
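The reply above says routers can filter on packet contents but that the hard part is telling a flood from a Slashdotting. The following is an added example for this thread, not code from any poster or vendor: it runs a per-source sliding-window rate check and an aggregate rate check over constructed request logs (addresses, timestamps and thresholds are all made up) and shows that the per-source test catches a flood from a handful of hosts while a flood spread over many hosts looks exactly like a flash crowd.

```python
"""Per-source and aggregate rate checks over constructed request logs. Added
example for this thread: it shows what a router/firewall filter can and cannot
separate. All addresses, timestamps and thresholds are made up."""
from collections import defaultdict, deque

def flag_sources(records, window=1.0, threshold=50):
    """records: iterable of (timestamp_seconds, source_ip). A source is flagged
    the moment it has sent more than `threshold` requests within any sliding
    `window` seconds. Returns the set of flagged sources."""
    recent, flagged = defaultdict(deque), set()
    for ts, src in sorted(records):
        q = recent[src]
        q.append(ts)
        while q[0] <= ts - window:       # drop timestamps that left the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged

def peak_rate(records, window=1.0):
    """Highest number of requests seen from *all* sources in any window."""
    q, peak = deque(), 0
    for ts, _ in sorted(records):
        q.append(ts)
        while q[0] <= ts - window:
            q.popleft()
        peak = max(peak, len(q))
    return peak

def make_flood(n_sources=3, per_source=200):
    """Constructed flood: a few hosts each sending 200 requests in one second."""
    return [(i / per_source, f"198.51.100.{s}")
            for s in range(1, n_sources + 1) for i in range(per_source)]

def make_flash_crowd(n_sources=500, per_source=2):
    """Constructed 'Slashdotting': 500 distinct clients, two requests each,
    all within a second. A flood spread over as many compromised hosts
    produces an identical log, which is the post's point."""
    return [(i * 0.3, f"10.0.{s // 250}.{s % 250 + 1}")
            for s in range(n_sources) for i in range(per_source)]

def triage(records, baseline_rate=100):
    """Combine both signals into the only verdicts the data actually supports."""
    abusive = flag_sources(records)
    if abusive:
        return "rate-limit these sources", abusive
    if peak_rate(records) > baseline_rate:
        return "overload from many low-rate sources: flood or flash crowd", set()
    return "normal", set()

if __name__ == "__main__":
    print(triage(make_flood()))
    print(triage(make_flash_crowd()))
```

The per-source check is what a router ACL or rate limiter can do cheaply; the aggregate check only tells you that something is overloaded, and separating a well-distributed flood from legitimate demand needs information that is not in the packet headers.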
In other news, Slashdot posted a story about the internet yesterday. as a result, the internet had been completely obliterated within 5 minutes.
-- If you try to fail and succeed, which have you done? - Uli's moose
:)
I can see how that site would totally confuse Grandma.
Grandma: "I clicked the red button."
Grandson: "YOU DID WHAT?"
Grandma: "I clicked the red button and the screen went dark."
Grandson: "NO....IT CAN'T BE! YOU NEVER CLICK THE RED BUTTON! DO YOU KNOW WHAT YOU DID?"
Grandma: "Huh?"
Grandson: "YOU KILLED THE INTERNET! YOU BASTARD!"
nbfn
seriously, cool site...
the only thing missing is the goat.cx guy
A certain mil/gov organization I consult with was jumping through their own asses worried about this. The funny thing is, ummm... NOTHING CHANGED! We experienced NOTHING. I think they wanted us to do something... ANYTHING.
You know... next time this happens, I'm setting up my own root servers... errr... wait...
3cx.org - A truly bad website.
Quite often, in fact. I only visit a few sites daily (Slashdot, El Reg, and the rest) and my box caches the domain names, therefore I never touch DNS. Couple that with leaving my computer on 24/7, and I have effectively eliminated egress DNS traffic.
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
I think I can. The US Army-operated root server looks like it took the brunt of the attack, as opposed to the JPNIC servers, which seem to have had a much lower rate (perhaps because most of the attacking hosts were US-based?).
"The Domain Name System (DNS), which converts complex Internet protocol addressing codes..."
And I suppose the person who wrote this article would consider arithmetic a complex system of digits and symbols.
come on fhqwhgads
I'm not too sure I'd call the USA the most democratic nation in the world, but that's a discussion for a totally different time and place.
The Internet's roots have nothing to do with democracy. Quite the opposite, your military wanted a communications network that could survive a nuclear holocaust so that it would be the first to rebuild and conquer the world when the evil reds launched the first nuke.
Most of the TLDs are in the USA because the DNS system was created in the USA, and was largely hosted by US providers. It's too much trouble to move them, and of limited benefit. If they ever decide to add new ones, it's likely that they'll put at least one in Japan, and probably a couple in Europe.
Even so, though, the main reason for their dispersal is to survive a nuclear attack that takes out one or two. I don't know if you've looked at a map recently, but the USA is big. It's not like all 13 of the TLD servers are located in a trailer in rural Kentucky. You'd have to carpet bomb the entire USA to be sure of taking out all 13 of them, and frankly, if somebody had the resources to turn the entire country into a self-illuminating glass-floored parking lot, the Internet would be the least of my worries.
If you believe everything you read, you'd better not read. - Japanese proverb
Root-servers.net
The legendary cymru.com data.
I haven't looked yet but LINX mrtg charts might show something interesting.
Of course, even if someone could knock all the root servers over, the net as we know it wouldn't stop working instantly. That's what the time to live value is for :)
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
piddly and unintelligent
Fine, so the attack was unintelligent. What will happen when someone attacks MAJORLY and INTELLIGENTLY?
This gets my panties in a knot. A piddly attack brought down 65% of the root name servers! A good attack would have brought them all down! Doesn't that worry you?
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
The stats for the h.root servers are available for the time period of the attack. Seems as though the h servers were taking in close to 94Mbits/second for a while.
More links to server stats can be found at Root Servers.org and some background is available at ICANNWatch.
I was using the computer in Afghanistan to surf pr0n. Damn. I wasn't aware that there was an IP stack available for the Altair!
You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
-- Colonel Adolphus Busch
There's only one critical file? Hey, just email it to me, I'll keep it on my hard drive. If anyone needs it, just shoot me an email.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
... Or, this just might be the work of a terrorist group launching a cyber attack, maybe even your neighbor, Billy the w0nd3rh4x0r.
... Or, maybe they just got slashdotted. Heh heh heh...
-agent oranje.
How do you plan on enforcing this, sir?
Seriously. How do you plan on enforcing this? Not only is it a huge expenditure of resources to track down the number of computers used in the attacks, to track down their IP addies, to obtain the needed court orders to obtain their ISP's logs, the resources to parse those logs to find out who was logged on, and *then* go about prosecuting the offenders, what would it accomplish?
If Code Red taught us anything, it's that the dumb won't change a thing about the way they work, regardless of how much the internet community ridicules them. It's also completely nuts to punish the ISPs for this... where does it stop? I'm pretty sure that some AOL clients were responsible (and while I wouldn't complain about no AOL'ers for a while, I bet they would). How about people who buy their access directly from UUNet? Gonna block out UUNet for a month?
Even if you could implement that punishment of the ISPs, it wouldn't accomplish much. It wouldn't hurt me at all if I was blocked from direct access to the TLD servers, because inside my network I'm running a mirror. My ISP is running a mirror. I know of a dozen open DNS servers on the internet. I'm betting I could find at least one that wouldn't block me.
Seriously, though. It's great to say we should punish these people for not securing their systems, but you have to understand just how many computers would be needed for this attack. The TLD servers aren't running on 64k ISDN: they're on OC48 at least. There's 13 of them. The kind of bandwidth needed to adequately DoS them is obscene. You either do it the dumb way and use 50 computers running on the fastest connection available, or you use *hundreds* of computers, possibly thousands or tens of thousands.
Looks great on paper, but realistically there's not much point in ranting like this. Besides... if it wasn't for the article, I'm betting that most of the world wouldn't have noticed.
If you believe everything you read, you'd better not read. - Japanese proverb
Wow. I must've stumbled onto Activewin by mistake. Must be that damn DNS attack....
BTW, an unmanaged hub is nothing more than an electrical device. It propagates electrical signals (packets) to the various ports. A managed hub (which are usually switches-similar to hubs, but not quite the same.) does indeed get an IP address, though it doesn't need one to act as a dumb hub (or switch).
The attack only lasted an hour or so, didn't affect all the servers, and if most of the sites you were looking at were in your ISP's DNS caches, you wouldn't have hit the root servers anyway. If you're looking for google.com, your ISP's cache has it because somebody else looked at it 2 seconds ago - it's when you want really-obscure-domain.com that you need to hit the root servers.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I hope for your sake that Slashdot doesn't change it's IP address any time soon then.
One would assume you still have to check periodically to see if the IP address from DNS is the same as your cached one. Either way, you are not the majority of Internet users, so for most everyone, DNS going dead == Internet going dead.
Determining whether or not kicking the majority of users off the Internet is a bad thing is left as an exercise to the reader.
...if they'd looked up their favorite pr0n and warez sites first, so the names were in their DNS caches and their ISP's caches.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I only noticed it because I use my own DNS server to resolve requests; and pay close attention whenever I see any problems resolving host names (there is the possibility of it being a bug with my software).
The person who orchestrated this attack is not very familiar with DNS. Attacking the root name servers is not very effective; all the root servers do is refer people to the .com, .org, or other TLD (top-level-domain) name servers. Most DNS servers remember the list of the name servers for a given TLD for a period of two days, and do not need to contact the root servers to resolve those names. While some lesser-used country codes may have had slower resolution times, an attack on the root servers which only lasts an hour can not even be felt by the average end user.
In the case of MaraDNS, if a DOS (denial of service) is happening against the root servers, MaraDNS will be able to resolve names (albeit more slowly for lesser-used TLDs) until every single root server is successfully DOS'd.
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
Why?
It's really easy to set up a system which dumps your SQL database out to a TinyDNS file. TinyDNS is provably secure software. I would expect that you would use it on the root servers, since it's designed to work at very high levels of output/uptime, and be attack resistant to the point of being attack proof.
Say what you will about D. J. Bernstein, he does have a very capable DNS solution available.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
And if I break your car window, steal your car, and drive it into a bank...I suppose you should lose your driver's license, right?
Genocide?
McCarthyism?
No race is being systematically killed that I can see.
McCarthy, though a power mad drunk and witless individual did point out the broadening influence of Communism and help to root out some very corrupt individuals. Wouldn't call him a hero. But his name has taken on a connotation that moves away from reality.
Al Qaeda is not a random group. If people, especially Americans are paranoid right now, it might have something to do with Muslims killing innocent civilians for their religious salvation.
Couple that with a sniper on the loose around the Nation's capital, and yeah, a DDOS attack on the backbone of the worldwide information structure the U.S. built, I'm thinking Terrorism is a fairly good guess.
Why? Are you from France?
The opposite of progress is congress
It's just change propagation that's a bitch.
What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey
..memorising the slashdot servers IP address in case of total DNS meltdown? Seriously, if the DNS system was totally destroyed, would you be able to think of any IP addresses by memory to get you in contact with other net people?
Smaller isp's don't cache info from larger ones... most dns servers simply use the root servers directly. There is no hierarchy beyond that with regards to caching.
It is hierarchical with regards to namespace, but not so much with regards to lookups.
Actually that is not the reason. By the time DNS came along the Internet was already international. And never confuse the claim that the US invented the Internet with the idea that the US invented computer networking. Lots of countries had computer networks, the idea of protocol design to overcome the political problems of connecting disparate networks was what came out of the US.
The DNS servers are where they are because they are expensive to maintain and are run on a volunteer basis. Most of the people prepared to provide the necessary resources happened to be in the US. This is the reason why 9 of the root servers went down: you cannot expect someone to pay for multiple OC3 or above connectivity to support a volunteer effort.
As far as geography goes China and Russia should have a root server. There should also be servers in Australia, south America and northern and southern africa. This is actually likely to happen when it becomes feasible to turn on use of anycast. At present there is a hard limit of 13 root servers. Some of those servers are multiple machines in fault tolerant configurations but they are still bound by the IP assumption that an IP address is served at a single location.
With anycast we simply fiddle the router tables so that there are multiple servers around the world all responding to the same IP address. This will make it possible to have 50 sites serving each of the 13 root DNS addresses. In practice it is likely that only one of those addresses will need to be anycast and the BIND software tweaked to favor it.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
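The post above explains anycast as "fiddling the router tables" so that several sites answer the same address. The following is an added example for this thread, not code from the poster or from any root operator: a toy routing model (the topology, link costs and service address are constructed) in which every site that announces the service prefix is a candidate, each client is routed to the nearest one by shortest path, and withdrawing a site makes its clients re-converge to the next nearest instead of losing the address entirely.

```python
"""Toy anycast model: one service address announced from several sites; each
client reaches the nearest announcing site, and routing re-converges when a
site withdraws. Added example for this thread; topology and costs are made up."""
import heapq

SERVICE_IP = "198.51.100.1"   # placeholder standing in for one root address

# Constructed topology: undirected links with hop costs between regions.
LINKS = [
    ("us-east", "us-west", 3), ("us-east", "europe", 5), ("us-west", "asia", 6),
    ("europe", "asia", 7), ("europe", "africa", 4), ("asia", "australia", 3),
    ("us-west", "australia", 8),
]

def build_graph(links):
    g = {}
    for a, b, cost in links:
        g.setdefault(a, {})[b] = cost
        g.setdefault(b, {})[a] = cost
    return g

def shortest_paths(graph, source):
    """Dijkstra: cost from `source` to every reachable node."""
    dist, heap = {source: 0}, [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nxt, cost in graph[node].items():
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                heapq.heappush(heap, (nd, nxt))
    return dist

class AnycastRoutes:
    """Tracks which sites currently announce SERVICE_IP into the routing table."""
    def __init__(self, graph, sites):
        self.graph = graph
        self.sites = set(sites)

    def withdraw(self, site):
        self.sites.discard(site)

    def announce(self, site):
        self.sites.add(site)

    def serving_site(self, client):
        """The site that receives `client`'s packets to SERVICE_IP: the nearest
        announcer. Returns None only when no instance is left, which is the
        unicast situation the post contrasts anycast with."""
        dist = shortest_paths(self.graph, client)
        reachable = [(dist[s], s) for s in self.sites if s in dist]
        return min(reachable)[1] if reachable else None

def failover_demo():
    """Three sites announce the address; the asia site is then withdrawn."""
    routes = AnycastRoutes(build_graph(LINKS), sites=["us-east", "europe", "asia"])
    clients = ("africa", "australia", "us-west")
    before = {c: routes.serving_site(c) for c in clients}
    routes.withdraw("asia")          # e.g. that instance taken offline under load
    after = {c: routes.serving_site(c) for c in clients}
    return before, after

if __name__ == "__main__":
    print(failover_demo())
```

Real deployments announce the prefix with BGP rather than a Dijkstra toy, but the property shown is the one that matters: the "one address, one location" assumption the post mentions disappears, so a flood aimed at the address is split across sites and a downed site takes only its own catchment with it.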
That'd be funnier if it didn't really happen...all the time. I work at a University and I get at least one call a day: "Is the server down?" There are many many servers on campus and it is (almost) never the server causing the problem. Users wank up their software configuration and then blame it on "the server" instead of their own ignorance (notice I didn't say stupidity, I said ignorance. many of these people are very intelligent...just in fields without a technical basis). Some basic user education on the technology that is an integral part of their jobs could go a long way.
FoundNews.com - get paid to blog.,
Yeah, it would still take a lot of effort, but not "the resources to turn the entire country into a self-illuminating glass-floored parking lot". Not even close.
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
For the most common 2LD names, any major ISP will have cached the addresses for them, and won't need to hit the .com server until the typical 1-week or 24-hour cache timeout periods. If your nameserver is ns.bigisp.net, somebody there will have looked up google.com in the last 2 seconds, even though nobody at your ISP has looked up really-obscure-domain.com this week - but even that one may be in the cache because some spammer was out harvesting addresses. An obvious scaling/redundancy play for the root servers and for the major ISPs would be to have them cache full copies of the root server domains to keep down the load and reduce dependency. It's not really that much data - 10 million domains averaging 30 characters for name and IP addresses is only half a CD-ROM. An interesting alternative trick would be for the Tier 1 ISPs to have some back-door access to root-level servers for recursive querying.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
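Several posts in this thread (the TTL explanation near the top, the "google.com is in your ISP's cache" reply, the MaraDNS post, and Bill Stewart's post just above) make the same point: resolvers cache the root's referrals to the TLD servers for days, so an hour-long root outage is absorbed, while a multi-day one is not. The following is an added example for this thread, not code from any poster or from MaraDNS, BIND or TinyDNS: a toy recursive resolver with a referral cache and a record cache, replayed against a one-hour and a three-day root outage. The zone data, server names, TTLs and timeline are constructed; the 48-hour referral TTL is an assumption taken from the "two days" figure in the thread.

```python
"""Toy recursive resolver showing why an hour-long root-server outage is
barely felt while a multi-day one is not. Added example for this thread;
the zone data, TTLs and timeline are constructed, not real root/TLD data."""
from dataclasses import dataclass, field

HOUR = 3600
NS_TTL = 48 * HOUR   # how long a resolver keeps a TLD's NS referral (assumed 2 days)
RR_TTL = 24 * HOUR   # TTL of an ordinary address record in this toy

# Constructed data: the root only knows which server handles each TLD;
# the TLD servers know the addresses. Server names are placeholders.
ROOT_ZONE = {"com": "tld.com.example", "org": "tld.org.example", "su": "tld.su.example"}
TLD_DATA = {
    "com": {"google.com": "192.0.2.10", "really-obscure-domain.com": "192.0.2.20"},
    "org": {"slashdot.org": "192.0.2.30"},
    "su":  {"example.su": "192.0.2.40"},
}

class RootDown(Exception):
    """The resolver needed a root referral and no root server answered."""

@dataclass
class Resolver:
    root_up: bool = True
    ns_cache: dict = field(default_factory=dict)  # tld -> expiry (seconds)
    rr_cache: dict = field(default_factory=dict)  # name -> (ip, expiry)

    def _tld_server(self, tld, now):
        """Consult the root only when the cached referral for `tld` has expired."""
        if self.ns_cache.get(tld, -1) > now:
            return ROOT_ZONE[tld]
        if not self.root_up:
            raise RootDown(f"referral for .{tld} needed")
        self.ns_cache[tld] = now + NS_TTL
        return ROOT_ZONE[tld]

    def resolve(self, name, now):
        """Return the address for `name` at time `now`, using caches first."""
        hit = self.rr_cache.get(name)
        if hit and hit[1] > now:
            return hit[0]
        tld = name.rsplit(".", 1)[-1]
        self._tld_server(tld, now)               # may raise RootDown
        ip = TLD_DATA[tld][name]                 # toy TLD server answers directly
        self.rr_cache[name] = (ip, now + RR_TTL)
        return ip

def replay(queries, outages):
    """Replay (time, name) queries; the root is down during any (start, length)
    in `outages`. Returns {(time, name): 'cached' | 'ok' | 'root-needed'}."""
    r, out = Resolver(), {}
    for t, name in queries:
        r.root_up = not any(s <= t < s + l for s, l in outages)
        was_cached = name in r.rr_cache and r.rr_cache[name][1] > t
        try:
            r.resolve(name, t)
            out[(t, name)] = "cached" if was_cached else "ok"
        except RootDown:
            out[(t, name)] = "root-needed"
    return out

def scenario():
    """Warm the cache, then query during a one-hour and a three-day root outage."""
    queries = [
        (0, "google.com"), (0, "slashdot.org"),
        (12 * HOUR + 600, "google.com"),                 # record still cached
        (12 * HOUR + 600, "really-obscure-domain.com"),  # .com referral cached, fine
        (12 * HOUR + 600, "example.su"),                 # never seen .su: needs root
        (4 * 24 * HOUR, "google.com"),                   # record and referral expired
    ]
    return replay(queries, outages=[(12 * HOUR, HOUR), (48 * HOUR, 72 * HOUR)])

if __name__ == "__main__":
    for (t, name), status in scenario().items():
        print(f"t={t / HOUR:5.1f}h {name:28s} {status}")
```

During the one-hour outage only the lookup for a TLD the resolver had never seen fails; during the three-day outage even a popular name fails once both its record and the referral for its TLD have expired, which is the "change the attack to several days" case from earlier in the thread.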
4711 Mission Rd. - Westwood, KS (sub. of Kansas City), Tel: (913) 432-5678
Good enough for a lot of professional athletes, and they straightened me up after my car wreck.
But I don't think they can fix uunet.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
Hmmm, maybe someone else mentioned this, but I wonder why web browsers don't perhaps cache the IP address as part of a saved bookmark. It would seem to help if they played nice by using a bit less load on the DNS system, and avoid problems like this if (perhaps) DNS went down. You could add a button to "refresh bookmark IPs from DNS", or just have the browser automatically do it if the cached IP address was not found...
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
>Users wank up their software configuration and then blame it on "the server" instead of their own ignorance (notice I didn't say stupidity, I said ignorance.
You only get to use the ignorance excuse once. Not following instructions when you've been explicitly given them is stupidity.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Vixie said he kept the server at Internet Software Consortium operating by "pushing" the flood of data far enough away from his servers that legitimate traffic could flow around the obstruction. Such clogs still affect some Internet users by gumming up Internet communications somewhere else in the network. ... 2nd to last paragraph in the article. I can't even touch that. wow. I can make up shit like that too... can I have a job at the washington post please?
Skiers and Riders -- http://www.snowjournal.com
Excellent point. There are many people who are repeat offenders and are certainly stupid! Some of these people are even supposed to be technically inclined according to their job description at the University.
FoundNews.com - get paid to blog.,
The fact that something exists in DNS doesn't actually mean you can reach it :P
autopr0n is like, down and stuff.
Original Washington Post article was: "Attack On Internet Called Largest Ever"
/.
Followup article, after slashdot story, was: "Attack on Washington Post Called Largest Ever".
Ah.. behold the mighty power of
In the Portland, Ore area and like card games? Check out: http://groups.yahoo.com/group/portlandgames/
However at work, we use BIND. Why? Cause it's the "lowest common denominator". All the admins know at least the basics on how it works and could probably update the zone files if they had to, even if they don't deal with it on a daily basis like I do.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
Like many, I didn't notice: Speakeasy's DNS servers weren't involved. Besides, isn't DDOSing root DNS to take out the entire 'net a little like trying to chop down a sequoia with a piece of fried chicken to get lumber?
This sig no verb.
Suppose that the root nameservers were to only allow connections from certain hosts. In other words, if I run one of the root nameservers, everyone but certain DNS servers is blocked at the router level. This makes it more difficult to attack a root server, as you'd have to either take over a nameserver I allow connections from, or somehow exploit my router which blocks you.
This does have a potential problem -- say I charged $100,000/year to be able to use my root nameserver. Suddenly, only the largest ISPs can connect -- the whole DNS system could potentially become highly commercialized. (I suppose the wealthy ISPs could "resell" access, but...) But if it's carefully planned, I think this might be a rather effective method of preventing problems with the root nameservers. It seems strange to have a handful of "essential" servers just sitting out there on the web.
________________________________________________
suwain_2
I run a small intranet. We use BIND on Linux for our core DNS, and TinyDNS on the firewall as the external DNS server. TinyDNS is a great package, though it can take a little getting used to. However, I still see TinyDNS and BIND as being in different markets.
On my main server, I want to be able to manage caching, record serving, have multiple zones some of which are dynamically updated, etc. all on the same box, and TinyDNS doesn't provide this capability. Besides, Bind 9 actually has some security built into the architecture, though it is not as paranoid as TinyDNS.
LedgerSMB: Open source Accounting/ERP
Most good routers are designed to have the ability (if you enable it) to look inside of the packets
Hmmm, last I looked at the Cisco feature set (or the like from Foundry and Nortel and what have you), it was a challenge to put in rules that
a) didn't take out significant "good" traffic, and
b) did take out significant "bad" traffic.
I agree that rate limiting ICMP traffic is an appropriate answer, especially in the light of this particular attack, but I'm appalled by the number of illiterate dorks who copy snippets titled "how to block all ICMP" from a textbook into their firewall without the slightest understanding of why ICMP was implemented in the first place.
I hate to think of what could happen if the 31334 hackers really start mixing attacks.
I positively _love_ WD40, but I will not apply it to reduce the squeaking of my car's brakes. Too many people use the Internet equivalent of WD40 on their network brakes.
Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
The behaviour he described is normal. As part of a DNS entry you specify the expire time, telling a client how long it's okay to cache an entry.
-Bill
SlashSig Karma: Excellent (mostly affected by moderatio
In the world of Winblows users and Linux newbies, you don't have to have the most secure machine in the world, it just has to be more secure than 50% of the machines in the world.
It is like the joke about 2 people running from a bear. You don't have to outrun the bear, you only have to outrun your friend.
Why bother cracking an almost insecure machine, when you have thousands of completely insecure ones to do your bidding?
Saskboy's blog is good. 9 out of 10 dentists agree.
I have found AoA to be extremely useful in my understanding of Boolean Algebra, Chapter 2 covered the basic postulates, theorems, functions very well. I printed the "16 Possible Boolean Functions of Two Variables" table he included and kept it in a handy location. I first came across minterms/maxterms and how they are used to find the canonical expression, as well as k-maps for optimization. I don't particularly like Hyde's assembly library however, for me the Intel Programmers Manual Volume 1-3 dead tree book was most clear and straight-forward, unlike assembly "tutorials".
I challenge you to provide a link to a better reference than Hyde's AoA that explains boolean algebra more clearly and more comprehensively. Go ahead.
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
A warrant
--Joey
You're right, you wouldn't want to block all queries, but you can do almost as good: you can block all queries except the queries for the domains that you're hosting. In fact, doing so is generally considered a very good idea, since it protects you against some forms of cache poisoning attacks.
Check out the allow-recursion command in the named.conf (5) man page, which does exactly what I describe.
"to rebuild and conquer the world"
If the U.S. wanted to conquer the world, 1946 would have been a good time to do it. The U.S. only wants to be as strong as it needs to be to protect itself from powerful fascist nations. The average U.S. taxpayer would much rather buy education and healthcare than guns.
If you're looking for countries to blame for the state of the world, blame Germany and Russia. We will be feeling the effects of their past aggressions for centuries to come.
Ah, that graph brings back some memories. I miss working in a NOC for a colo facility.
:) (After they got the game servers up, of course.)
We hosted WWII Online's web servers and game servers for a while. When it first was released many of their customers weren't happy because nothing worked right.
Apparently somebody got mad and had an OC3 available to try a DOS attack, but little did they know WWIIOL's servers had 200Mbps internet. The spike went up to 45mbit over normal for a short while, but I guess they quickly realized it didn't do any good and gave up.
I thought that was funny. But what was funnier is that one of their customers was clever enough to figure out how to get hold of the NOC and complained that the game servers were down! I couldn't tell him anything helpful except to contact the WWIIOL folks.
Of course it was also cool to play an online game with a ping of less than 10ms.
And then there was the time one of their techs was setting up a Linux server, stepped out for a few minutes and came back to find that it had been root kitted! He had just finished the base load and not patched it yet, thinking it would be okay long enough to get a bite to eat. He was pissed. But the script kiddie was stupid because he locked himself out by deleting the telnet and sshd servers and logging out before activating his trojan software.
ok, everyone keeps saying the bunkers these things are in were designed to withstand a nuclear blast, my question is, are the bunkers themselves, or the equipment in the bunkers shielded enough to survive the electromagnetic pulse given off by the detonation of a nuke? it's not just sci-fi, an EMP is another devastating effect of nukes, it's just usually there isn't anyone left around to complain about their radio not working
"Sic Semper Tyrannosaurus Rex."
And even if you can, they can probably weasel a settlement out of you anyway.
To provide caching, use DNScache. If your box is exposed to the internet, you likely don't want to be doing cache requests for the world. You can easily configure DNScache to broker for several internal (TinyDNS) systems. Note that only TinyDNS will set the authoritative flag; DNScache will not.
For dynamically updating zones, I use a small Perl DBI script which dumps zones from the DB into a directory. All files in the directory are sorted (via sort) into a main text file, which is hashed into data.cdb. I also have a big text file from the other DNS server scped over and included in the hash. The entire system is dynamic, with every important entry controllable from within an easily backed-up (and restored) SQL server. Adding things like DynDNS to this setup would be trivial (all I'd need is another table for actual accounts, which allow people to modify their own zone files).
Best of all, because there is an order of magnitude less code running, TinyDNS is a lot easier to inspect for correctness. You can spend a couple of evenings reading over all the code for the package (even if it's not the best looking C code in the world), and really understand it.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
No race is *yet* being systematically killed. I was just pointing out that then when a society is running scared and they have a Name for their fears it is very possible that a dictator can sway a Nation and cause Nazi-Germany style disaster.
/. at -1 to see further evidence: "Let's kill all those dirty sand-niggers and turn their homes into glass" etc.
Sniper ? DDOS attack ? While you can brand these things "terrorism", no right-minded individual would think that the same group of people who planned the WTC terror are behind these things.
There have been and always will be mad serial killers and bad hackers (oops sorry, "crackers" for ESR/jargon file defenders). The fact that people are connecting ANY evil act to the same people who destroyed the WTC is evidence of the group insanity I originally mentioned. You have only to read
Yes there are evil acts being carried out all over the world, not just targeted at Americans. However this is not a Star Wars film and there is no one set of "bad guys", just lots of mad, evil people with their own agendas and schedules.
Even your own post, with its "...Muslims killing innocent civilians" is guilty of gross generalization- we aren't on a holy crusade against the whole of Islam, you know...
graspee
iirc, for ip addresses in email, foo@123.123.123.123 is not a valid email address, it should be foo@[123.123.123.123]
Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
You'd be surprised just how large my /etc/hosts file is.
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
Re, "Mail was coming in slowly, servers were appearing to fade in and out of existence..."
Sounds like A Fire Upon the Deep (Vinge, about 1993).
Scary in real life.
Didn't notice anything in North Texas, but at 4:00 pm our time, not much was going on at work, no intense outside connectivity.
Heck, with rules like that I'd be deploying my 802.11b with full-scale WET11 wireless bridges and microwave amplifiers all around my town. Conserve bandwidth? I'll create bandwidth.
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
What bullshit. Like who? I can identify plenty of corrupt individuals at the time, starting with McCarthy himself and of course J Edgar. What McCarthy did was help the government get rid of everyone who knew anything about communism, so that by the time we actually had to fight a war against communists in Vietnam, there wasn't anybody in the government who knew a damn thing about our enemies. This is supposed to have helped America?
As for connecting al-Qaeda to the DC sniper or the DDOS, I doubt it. The DC sniper leaves tarot cards and notes that say "I am God" -- hardly sounds like the handiwork of a Muslim extremist; sounds more like another home-grown American whacko. As for the DDOS, again, I doubt it. Disrupting e-commerce may be a goal of al-Qaeda's ideology at some level, but I doubt they spend too much time thinking about it. Their M.O. has always been large scale spectacular attacks on civilians, like the WTC and Bali. A DDOS just doesn't offer the same spectacle as an attack that litters the streets with the bodies of "infidels." Al-Qaeda is a grave threat, to be sure, but it doesn't help anybody if we get so paranoid that we start seeing Islamic terrorists behind every bush. In fact, I think that's their goal.
(And no, I won't say, "then the terrorists win.") (shit, I said it!)
Ethernet is a physical transport, while TCP/IP is a protocol. In fact, TCP (transmission control protocol) sits on top of IP (internet protocol). There is also UDP on top of IP (but no one says UDP/IP that I've ever heard) and ICMP on IP. UDP is for short messages that are sent without creating a link, and ICMP is for things like ping, traceroute, etc. You can create your own protocol and use it on the internet.
You can use any physical layer: ethernet, a modem, a cell phone, wifi, bluetooth, firewire, USB, power lines, etc. with IP, and similarly you can use many other protocols with Ethernet or any other link, such as IPX, NetBEUI, AppleTalk, etc.
TCP, UDP, and ICMP are tied to IP and won't work with anything else.
Then there are higher level protocols that sit on top of TCP or UDP, for example DNS sits on UDP, FTP, telnet, gnutella and others sit on TCP. Interestingly HTTP should work on other protocols as long as you can establish a link between a server and a host on it. And you have software that implements it on these other links.
There's also Ipv6, which is a newer version of IP.
Lonely?
Find love on the internet
First of all, DDoS attacks use many computers, that's why they are called *Distributed* Denial of Service attacks. Secondly, most DDoS attacks are a form of attack known as a smurf attack. In a smurf attack, the attacker can multiply its effective bandwidth by pinging a vulnerable network and having every computer on that network reply. The attack also forges the source IP. The pinged network then sends their replies to the source IP that was forged. The IP that was forged is the real target. In this way, the real attacker's IP is never sent to the target. It also means there are many computers responding for each attacking computer. When you multiply this by many zombie attackers, it presents a very formidable packet storm.
And that's just a little fragment of it. I'm really worried about these guys taking over the internet!!
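The reply-amplification pattern described above can be spotted from flow records on either side of it. This is an added defender-side example, not code from the thread; the flow lines, the 192.0.2.0/24 "local" network and the 203.0.113.7 spoofed-victim address are all constructed.

```python
"""Added example (not from the post): flag both halves of a smurf-style
amplification from simplified flow records. A network whose directed-broadcast
address receives echo requests is being used as the amplifier; a host that
receives echo replies from many peers it never pinged is the forged source.
Records are constructed, in a simplified 'src dst proto kind' form."""
from collections import defaultdict
import ipaddress

# Constructed sample: 192.0.2.0/24 is "our" network, 203.0.113.7 the forged source.
FLOWS = """\
198.51.100.9 192.0.2.255 icmp echo-request
192.0.2.10 203.0.113.7 icmp echo-reply
192.0.2.11 203.0.113.7 icmp echo-reply
192.0.2.12 203.0.113.7 icmp echo-reply
192.0.2.13 203.0.113.7 icmp echo-reply
203.0.113.7 192.0.2.10 icmp echo-request
192.0.2.10 203.0.113.7 icmp echo-reply
192.0.2.20 192.0.2.21 tcp syn
"""


def parse(text):
    """Turn the constructed flow text into (src, dst, proto, kind) tuples."""
    records = []
    for line in text.splitlines():
        src, dst, proto, kind = line.split()
        records.append((src, dst, proto, kind))
    return records


def broadcast_pings(records, local_net):
    """Echo requests addressed to the directed-broadcast address of local_net.

    This is exactly the traffic a border router configured to drop directed
    broadcasts would discard; seeing it means the network is being used as an
    amplifier."""
    bcast = str(ipaddress.ip_network(local_net).broadcast_address)
    return [(s, d) for s, d, p, k in records
            if p == "icmp" and k == "echo-request" and d == bcast]


def unsolicited_reply_victims(records, min_sources=3):
    """Hosts receiving echo replies from more distinct peers than they pinged.

    Returns {host: sorted list of unsolicited reply senders}. The fan-in of
    replies from hosts the victim never contacted is what the spoofed target
    sees; a handful is noise, many distinct senders is the amplified flood."""
    requested = defaultdict(set)   # host -> peers it sent echo requests to
    replied_by = defaultdict(set)  # host -> peers that sent it echo replies
    for s, d, p, k in records:
        if p != "icmp":
            continue
        if k == "echo-request":
            requested[s].add(d)
        elif k == "echo-reply":
            replied_by[d].add(s)
    victims = {}
    for host, senders in replied_by.items():
        unsolicited = senders - requested[host]
        if len(unsolicited) >= min_sources:
            victims[host] = sorted(unsolicited)
    return victims


if __name__ == "__main__":
    recs = parse(FLOWS)
    print("broadcast pings:", broadcast_pings(recs, "192.0.2.0/24"))
    print("spoofed victims:", unsolicited_reply_victims(recs))
```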
Maybe the purpose of the backdoor in bugbear was to create a zombie army to launch this ddos attack. "Great, Smithers! Another recruit for my ever growing army of the undead."
How ya like dat?
That is, assuming that you have your local DNS server (if you have one) set to override the TTLs stored with the A records.
I remember reading somewhere about ingress and egress filtering on outer routers. If the ISPs and big providers would do this as many people have suggested (even the damn gov) wouldn't that solve most of the problems like this and prevent DDoS from happening as often? Is that how VeriSign was able to stay up during the attack? Just curious....
"an eye for an eye only makes the whole world blind"
If someone could kindly point me to the person or persons who launched this latest DDOS attack, I would certainly appreciate it. I hold the patent on Distributed Denial-Of-Service Attacks By Electronic Means, and I will get my day in court, and royalties due to me.
But, yeah, some of the attacks aren't much different than using a loudspeaker to announce "Free Beer at Victim.com"
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
http://www.cisco.com/warp/public/707/newsflash.html
Dammit! I might lose marks in a course because of this. I couldn't access the site for electronic submission!
Because I use an OpenNIC name server, which loads its own copy of the root zone, I never even noticed that there was a problem.
Another strong vote for distributed name systems.
-Chris
-- This sig is only a test. If this were a real sig it would say something witty. --
I won't post the addresses to avoid slashdotting them, but several of the root-servers have graphs for response-times as well as traffic-levels. On some of the servers, the response-time went up, but on a number of them it went to zero for an hour or so, which I assume means no response rather than infinitely-fast response. Somebody set them up the bomb.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Secondly, Rob Thomas has made an excellent template for securing BIND against all sorts of "stupid user tricks" which can be found here:
http://www.cymru.com/Documents/secure-bind-template.html
Thirdly, quoting Louis Touton saying "We're not aware of any users that were in any way affected." was a serious mistake. ICANN haven't taken any notice of internet users up until now, so why should they start now?
The article went on to say "VeriSign expects that these sort of attacks will happen and VeriSign was prepared," company spokesman Brian O'Shaughnessy said. If you want a likely suspect, try this one - brought to you, of course, by Verisign:
http://www.arabtrust.com/training/courses/hacking/index.html
The caching nameserver pdnsd does something like this -- if it can't manage to get a new record, it uses the old (stale) copy. So you have a cached copy of Slashdot's NS for a long, long time.
If root DNS went down, you'd have to have Slashdot's DNS move as well.
May we never see th
The outbound queues on our mail server kept backing up as normally available clients couldn't be reached.
If you don't want to repeat the past, stop living in it.
That being said, Randall Hyde's antics are legendary. He screams, throws tantrums, is belligerent to students, staff and faculty. He has flunked entire classes delaying their graduation, instead of teaching course materials he teaches languages *he* invented. Linking to him is kind of like saying, here's a link to the devil's website, he's the devil, but he's got some good points.
But I didn't expect you to know any of that, was just making an observation :) If you'd like to discuss it privately you can shoot an email to my address above.
Religion is a gateway psychosis. -- Dave Foley
Also, some of the press about the attack said it was using ICMP rather than UDP, and it's much easier to go around squashing ICMP than trying to figure out which correctly-formed queries for foo.com are real and which are DDOS.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Are you all nuts? An AC makes an obviously bogus post and it gets +5?
I should post AC that, oh, I don't know. That Stephen King is dead. People would probably buy into that as well.
You really think a legitimate employee would be handing out information on which systems are honeypots? And then bogus pseudo-hacker crap like "the attack calls himself 'Fadaboi'"? Where did that come from?
Christ.
May we never see th
If you wanted to be a bit more democratic about access, you could provide priority service (or push service) to the big ISPs' main servers, and volume-restricted service to the free-use crowd. It's most important that the ~20 Tier 1 ISPs have good copies, because most of the smaller ISPs get connectivity from one or more Tier 1s, so they could get DNS as well.
A fun side-effect of making direct DNS access expensive would be that it would encourage more people to use the alternate root providers, who used to have about 0.5% of the market, except I think some of the cable modem companies were using alternate roots to have more options for selling namespace to their customers.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I hope this moderator doesn't get killed in metamod.
The post is interesting. Because the poster is out of his mind. I was curious if this whole sniper thing would drive some DC residents out of their minds.
The obvious response: the question isn't whether "standing up to evil" means offending anyone, ACLU lawyer or otherwise. The question is whether your description of "standing up to evil" requires the suspension of our rights as guaranteed by the constitution.
I'm curious how you think such an obsession with freedom (as the ACLU would request it) could lead to tyranny.
There are no trails. There are no trees out here.
Of course, the next attack won't be something dumb like ICMP - they'll try something new, either because they learned a lesson from the people who did this one, or because they suspect they'll get their butts kicked if they try this method. For instance, I'd really rather *not* see the next Outlook Email Virus mail stuff to the root servers, or to randomized non-existent 2LD.COM addresses... I'm sending you this DNS request in order to have your advice
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Those of you who actually took the time to read my essay, "Cyberwar: How Terrorists Could Defeat the U.S., and Why They Won't," (requires Acrobat 5, not 4.) might get a chill running up your backs when you read this. I'm still sticking to my original thesis, however: The Internet won't be brought down by terrorists because corporations and governments need it, and the terrorists serve the interests of corporations and governments. Regardless, I hope this DNS attack isn't a prelude to a bigger operation. Note how they say that it just ran for an hour and then stopped! Note this story, which detailed the creation of attack zombies with P2P capabilities, allowing them to be targeted at will. Also note that a top infrastructure protection analyst was just killed by the Maryland area sniper! And within a couple of days we see the largest DDOS attack on root DNS systems ever!? (Long Pause) Keep a sharp eye out for weirdness, folks, something BIG might be coming down:
Here's what I wrote back on September 14, 2002:
Maybe the terrorists start taking out some or all of the thirteen root domain name server systems (I think there are still 13) or interrupting communications to those root servers [today's DDOS incident]. (Thankfully, a couple of these systems are located in places that have people with guns guarding them.) These root servers are used by thousands of other lower level domain name systems and receive about 300 million requests per day.
Domain name systems are used to translate human readable URLs, like www.cryptogon.com into machine usable IP addresses like 209.115.132.59. There is much concern about the root DNS systems. Many articles on this topic are easily accessible. Much of the concern, however, is focused on hackers DOSsing the root servers. Again, this misses the point.
What is the physical security like at the non-military root DNS facilities?
I've driven by one of the buildings hundreds of times because I used to live near it. It looks just like any other small office building. How long would this place hold up against a few armed terrorists who were willing to die TO BRING DOWN A ROOT DNS NODE? Think about it. The same goes for the data centers mentioned previously. Surely these places should have armed security. But even if they did, are they prepared to stop terrorists who have no intention of ever getting out alive?
Here's what just happened:
The heart of the Internet sustained its largest and most sophisticated attack ever, starting late Monday, according to officials at key online backbone organizations.
Around 5:00 p.m. EDT on Monday, a "distributed denial of service" (DDOS) attack struck the 13 "root servers" that provide the primary roadmap for almost all Internet communications. Despite the scale of the attack, which lasted about an hour, Internet users worldwide were largely unaffected, experts said.
FBI officials would not speculate on who might have planned or carried out the attack.
David Wray, a spokesman for the FBI's National Infrastructure Protection Center (NIPC), said the bureau is "aware of the reports and looking into it."
DDOS attacks overwhelm networks with an onslaught of data until they cannot be used. According to security experts, the incident probably was the result of multiple attacks, in which attackers concentrate the power of many computers against a single network to prevent it from operating.
"This was the largest and most complex DDOS attack ever against the root server system," said a source at one of the organizations responsible for operating the root servers.
The more serious attacks using Windows would be easier to implement with a wetware-propagated Trojan Horse, such as a popular Kazaa-replacement client, or else with Yet Another Windows Outlook Email Virus. I'm sending you this DDOS client in order to have your advice.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
What really sucks about this is the people that bitch about "not having their Internet" are the ones potentially causing the problem with unprotected computers. We know nothing this massive could be caused without some kind of trojaned DDoS network, and the way those get propagated is through ignorant users.
No sig for you. YOU GET NO SIG!
The people that did this are only hurting themselves in the long run, because I would bet a majority of their lives are spent on the internet. If their main goal is to bring down the internet, what are these 13 year old boys going to do when they succeed?
There's no "I" in Linux.. err..
Go look at Where Wizards Stay Up Late.
BBN designed the (D)ARPAnet, and nuclear war had nothing to do with it. Read up before you perpetuate an urban myth.
Jouster
This raises another question; of the ones which survived, which OS's were they running? It would be interesting indeed if the only surviving name servers were the ones running a specific OS...
I just sent an e-mail to my work e-mail account.
Apparently I made a mistake in my named.conf file...
Code, Hardware, stuff like that.
1. every DNS zone (including the . root zone) has a TTL (time to live) - the amount of time you are allowed to keep the results of a query. The idea being that if a server looks up a zone, e.g. foobar.com, it doesn't have to look again until the TTL runs out. This is typically about 24 hours for an average .com domain (but can be set to whatever the controller of the domain's DNS likes)
2. The TTL of the . root zone is* 6 months. This means an ISP's server only has to recheck a top level domain (.org, .com, .net) every 6 months. This means that if all the top level DNS servers were out for say a day, then 99% of the other servers out there wouldn't even notice, as they wouldn't need to query the roots for on average another 3 months. Sure, if the root servers were down for longer, the TTL would run out on more and more DNS servers, but in principle the root servers would have to be down for a sustained time to start to significantly affect the Internet's DNS.
* - the TTL of the root domains at the moment has been changed to 3 hours, presumably as they are changing the top level infrastructure and need to have the change propagate quickly.
3. this is why all ISPs who have correctly setup DNS servers would not have noticed anything. If you run your own DNS server on your home box, and don't run it all the time, you'll be checking the root servers the first time you do a DNS query when you switch your machine on; so would probably notice something. Lesson - use your ISP's DNS server to resolve domains!
" To steal ideas from one person is plagiarism; to steal from many is research. "
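The three numbered points above can be checked with a toy caching resolver. This is an added example, not code from the thread; it models one resolver, one name (example.com) and a root outage starting at t=0, with the 6-month and 3-hour root TTLs taken from the post and everything else constructed. The serve_stale switch models the pdnsd behaviour another poster mentions: reuse an expired answer when the refresh fails.

```python
"""Added example (not from the thread): a toy caching resolver showing how the
TTL on the root zone's delegations hides a short root-server outage from a
resolver that has a warm cache, and why a cold resolver notices it at once.
Timing values are simulated seconds; addresses and server names are constructed."""
from dataclasses import dataclass, field

SIX_MONTHS = 180 * 24 * 3600   # root NS TTL the post describes
THREE_HOURS = 3 * 3600         # temporary root TTL from the footnote
ONE_DAY = 24 * 3600            # typical TTL for an ordinary .com zone


@dataclass
class Resolver:
    root_ttl: int
    serve_stale: bool = False                      # pdnsd-style fallback to expired data
    cache: dict = field(default_factory=dict)      # name -> (answer, expires_at)
    root_queries: int = 0                          # how often we had to ask a root

    def _fresh(self, name, now):
        entry = self.cache.get(name)
        return entry[0] if entry and entry[1] > now else None

    def resolve(self, name, now, root_up=True, tld_up=True):
        """Resolve name at simulated time now; return the answer or None."""
        tld = name.rsplit(".", 1)[-1]
        # Step 1: the referral for the TLD, which only the roots can give us.
        tld_ns = self._fresh(tld, now)
        if tld_ns is None:
            self.root_queries += 1
            if root_up:
                tld_ns = f"ns.{tld}-servers.invalid"          # constructed answer
                self.cache[tld] = (tld_ns, now + self.root_ttl)
            elif self.serve_stale and tld in self.cache:
                tld_ns = self.cache[tld][0]                   # expired, but usable
            else:
                return None
        # Step 2: the name itself, from the TLD/zone servers, cached for its own TTL.
        answer = self._fresh(name, now)
        if answer is None:
            if tld_up:
                answer = "203.0.113.10"                       # constructed answer
                self.cache[name] = (answer, now + ONE_DAY)
            elif self.serve_stale and name in self.cache:
                answer = self.cache[name][0]
            else:
                return None
        return answer


def failures_during_outage(root_ttl, warm_cache, serve_stale=False,
                           outage_len=3600, step=600):
    """Look up example.com every `step` seconds through a root outage that
    starts at t=0 and lasts outage_len seconds.

    warm_cache=True means the resolver last resolved the name a day and a
    second earlier, so the A record has just expired but the TLD referral is
    still valid under a 6-month root TTL. Returns (failed lookups, root
    queries attempted during the outage)."""
    r = Resolver(root_ttl, serve_stale)
    if warm_cache:
        r.resolve("example.com", now=-ONE_DAY - 1)
    before = r.root_queries
    failed = 0
    for t in range(0, outage_len, step):
        if r.resolve("example.com", now=t, root_up=False) is None:
            failed += 1
    return failed, r.root_queries - before


if __name__ == "__main__":
    for ttl, label in ((SIX_MONTHS, "6-month root TTL"), (THREE_HOURS, "3-hour root TTL")):
        print(label, "warm:", failures_during_outage(ttl, True),
              "cold:", failures_during_outage(ttl, False))
```

Under the 6-month TTL a warm resolver never touches the roots during the hour-long outage, while the cold resolver (the "home box you switch on" case) fails every query; under the temporary 3-hour TTL even the warm resolver fails unless it is willing to serve stale data.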
The alternative is to use a set of name-servers that isn't part of root-servers.net, then. Partly you gain in reliability through using them as forwarders for existing TLDs, but you also stand to gain your own TLDs as well.
:)
Can't say *I* noticed any DNS problems on the colo server or at home yesterday...
Whatever happened to TRNS and friends?
~Tim
--
Rushing on down to the circle of the turn
10 of 13 root servers are physically located within the United States.
I am unaware of one of the remaining three being located in Croatia.
If it upsets you that US law enforcement is protecting interests owned or located within the United States, perhaps instead of complaining about the big bad US you could take steps to encourage development of higher level backbone resources in your country of choice.
The Internet is generally stupid
It was 500,000 people downloading patches for Planes of Power.
May be redundant, but it's now on
Yahoo! News.
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
In spite of the responses by UUNet and others that sounded like claims that they gained control internally and ended the attack, chances are the attackers stopped it intentionally after they themselves detected tracking attempts by their victims.
UUNet/MCI has known that its network has hidden vulnerabilities since July of this year when I contacted them about similar symptoms on their customers' networks, and that there was a fix. The US House and Senate Armed Services Committees were contacted over a month ago about this issue in light of the obvious national security implications. MCI's Legal Department knew, in their words, 'that their network had these problems' and that it was a matter of time before this happened but so far have refused to negotiate for my help to show them how to fix their net's probs claiming they were working on it 'internally.'
Moderation in All Things... Especially Moderation - gurutc
I'd have to agree with you on that!
I have a number of friends working in the field of physical therapy and they consider chiropractors as a threat to public health. The PTs tell horror stories about people who've been going to chiropractors for years and being "adjusted" rather than talking to a Dr. who can refer them to a PT who will help them fix the problem (through exercise and stretching)
I had some knee problems and talked to a good friend of mine.. She spent 5 minutes diagnosing the problem (an imbalance in the strength of the muscles on each side of my thigh causing the kneecap to slide across the knee as well as along it).. She told me to buy a new pair of shoes because the soles on my current pair were worn unevenly and that was probably the cause of the problem. Then she recommended a few exercises and some stretching techniques.. After a few weeks, my knee felt great and I haven't felt any pain in 2-3 months..
Yeah, it was an attempt and a fairly lame one, too. I should have been blunt: I was originally talking about home users on windows machines with DSL/cable needing to patch/firewall their machines. Hence that whole "preaching to the choir" thing. Anyone that assumes the root servers aren't very well taken care of is a fool. And as you can see from some of the replies I got, there are more than a couple living here...
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
Oh, and it's not Windows users that are the issue. It's not like people who use Windows are a lower life form, it's that (a) 90% of users use Windows, and (b) Probably 70% of users aren't technically savvy about their PC. Cross the 2 together, and you'll have an awful lot of unsavvy Windows users.
>I don't notice medical doctors getting bored with their patients and for a joke amputating a leg instead of an ingrowing toenail because the patient was too stupid to cut their nails correctly and wear the right footwear.
But you do notice that if you constantly harm yourself after being told something is bad for you that you end up in a psychiatric ward.
Let's put it this way: If you owned a car and didn't put oil in it, blew up the engine, and were told you need to put oil in the next car, but didn't and blew that one up too, the entire world would laugh at you. Especially the mechanic. And if it were a company mechanic, and not Midas mufflers, so he isn't getting paid by the job, don't expect the car to get fixed anytime soon. In fact, expect your boss to call you an idiot.
For some reason, in the world of computers, it doesn't work like this. If you consistently break your computer in the same way in an office, the boss isn't likely to call you a moron, and you're still going to get it fixed as fast as the first time. Maybe calling that person an idiot is what needs to happen to get these users to respect their computers. Whatever is happening now sure isn't working.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
You're assuming a few things that you don't acknowledge:
These are not always true. I always configure myself, and my customers, to use their own Linux box running dnscache to query and cache DNS requests because it is fast, secure, and uses a stable memory size. Relying on my ISP for DNS service is solely a backup plan (your OS does allow you to specify backup DNS servers, right?), regular resolution is done by each machine's copy of dnscache.
- Michael T. Babcock (Yes, I blog)
Not really. Like I said in a previous post, attempting to take down the internet by DDOSing root DNS is kind of like trying to chop down a sequoia tree with a piece of fried chicken. It won't actually do anything but make a mess around the tree (which, btw, will recover from the relatively trivial amount of damage), it's the wrong tool for the job to begin with, and the person doing this if found would probably just be thrown in jail for little more than being a blithering idiot.
This sig no verb.
Maybe I'm just being paranoid, but to me this seems like it's a probing attack. Now that the attack is done, they know exactly what they need to do to kill the servers:
Go a little bigger and have it last 12+ hours.
Now that would start some serious problems.
Patience and professionalism are a must in IT support. You wouldn't last long without them. I am not sure how your analogy applies. Some users are too stupid to understand the problem they are having, and I am guilty of not trying to explain it to them (just fixing it and then feeding them BS), but I don't take things (legs) away from them if they can't operate them properly. What frustrates me is the people that can't perform their job without calling IT support at least once a day, often about the same problem that has been carefully explained to them numerous times. These people shouldn't have jobs...but I suppose I wouldn't have a job if it wasn't for them.
FoundNews.com - get paid to blog.,
"Except that I could not see how to get the record serving and caching DNS on the same IP address since they both run on UDP 53."
Read what I wrote. You have TinyDNS running on 127.0.0.1, and have dnscache on your public IP. Then you have your DNSCache refer to your 127.0.0.1 for every query relating to your domains.
But you should understand that is a dumb way of having your DNS setup anyways. For networks that need DNS resolution, only cached queries matter. For sending out requests for domains you have authority over, you want to be using the latest DB dumps anyways. There is no excuse for having two opposed functions on one server, but djbdns does not prohibit this bizarre configuration.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
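The djbdns layout described across this thread (zone records dumped from a database into tinydns-data text, sorted into one file, and a public dnscache that hands queries for the hosted zones to tinydns on 127.0.0.1) can be generated in one place. This is an added example and not the poster's Perl DBI script; the record rows, zone name and addresses are constructed, and the record-type prefixes are those of the tinydns-data format.

```python
"""Added example (not the poster's script): build a tinydns-data 'data' file from
database-style rows and the dnscache 'servers/<zone>' files that point a public
dnscache at tinydns on the loopback, the split described in the thread.
Rows, zone and addresses are constructed; 'data' is what tinydns-data compiles
into data.cdb."""
import os
import tempfile

# Constructed stand-in for the rows a DB dump would produce:
# (zone, type, name, value, ttl)
RECORDS = [
    ("example.org", "NS",    "example.org",      "ns1.example.org",  86400),
    ("example.org", "A",     "ns1.example.org",  "192.0.2.53",       86400),
    ("example.org", "A",     "www.example.org",  "192.0.2.80",        3600),
    ("example.org", "MX",    "example.org",      "mail.example.org",  3600),
    ("example.org", "A",     "mail.example.org", "192.0.2.25",        3600),
    ("example.org", "CNAME", "ftp.example.org",  "www.example.org",   3600),
    ("example.org", "TXT",   "example.org",      "v=spf1 mx -all",    3600),
]


def tinydns_line(rtype, name, value, ttl):
    """Render one record as a tinydns-data line."""
    if rtype == "NS":       # '.' emits NS plus an SOA for the zone; ip field left empty
        return f".{name}::{value}:{ttl}"
    if rtype == "A":        # '=' emits A plus the matching PTR ('+' would be A only)
        return f"={name}:{value}:{ttl}"
    if rtype == "MX":       # @fqdn:ip:x:dist:ttl with the ip field empty
        return f"@{name}::{value}:10:{ttl}"
    if rtype == "CNAME":    # Cfqdn:p:ttl
        return f"C{name}:{value}:{ttl}"
    if rtype == "TXT":      # 'fqdn:s:ttl, with ':' in s escaped as \072
        escaped = value.replace(":", "\\072")
        return f"'{name}:{escaped}:{ttl}"
    raise ValueError(f"unsupported record type {rtype}")


def build_data(records):
    """The complete 'data' text, sorted the way the post pipes its dumps through sort."""
    lines = {tinydns_line(*row[1:]) for row in records}
    return "\n".join(sorted(lines)) + "\n"


def dnscache_delegations(records, loopback="127.0.0.1"):
    """Map zone -> contents of dnscache's servers/<zone> file.

    dnscache forwards queries for a zone to the IPs listed in $ROOT/servers/<zone>
    instead of walking from the roots; listing the loopback sends them to the
    tinydns instance bound to 127.0.0.1."""
    return {zone: loopback + "\n" for zone in {row[0] for row in records}}


def write_tree(records, root=None):
    """Write data and servers/* under root (a fresh temp dir when None).
    Returns the sorted list of delegation files written."""
    root = root or tempfile.mkdtemp()
    servers = os.path.join(root, "servers")
    os.makedirs(servers, exist_ok=True)
    with open(os.path.join(root, "data"), "w") as f:
        f.write(build_data(records))
    for zone, body in dnscache_delegations(records).items():
        with open(os.path.join(servers, zone), "w") as f:
            f.write(body)
    return sorted(os.listdir(servers))


if __name__ == "__main__":
    print(build_data(RECORDS))
    print("delegations:", write_tree(RECORDS))
```

The generated data file still has to be compiled with tinydns-data in tinydns's root directory, and the public dnscache must be told to listen on the external address while tinydns listens on 127.0.0.1, as the post describes.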