Internet Backbone DDOS "Largest Ever"
wontonenigma writes "It seems that yesterday the root servers of the internet were attacked in a massive Distributed DoS manner. I mean jeeze, only 4 or 5 out of 13 survived according to the WashPost. Check out the original Washington Post Article here."
With something like the root nameservers, if it was an important attack, you would have noticed. I run an ISP and we had zero complaints, even from the Everquest whiners who complain at the drop of a hat about anything.
"when uunet or at&t takes many customers out for many hours, it's not a problem
when an attack happens that was generally not even perceived by the users, it's a major disaster"
i love the press
Article: "The Domain Name System (DNS), which converts complex Internet protocol addressing codes into the words and names that form e-mail and Web addresses, relies on the servers to tell computers around the world how to reach key Internet domains."
The "IP system" should have been fine. The DNS system, which has become an integral part of the "internet" is not decentralized as regular internet infrastructure is. Yes it is supposed to withstand a nuclear war, and yes, it would have. btw, the system worked yesterday. only 4 of 13 may have survived, but the system still ran.
We can have the internet without dns, but we cannot have dns without the internet
If you blog it...
The root DNS servers are required to go from the TLD to the actual TLD's nameservers, e.g. to go from ".com" to the .com root nameservers. As a result, although critical, their results are cached with very, VERY long cache timeouts (TLD DNS servers seldom change).
Thus the hour long attack was not enough to meaningfully disrupt things, as most lookups would not require querying the root, unless you were asking for some oddball TLD like .su.
Change the attack to be several hours, or a few days, and then cache entries start to expire and people are unable to look up new domain names. But that attack would be harder to sustain, as infected/compromised machines could be removed.
It is an interesting question who or how this was achieved. There seems to be a lot of scanning for open windows shares (Yet Another Worm? Who knows) also going on in the past couple of days, but there is no clue if it is related.
Test your net with Netalyzr
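To make the caching argument in the post above concrete, here is an added example (not from the thread or any real resolver) of a toy recursive resolver that caches TLD referrals with the two-day TTL the thread mentions. The referral data, hostnames and timestamps are constructed; flipping `root_up` simulates the root servers being unreachable. It shows the three cases the post describes: a cached TLD keeps resolving during an hour-long outage, an oddball TLD that was never looked up fails immediately, and everything fails once the outage outlasts the TTL.

```python
import time

# Constructed referral data standing in for the root zone: which nameservers the
# root would hand out for each TLD. Hostnames are made up for this example.
ROOT_REFERRALS = {
    "com": ["a.gtld-servers.example", "b.gtld-servers.example"],
    "org": ["a.org-servers.example"],
    "su": ["ns.su-servers.example"],
}

# TLD NS records are cached for about two days, as the thread describes.
TLD_NS_TTL = 2 * 24 * 3600


class RootUnavailable(Exception):
    """Raised when every simulated root server is unreachable."""


class CachingResolver:
    """A toy recursive resolver that caches TLD referrals with a TTL."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache = {}        # tld -> (expiry timestamp, nameserver list)
        self.root_up = True    # flip to False to simulate the attack
        self.root_queries = 0  # how often we actually had to ask the root

    def _query_root(self, tld):
        self.root_queries += 1
        if not self.root_up:
            raise RootUnavailable("no root server answered")
        if tld not in ROOT_REFERRALS:
            raise KeyError(f"unknown TLD {tld!r}")
        return ROOT_REFERRALS[tld]

    def tld_nameservers(self, name):
        """Return the nameservers for name's TLD, asking the root only on a cache miss."""
        tld = name.rstrip(".").rsplit(".", 1)[-1]
        now = self.clock()
        cached = self.cache.get(tld)
        if cached is not None and cached[0] > now:
            return cached[1]
        servers = self._query_root(tld)
        self.cache[tld] = (now + TLD_NS_TTL, servers)
        return servers


def simulate_attack():
    """Replay the thread's scenario: an hour-long root outage, then one that outlasts the TTL."""
    clock = [1_000_000.0]            # controllable fake time
    resolver = CachingResolver(clock=lambda: clock[0])

    # Normal operation: the .com referral is fetched once, then served from cache.
    resolver.tld_nameservers("slashdot.com")
    resolver.tld_nameservers("washingtonpost.com")
    result = {"root_queries_before": resolver.root_queries}

    # The root servers become unreachable for an hour.
    resolver.root_up = False
    clock[0] += 3600

    try:
        resolver.tld_nameservers("example.com")
        result["during_cached_tld"] = "ok"
    except RootUnavailable:
        result["during_cached_tld"] = "failed"

    try:
        resolver.tld_nameservers("something.su")     # never looked up before
        result["during_uncached_tld"] = "ok"
    except RootUnavailable:
        result["during_uncached_tld"] = "failed"

    # The attack continues until the cached .com referral expires.
    clock[0] += TLD_NS_TTL
    try:
        resolver.tld_nameservers("example.com")
        result["after_ttl_expiry"] = "ok"
    except RootUnavailable:
        result["after_ttl_expiry"] = "failed"

    return result


if __name__ == "__main__":
    print(simulate_attack())
```

The only root query in the whole run is the first one; everything after that rides on the cache until it expires, which is exactly why an hour-long attack goes unnoticed and a multi-day one would not.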
It Couldn't have been...
I was using the computer in Afghanistan to surf pr0n.
The heart of the Internet sustained its largest and most sophisticated attack ever
I've never considered DDOS all that sophisticated myself. It seems to me that "wow a script kiddie got more systems under his control than usual" more than "a great cracker is on the loose". Though I suppose if it were a great cracker then they could have been proving themselves by predicting the attack.
Despite the scale of the attack, which lasted about an hour, Internet users worldwide were largely unaffected, experts said.
Indeed, no traffic slowdown, no more than usual support calls. The system works as expected, even under attack.
Worth a read: Caida DNS analysis, and more specifically those graphs. It would be interesting to know which DNS sustained the attack, in regard to the graphs.
have you been defaced today?
I am not an expert but surely these servers connect to the net through some sort of router/hub whatever. The servers are made to handle a lot of traffic but what about the connecting hardware. If the routers were attacked directly wouldn't the DDOS attack still be successful without touching or alerting the dns servers themselves.
It's an interesting idea, but it doesn't quite work like that. The routers we're talking about here (I imagine that most of the root servers are on 100BT or Gigabit Ethernet LANs which then plug into one or more DS-3s [45 Mbps] or more likely OC-3s [155 Mbps]) are designed to be able to handle many, many times more traffic than the servers are. Your average Cisco 7xxx or 12xxx router is built to handle far more traffic than any given server might see. Think about it ... you generally have many servers being serviced by one router, not the other way around. Additionally, each root server is most likely connected to multiple routers (say, they're hosted at an ISP with three DS-3s to different providers and each DS-3 is plugged into a different Cisco 7500).
Also I doubt that the routers are setup to recognize any kind of attack as they are just relays between the net and the server. Possibly the attack could go on for quite some time before any one realized what was going on.
Actually, it's the other way around. Most good routers are designed to have the ability (if you enable it) to look inside of the packets that pass through them and filter out "bad" ones based on various criteria. Thus, routers are actually perfectly suited to stopping attacks like this, while servers are expected to burn their CPU cycles doing other things (yes, servers can do this sort of filtering, but they generally have something more important to do). The only real problem is that it's often very difficult to tell the "good" packets from the "bad." After all, how do you distinguish automatically between a distributed flood of HTTP malicious requests and a Slashdotting? You get the idea.
"95% of all Slashdot
DNS is hierarchical, both in naming and in server implementation. Small ISPs cache their DNS from more major providers, up until the A to J.ROOT-SERVERS.NET main Internet servers. There is in fact one critical file, but it is mirrored to the 13 root servers, and domain look-ups are cached at the ISP level. I'm not surprised most Internet users were not affected, you wouldn't be affected if several large mail servers were DDoSed would you?
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
Hehe, that's the opposite of true. If anything, your performance would've increased (assuming you could reach the server at all), because other internet users were unable to expend your shared bandwidth.
If you want to see in gory detail what a DDOS attack looks like in relation to what NORMALLY happens to these servers, try here. Notice the really big spike. As if you could miss it.
"The Domain Name System (DNS), which converts complex Internet protocol addressing codes..."
And I suppose the person who wrote this article would consider arithmetic a complex system of digits and symbols.
come on fhqwhgads
I'm not too sure I'd call the USA the most democratic nation in the world, but that's a discussion for a totally different time and place.
The Internet's roots have nothing to do with democracy. Quite the opposite, your military wanted a communications network that could survive a nuclear holocaust so that it would be the first to rebuild and conquer the world when the evil reds launched the first nuke.
Most of the TLDs are in the USA because the DNS system was created in the USA, and was largely hosted by US providers. It's too much trouble to move them, and of limited benefit. If they ever decide to add new ones, it's likely that they'll put at least one in Japan, and probably a couple in Europe.
Even so, though, the main reason for their dispersal is to survive a nuclear attack that takes out one or two. I don't know if you've looked at a map recently, but the USA is big. It's not like all 13 of the TLD servers are located in a trailer in rural Kentucky. You'd have to carpet bomb the entire USA to be sure of taking out all 13 of them, and frankly, if somebody had the resources to turn the entire country into a self-illuminating glass-floored parking lot, the Internet would be the least of my worries.
If you believe everything you read, you'd better not read. - Japanese proverb
Disclaimer, I work for VeriSign. This is a personal opinion, not company policy. The details of the disaster recovery scheme are of course confidential. However I can tell people that we did think about these issues during the design. We have always known that people might think the DNS was a single physical point of failure for the internet. That is why we designed it so that it is not.
There are multiple locations. The 'A root' is NOT a single machine. There are actually multiple instances of the A root with multiple levels of hotswap capability.
Incidentally it is no accident that the VeriSign root servers stayed up. They were designed to handle loads way beyond normal load. The ATLAS cluster is reported to handle 6 billion transactions a day with a capacity very substantially in excess of that.
Even if all the A roots were physically destroyed the roots can be reconstructed at other locations. Basically all that is needed is a site with a very fast internet connection. In the case of a major terrorist attack AOL or UUNet or even an ARPAnet node could be commandeered. The root could even be moved out of the country entirely, British Telecom is a VeriSign affiliate, there are also several other affiliates with nuclear hardened bunkers.
Most Americans have only been thinking about terrorism since 9-11. VeriSign security was largely designed by people who thought about terrorism professionally, unless of course they were in charge of securing nuclear warheads.
All a terrorist could do is to kill a lot of people, there is absolutely no single point of failure. Even if the entire constellation is destroyed it would result in an outage of no more than a day given the resources that would become available in the aftermath.
The attackers were idiots. They used ICMP echo requests (easily filterable, since the DNS servers don't _have_ to answer those) and quit after an hour. More publicity stunt than actual attempt to damage, IMNSHO.
I've been trying to publish a paper about exactly this (and how to redesign DNS to avoid the vulnerability) and I'm just pissed that they didn't tell me in advance so that I could do some measurements. :)
The stats for the h.root servers are available for the time period of the attack. Seems as though the h servers were taking in close to 94Mbits/second for a while.
More links to server stats can be found at Root Servers.org and some background is available at ICANNWatch.
There's only one critical file? Hey, just email it to me, I'll keep it on my hard drive. If anyone needs it, just shoot me an email.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
HACZBY : FADABOI
CORPZ : MVDOMIZN HELLO TO KOTARI ON UNDERNET
Well, this shouldn't take the FBI long. A quick Google search shows that Undernet's Kotari owns the domain www.kotari.com, which he's recently taken down but still shows whois records..
--
Mod up a post Rob doesn't like and you'll never mod again
How do you plan on enforcing this, sir?
Seriously. How do you plan on enforcing this? Not only is it a huge expenditure of resources to track down the number of computers used in the attacks, to track down their IP addies, to obtain the needed court orders to obtain their ISP's logs, the resources to parse those logs to find out who was logged on, and *then* go about prosecuting the offenders, what would it accomplish?
If Code Red taught us anything, it's that the dumb won't change a thing about the way they work, regardless of how much the internet community ridicules them. It's also completely nuts to punish the ISPs for this... where does it stop? I'm pretty sure that some AOL clients were responsible (and while I wouldn't complain about no AOL'ers for a while, I bet they would). How about people who buy their access directly from UUNet? Gonna block out UUNet for a month?
Even if you could implement that punishment of the ISPs, it wouldn't accomplish much. It wouldn't hurt me at all if I was blocked from direct access to the TLD servers, because inside my network I'm running a mirror. My ISP is running a mirror. I know of a dozen open DNS servers on the internet. I'm betting I could find at least one that wouldn't block me.
Seriously, though. It's great to say we should punish these people for not securing their systems, but you have to understand just how many computers would be needed for this attack. The TLD servers aren't running on 64k ISDN: they're on OC48 at least. There's 13 of them. The kind of bandwidth needed to adequately DoS them is obscene. You either do it the dumb way and use 50 computers running on the fastest connection available, or you use *hundreds* of computers, possibly thousands or tens of thousands.
Looks great on paper, but realistically there's not much point in ranting like this. Besides... if it wasn't for the article, I'm betting that most of the world wouldn't have noticed.
If you believe everything you read, you'd better not read. - Japanese proverb
The attack came in and removed some entries from bind database (we use oracle to store our bind data)..
Unbreakable.
I only noticed it because I use my own DNS server to resolve requests; and pay close attention whenever I see any problems resolving host names (there is the possibility of it being a bug with my software).
The person who orchestrated this attack is not very familiar with DNS. Attacking the root name servers is not very effective; all the root servers do is refer people to the .com, .org, or other TLD (top-level-domain) name servers. Most DNS servers remember the list of the name servers for a given TLD for a period of two days, and do not need to contact the root servers to resolve those names. While some lesser-used country codes may have had slower resolution times, an attack on the root servers which only lasts an hour can not even be felt by the average end user.
In the case of MaraDNS, if a DOS (denial of service) is happening against the root servers, MaraDNS will be able to resolve names (albeit more slowly for lesser-used TLDs) until every single root server is successfully DOS'd.
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
Why?
It's really easy to setup a system which dumps your SQL database out to a TinyDNS file. TinyDNS is provably secure software. I would expect that you would use it on the root servers, since it's designed to work at very high levels of output/uptime, and be attack resistant to the point of being attack proof.
Say what you will about D. J. Bernstein, he does have a very capable DNS solution available.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Verizon gives its users 3 servers for translating numbers to names: vnsc-pri.sys.gtei.net (4.2.2.1), vnsc.bak.sys.gtei.net (4.2.2.2), vnsc-lc.sys.gtei.net (4.2.2.3), and for internal use, i-will-not-steal-service.gtei.net (4.2.2.4) Actually, an interesting note on how this is configured. Genuity (aka GTEI aka BBN Planet), who hosts these DNS resolvers, has a simple, but effective distribution system for redundancy. There are actually several servers on AS 1 that will respond as 4.2.2.1 or .2. /32 routes are sprinkled into IGP within the network to try and route requests to the "closest" server that can answer the request. If one is in trouble, simply pull the route to it, and requests route elsewhere. It's not foolproof, as a DDOS would likely come from all borders and overwhelm all of the various servers, but it's pretty effective nonetheless.
RW
That's what I do with BIND9.
4711 Mission Rd. - Westwood, KS (sub. of Kansas City), Tel: (913) 432-5678
Good enough for a lot of professional athletes, and they straightened me up after my car wreck.
But I don't think they can fix uunet.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
A subterranean bunker is designed to withstand nuclear wars, but what do you think would happen if the nuke was inside the bunker?
Ummm... a lot more people would be safe? That is, the people who didn't fit in the bunker...
Lack of eloquence does not denote lack of intelligence, though they often coincide.
Original Washington Post article was: "Attack On Internet Called Largest Ever"
/.
Followup article, after slashdot story, was: "Attack on Washington Post Called Largest Ever".
Ah.. behold the mighty power of
In the Portland, Ore area and like card games? Check out: http://groups.yahoo.com/group/portlandgames/
Most good routers are designed to have the ability (if you enable it) to look inside of the packets
Hmmm, last I looked at the Cisco feature set (or the like from Foundry and Nortel and what have you), it was a challenge to put in rules that
a) didn't take out significant "good" traffic, and
b) did take out significant "bad" traffic.
I agree that rate limiting ICMP traffic is an appropriate answer, especially in the light of this particular attack, but I'm appalled by the number of illiterate dorks who copy snippets titled "how to block all ICMP" from a textbook into their firewall without the slightest understanding of why ICMP was implemented in the first place.
I hate to think of what could happen if the 31334 hackers really start mixing attacks.
I positively _love_ WD40, but I will not apply it to reduce the squeaking of my car's brakes. Too many people use the Internet equivalent of WD40 on their network brakes.
Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
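Two posts above make the same defensive point from different angles: the ICMP echo flood was easy to filter because a DNS server need not answer pings, and the wrong reaction is a blanket "block all ICMP" rule that also kills the error messages path MTU discovery and traceroute depend on. Here is an added example (mine, not from either poster or any vendor's feature set) of the rate-limiting policy Bert describes, run over a constructed packet log: a per-source token bucket that applies to ICMP echo requests only and lets every other ICMP type through. Source addresses, rates and the type constants' usage are assumptions for the sake of the demo.

```python
from collections import defaultdict

ICMP_DEST_UNREACH = 3    # carries "fragmentation needed" for path MTU discovery
ICMP_ECHO_REQUEST = 8    # ping
ICMP_TIME_EXCEEDED = 11  # what traceroute relies on

TOKEN_SCALE = 1000       # work in milli-tokens and milliseconds to avoid float drift


class EchoRateLimiter:
    """Per-source token bucket applied to ICMP echo requests only.

    Every other ICMP type passes untouched, so path-MTU and traceroute
    messages keep working while a ping flood is throttled.
    """

    def __init__(self, rate_per_sec, burst):
        self.refill_per_ms = rate_per_sec        # milli-tokens per millisecond
        self.capacity = burst * TOKEN_SCALE
        self.buckets = {}                        # src -> (milli-tokens, last_ms)

    def decide(self, ts_ms, src, icmp_type):
        if icmp_type != ICMP_ECHO_REQUEST:
            return "accept"
        tokens, last_ms = self.buckets.get(src, (self.capacity, ts_ms))
        tokens = min(self.capacity, tokens + (ts_ms - last_ms) * self.refill_per_ms)
        if tokens >= TOKEN_SCALE:
            self.buckets[src] = (tokens - TOKEN_SCALE, ts_ms)
            return "accept"
        self.buckets[src] = (tokens, ts_ms)
        return "drop"


def build_sample_traffic():
    """Constructed packet log: (timestamp_ms, source, icmp_type) tuples."""
    packets = []
    # A legitimate host pinging once per second for ten seconds.
    for i in range(10):
        packets.append((i * 1000, "192.0.2.10", ICMP_ECHO_REQUEST))
    # Twenty flood sources each sending 100 echo requests per second for two seconds.
    for s in range(20):
        src = f"198.51.100.{s + 1}"
        for k in range(200):
            packets.append((k * 10, src, ICMP_ECHO_REQUEST))
    # ICMP error messages that a blanket "block all ICMP" rule would also kill.
    packets.append((500, "203.0.113.7", ICMP_DEST_UNREACH))
    packets.append((700, "203.0.113.8", ICMP_TIME_EXCEEDED))
    packets.sort(key=lambda p: p[0])
    return packets


def apply_policy(packets, rate_per_sec=5, burst=10):
    """Run the limiter over a packet log; return per-source accept and drop counts."""
    limiter = EchoRateLimiter(rate_per_sec, burst)
    accepted, dropped = defaultdict(int), defaultdict(int)
    for ts_ms, src, icmp_type in packets:
        if limiter.decide(ts_ms, src, icmp_type) == "accept":
            accepted[src] += 1
        else:
            dropped[src] += 1
    return dict(accepted), dict(dropped)


if __name__ == "__main__":
    ok, dropped = apply_policy(build_sample_traffic())
    for src in sorted(set(ok) | set(dropped)):
        print(f"{src:16} accepted={ok.get(src, 0):4} dropped={dropped.get(src, 0):4}")
```

With a budget of 5 pings per second and a burst of 10, the once-a-second host never loses a packet, each flood source gets 19 of its 200 requests through and the rest dropped, and the two ICMP error messages are untouched. The bucket is keyed per source because a flood from many hosts would otherwise starve the one legitimate host of its share.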
A warrant
--Joey
The DNS system provides an "MX" resource-record for handling mail exchangers. Before the MX record, to send mail one would resolve the DNS using an A record, and connect to the resulting IP address. Nowadays, *@foobar.com doesn't have to always be handled by 140.186.139.224. In fact, there is a nice system set up for prioritizing mail handlers, built into DNS's MX records:
To answer your question, you can use IP addresses. But you'll be missing out on the prioritized DNS mail system. And don't worry about this being offtopic, the article isn't all that interesting anyways--I'd rather teach someone something interesting than write lame drivel about some "backbone DDoS" that's not even a backbone DDoS. Hey, it's about the structure of the Internet...
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
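The MX prioritisation the post above describes, as an added example (not the poster's code and not a real zone): a constructed set of DNS answers, a function that orders exchangers the way RFC 5321 section 5.1 says a sending MTA should (lowest preference first, ties in random order, the domain's own A record only when there is no MX at all), and a delivery loop that falls through to the next exchanger when one is down. The domain names, addresses and the `reachable` set are made up.

```python
import random
from collections import defaultdict

# Constructed zone data standing in for DNS answers (not a real zone).
# MX values are (preference, exchanger); lower preference is tried first.
ZONE = {
    "foobar.example": {
        "MX": [(10, "mail1.foobar.example"), (20, "mail2.foobar.example"), (10, "mail3.foobar.example")],
        "A": ["192.0.2.1"],
    },
    "mail1.foobar.example": {"A": ["192.0.2.11"]},
    "mail2.foobar.example": {"A": ["192.0.2.12"]},
    "mail3.foobar.example": {"A": ["192.0.2.13"]},
    "a-only.example": {"A": ["192.0.2.50"]},   # no MX at all: pre-MX style delivery
}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get(name, {}).get(rtype, [])


def mail_targets(domain, rng=None):
    """Order the hosts to try for mail to `domain` (RFC 5321 section 5.1):
    MX hosts by ascending preference, equal preferences shuffled, and the
    domain itself (via its A record) only when it has no MX record."""
    rng = rng or random.Random()
    mx_records = lookup(domain, "MX")
    if not mx_records:
        return [domain] if lookup(domain, "A") else []
    by_pref = defaultdict(list)
    for pref, host in mx_records:
        by_pref[pref].append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)          # spread load across equal-preference exchangers
        ordered.extend(hosts)
    return ordered


def deliver(domain, reachable, rng=None):
    """Walk the ordered exchangers and return the first that resolves and accepts.
    `reachable` is a constructed set of hosts pretending to listen on port 25."""
    for host in mail_targets(domain, rng):
        if lookup(host, "A") and host in reachable:
            return host
    return None


if __name__ == "__main__":
    print(mail_targets("foobar.example"))
    print(deliver("foobar.example", reachable={"mail2.foobar.example"}))
```

With mail1 and mail3 sharing preference 10, either may be tried first, but mail2 at preference 20 is only reached once both are down, which is the fallback behaviour that a bare A record cannot give you.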
Correct, I know of no DNS servers, even djbdns [cr.yp.to] DNS', which restrict queries to a limited IP range as is common with SMTP. There's not really a large risk in opening up your DNS to everyone, in fact, there are plenty of alternate DNS root servers [jerky.net].
You don't know what you are talking about. There are two different types of DNS servers: authoritative servers and recursive resolvers. djbdns comes with tinydns, an authoritative server and dnscache, a recursive resolver. The two are completely separate. BIND includes both in the same server, which is why many people are confused into thinking they are the same thing.
tinydns does not restrict queries to only certain IP addresses. However, it can return different information depending on the source address of the query. This is usually called split horizon DNS.
dnscache does have access control. You do not want just anyone to be able to query your recursive resolvers. With dnscache, you need to explicitly allow access for IP's that can query it.
There are not risks in opening your content (authoritative) DNS servers to everyone. There are risks in opening up your resolvers to everyone.
Ethernet is a physical transport, while TCP/IP is a protocol. In fact, TCP (transmission control protocol) sits on top of IP (internet protocol). There is also UDP on top of IP (but no one says UDP/IP that I've ever heard) and ICMP on IP. UDP are short messages that are sent without creating a link, and ICMP is for things like Ping, traceroute, etc. You can create your own protocol and use it on the internet.
You can use any physical layer: ethernet, a modem, a cell phone, wifi, bluetooth, firewire, USB, power lines, etc with IP, and similarly you can use many other protocols with Ethernet or any other link, such as IPX, NetBEUI, AppleTalk, etc.
TCP, UDP, and ICMP are tied to IP and won't work with anything else.
Then there are higher level protocols that sit on top of TCP or UDP, for example DNS sits on UDP, FTP, telnet, gnutella and others sit on TCP. Interestingly HTTP should work on other protocols as long as you can establish a link between a server and a host on it. And you have software that implements it on these other links.
There's also Ipv6, which is a newer version of IP.
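The layering the post above describes can be seen byte by byte. Here is an added example (mine, not the poster's) that builds a DNS query, wraps it in UDP, wraps that in IPv4, and then peels the layers apart again while validating both checksums. It also shows why UDP is "tied to IP": the UDP checksum is computed over a pseudo-header containing the IP source and destination addresses, so the transport layer is not independent of the network layer beneath it. The addresses, ports and query name are constructed; nothing is sent on the wire.

```python
import socket
import struct

IPPROTO_UDP = 17


def ones_complement_sum(data):
    """16-bit one's complement sum used by the IP, UDP, TCP and ICMP checksums."""
    if len(data) % 2:
        data = data + b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    return (~ones_complement_sum(data)) & 0xFFFF


def build_dns_query(name, qid=0x1234):
    """Minimal DNS question for an A record (flags 0x0100 = recursion desired)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def build_udp(src_ip, dst_ip, sport, dport, payload):
    """UDP header; the checksum covers a pseudo-header of IP addresses,
    which is why UDP cannot ride on anything other than IP."""
    length = 8 + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, IPPROTO_UDP, length)
    datagram = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = checksum(pseudo + datagram) or 0xFFFF   # RFC 768: a zero field means "no checksum"
    return datagram[:6] + struct.pack("!H", csum) + datagram[8:]


def build_ipv4(src_ip, dst_ip, payload, proto=IPPROTO_UDP, ttl=64, ident=1):
    """IPv4 header; its checksum covers only the header, never the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def build_dns_packet(src_ip, dst_ip, sport, name):
    """DNS on UDP on IP, as the thread describes."""
    return build_ipv4(src_ip, dst_ip, build_udp(src_ip, dst_ip, sport, 53, build_dns_query(name)))


def parse_ipv4_udp(packet):
    """Peel the layers apart again and validate both checksums."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    src, dst = packet[12:16], packet[16:20]
    udp = packet[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, ulen)
    return {
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "sport": sport,
        "dport": dport,
        "payload": udp[8:ulen],
        # a correct checksum makes the one's complement sum of the covered bytes all ones
        "ip_checksum_ok": ones_complement_sum(packet[:ihl]) == 0xFFFF,
        "udp_checksum_ok": ones_complement_sum(pseudo + udp[:ulen]) == 0xFFFF,
    }


if __name__ == "__main__":
    pkt = build_dns_packet("192.0.2.1", "192.0.2.53", 40000, "www.example.test")
    print(pkt.hex())
    print(parse_ipv4_udp(pkt))
```

Flipping a byte in the DNS payload leaves the IP checksum valid (it never covered the payload) but breaks the UDP one, which is the cleanest demonstration of which layer is responsible for what.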
Lonely?
Find love on the internet
If someone could kindly point me to the person or persons who launched this latest DDOS attack, I would certainly appreciate it. I hold the patent on Distributed Denial-Of-Service Attacks By Electronic Means, and I will get my day in court, and royalties due to me.
The chat is actually encrypted. If you gzip each comment, decrypt the result (56 bit encryption. Thank God for crypto export laws.), you'll see that they're actually exchanging compressed tcp/ip packets. They're using this IRC channel as a transport for their encrypted IRC session on another server, where they are coordinating their efforts to destroy Al Qaeda.
There are no trails. There are no trees out here.
"A subterranean bunker is designed to withstand nuclear wars, but what do you think would happen if the nuke was inside the bunker?"
I think everybody outside the bunker would be like "What the hell was that?!"
What my DNS server does is mandate an ACL (list of IPs allowed to make recursive queries; this can be set to "all hosts on the internet" if desired) if recursion (talking to other DNS servers) is enabled. Recursion takes a lot more work to do than authoritative requests; it is best to limit access to this.
Unlike Dan, I feel that a DNS server should be both recursive and authoritative because it allows one to customize the resolution of certain hostnames. The idea is similar to /etc/hosts, but also works with applications which ignore /etc/hosts and directly perform DNS queries. For example, I was able to continue to connect to macslash.com when a squatter bought the domain and changed its official ip; I simply set up a zone for macslash.com, and made MaraDNS both recursive and authoritative.
SMTP servers have IP restrictions at the application layer because this gives people some idea why they can't send email to a given host. A firewall restriction gives a vague "connection timed out" message in the bounce email message; application-level filtering allows the bounce message to say something like "You're from a known Spam-friendly ISP; go away".
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
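The authoritative-versus-recursive split from the djbdns post further up, and the recursion ACL plus local zone override Sam describes in the post above, fit in one small model. This is an added example (not MaraDNS, not djbdns, not anyone's posted code): authoritative answers are served to any client, recursion is only performed for clients inside an ACL and is otherwise answered with REFUSED, and a locally configured zone shadows what recursion would have returned for the same name. The networks, zone contents and the `UPSTREAM` table that stands in for the rest of the internet are all constructed.

```python
import ipaddress

# Constructed configuration. Only clients inside these networks may ask us to
# recurse; anyone may ask about zones we are authoritative for.
RECURSION_ACL = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.0/8")]

# Zones we serve authoritatively, including a local override of a public name
# (the macslash-style trick from the thread). Addresses are made up.
AUTH_ZONES = {
    "corp.example": {"www.corp.example": "192.0.2.80", "mail.corp.example": "192.0.2.25"},
    "overridden.example": {"overridden.example": "192.0.2.99"},
}

# Stand-in for what recursing out to the real internet would return.
UPSTREAM = {"www.public.example": "198.51.100.5", "overridden.example": "203.0.113.66"}


def zone_for(name):
    """Longest-suffix match of name against the zones we are authoritative for."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in AUTH_ZONES:
            return candidate
    return None


def client_may_recurse(client_ip, acl=RECURSION_ACL):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in acl)


def handle_query(client_ip, name, acl=RECURSION_ACL):
    """Return (rcode, answer, how) for an A query for `name` from client_ip."""
    zone = zone_for(name)
    if zone is not None:
        # Authoritative data is cheap to serve and public anyway; no ACL applies,
        # and a local zone wins over whatever recursion would have found.
        answer = AUTH_ZONES[zone].get(name)
        return ("NOERROR", answer, "authoritative") if answer else ("NXDOMAIN", None, "authoritative")
    if not client_may_recurse(client_ip, acl):
        # Recursion costs real work and is abusable from outside; refuse it.
        return ("REFUSED", None, "recursion denied")
    answer = UPSTREAM.get(name)   # simulated recursion
    return ("NOERROR", answer, "recursive") if answer else ("NXDOMAIN", None, "recursive")


if __name__ == "__main__":
    for client, name in [("203.0.113.9", "www.corp.example"), ("203.0.113.9", "www.public.example"),
                         ("192.0.2.5", "www.public.example"), ("192.0.2.5", "overridden.example")]:
        print(client, name, handle_query(client, name))
```

The outside client gets a real answer for the zone we own and REFUSED for everything else, while the inside client gets recursion, except for the overridden name, where the local zone answers first and the upstream value is never consulted.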
They'll have to pry my nuclear weapon out of my cold dead fingers. A man has a right to protect himself. Would you want to participate in a nuclear war without a nuclear weapon? Bringing a knife to a nuclear war ain't smart.
Ask Slashdot: My bunker had a nuclear weapon which disassembled itself as designed. Should I repair the bunker the way it was? Or should I remodel to make use of the larger space which is now available? Is water cooling better than air chillers? What bunker mods are your favorites?
Only if you're running older versions of BIND. Current versions of BIND can be easily chroot jailed and run as a user that isn't root (even the old, vulnerable versions could be run as non-root - a lot of the problem is that RedHat 6 installed BIND by default running as root).
The root servers run BIND.
Oolite: Elite-like game. For Mac, Linux and Windows