Slashdot Mirror


DOS Attacks On DNS Provider

Greedo writes "Seems like UltraDNS was hit with a denial of service attack this weekend. Since these are the guys who are supposed to be running the .ORG DNS, and in light of recent attacks on the gTLD roots, attacks against DNS servers should be treated very seriously. What kind of protection can be had? What happens when an attack like this brings down an entire TLD? Do you want to give control of an entire gTLD to one organization? Read a follow-up discussion on comp.protocols.dns.std."

224 comments

  1. Why attack the DNS-servers? by 10Ghz · · Score: 5, Funny

    I mean, isn't that a bit counterproductive?

    "Yes, I brought the entire DNS-system crashing down! I'm l337! Now, all I have to do is to go online and brag about my exploits... Hmmm... There seems to be something wrong with my net-connection..."

    --
    Lesbian Nazi Hookers Abducted by UFOs and Forced Into Weight Loss Programs - -all next week on Town Talk.
    1. Re:Why attack the DNS-servers? by Anonymous Coward · · Score: 3, Funny

      if they're that 1337, they'll know all their favorite webpages by ip address.

    2. Re:Why attack the DNS-servers? by Anonymous Coward · · Score: 1, Interesting

      Why brag about it when you can read it in every newspaper on the next day? (If the attack was large enough!)

    3. Re:Why attack the DNS-servers? by greechneb · · Score: 4, Interesting

      Not when you are trying to make a political statement. I don't know if anyone has claimed responsibility for this yet, or if anyone will. But it would be a great way to scare the general public. It won't necessarily be as terrifying as hijacking planes, but it can spread some fear into many people. (mainly IT types)

      But as the world becomes more dependent on the internet, expect more attacks to resemble this one. Take down the infrastructure, and watch the rest tumble without it.

      Plus you don't have to commit suicide to terrorize the public. - Of course that means no virgins for you by dying in a holy war...

    4. Re:Why attack the DNS-servers? by doomdog · · Score: 2, Insightful


      Well of course it's unproductive -- that's the hallmark of crackers, script kiddies and virus developers. These dregs of our society do these things just for the perverse pleasure of seeing how much havoc they can cause...

      These people are degenerates, delighting in the misery of others. Such are not worthy of life.

    5. Re:Why attack the DNS-servers? by 4of12 · · Score: 5, Insightful

      isn't that a bit counterproductive?

      Absolutely.

      OTOH, if you were in the business of providing a spoofed name service, then this would be the first step in doing so.

      At any rate, it sure seems like access to a critical top level DNS should be filtered to a big white list of mirror machines, which could then handle general purpose inquiries.

      That, or increase the number of TLDs, but that's already an insolubly bad political problem.

      --
      "Provided by the management for your protection."
    6. Re:Why attack the DNS-servers? by unger · · Score: 3, Interesting

      Or even more likely, IMHO, if you were a competitor of UltraDNS.

      So the question to ask is, "who would benefit from the demise of UltraDNS?"

    7. Re:Why attack the DNS-servers? by Anonymous Coward · · Score: 3, Informative

      My employer, apparently, has expected something like this to occur. Starting last summer, we have been modifying all of the unix hosts on the network to hard-code in the locations of the important hosts in the network: /etc/hosts now has the mailservers, webservers, etc, for all of the local network.

      The rationale behind this is simple: the dns boxes get dumb quite quickly when they lose their upstream connection. Once this happens, the dns for everything starts to fail, and even the internal hosts start having problems communicating. By using /etc/hosts and caching nameservers on all the hosts, we can delay (if not prevent) the stupidity that comes from the upstream dns being unreachable.

    8. Re:Why attack the DNS-servers? by Blkdeath · · Score: 5, Insightful
      But it would be a great way to scare the general public. It won't necessarily be as terrifying as hijacking planes, but it can spread some fear into many people. (mainly IT types)
      Actually, the last DoS attack on the root nameservers sucked, but it didn't frighten IT people. The only people things like this frighten are Average Joe Consumer types who don't really understand how these things work. For them, the "web" is the "Internet", and anything that affects "the web" could bring down the whole Internet (as if it's just a few computers in a lab somewhere that can be shut down like shutting off a light switch).

      The DNS system was designed for redundancy; if it can withstand a direct nuclear attack on 60% of its facilities (vis; 6-7 of the root servers), it can withstand a DoS attack. Considering the upstream providers of each of the root servers are responsive enough to throttle the traffic to a more reasonable level, and the caching, hierarchical nature of the DNS system (except for mickey-mouse systems who query the root nameservers only with no fallback support), it would take days to notice an outage. In that time, the root servers could set up spare boxes and have the system back up and running with relatively minimal disruption.

      To truly affect the operation of "the internet" as a whole, a DDoS attack would have to be sustained for days on end.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    9. Re:Why attack the DNS-servers? by Anonymous Coward · · Score: 0

      I mean, isn't that a bit counterproductive?

      "Yes, I brought the entire DNS-system crashing down! I'm l337! Now, all I have to do is to go online and brag about my exploits... Hmmm... There seems to be something wrong with my net-connection..."

    10. Re:Why attack the DNS-servers? by Desert+Raven · · Score: 4, Interesting

      The rationale behind this is simple: the dns boxes get dumb quite quickly when they lose their upstream connection. Once this happens, the dns for everything starts to fail, and even the internal hosts start having problems communicating.

      I'd say it's your DNS administrators that are dumb. I've been maintaining DNS systems for years, and I've never had a DNS server so much as hesitate to serve authoritative addresses, no matter what was happening to the upstream connection.

    11. Re:Why attack the DNS-servers? by nyseal · · Score: 1

      You're right; for Joe Consumer the 'Web' is the 'Internet', so when a DoS attack happens it does essentially shut them down. Denial of service is just that; Denial of Service.

      --
      [SIG] Remember Mattel handheld games?
    12. Re:Why attack the DNS-servers? by Leto2 · · Score: 2, Informative

      Which of course doesn't work now that all decent apache setups use vhosts for their domains.

      --
      <grub> Reading /. at -1 is like driving through Cracktown in a convertible that is stuck in 1st
    13. Re:Why attack the DNS-servers? by kraksmoka · · Score: 1

      funny post, but on the serious side. my bet is that a nation-state unfriendly to the west is more interested in that sort of attack, than some souped up script kiddie cracker.

      --
      "You never want a serious crisis to go to waste." - Rahm Emanuel
    14. Re:Why attack the DNS-servers? by Idarubicin · · Score: 4, Insightful
      Not when you are trying to make a political statement. I don't know if anyone has claimed responsibility for this yet, or if anyone will. But it would be a great way to scare the general public. It won't necessarily be as terrifying as hijacking planes, but it can spread some fear into many people. (mainly IT types)

      Nobody has yet claimed responsibility. Makes it sound kind of noble, doesn't it? What nobody has yet done is admitted guilt. I have always taken extreme exception to the media's convention that terrorists and criminals claim responsibility for murder. It's not a prize. Confessed to slaughter or declared lack of conscience or asserted no concern for fellow human beings might be more appropriate. Criminals shouldn't be allowed--or worse, invited--to claim responsibility, only admit guilt.

      --
      ~Idarubicin
    15. Re:Why attack the DNS-servers? by CoolVibe · · Score: 3, Informative
      No problem!

      Watch and learn:

      $ telnet 1.2.3.4 80
      Connected to 1.2.3.4...
      GET / HTTP/1.1
      Host: www.somesite.org
      [enter]
      [enter]
      [stream of html follows]

      Easy no?

    16. Re:Why attack the DNS-servers? by Anonymous Coward · · Score: 0

      "Yes, I brought the WTC down! Allah is great! Now all I have to do is go back home and brag about it. Hmm... I seem to have not survived the impact."

    17. Re:Why attack the DNS-servers? by Anonymous Coward · · Score: 0
      Nope!

      The internet was designed to withstand nuclear attack, the DNS system was not.

    18. Re:Why attack the DNS-servers? by Leto2 · · Score: 2
      Yeeeeaaaahhhh.

      For some reason that doesn't seem much like 'surfing' to me...

      Now, a method that a) would work and b) would prove to me that you're actually more than just a lamer, is to add the hostname to your /etc/hosts file or %SystemRoot%\system32\drivers\etc\hosts file

      --
      <grub> Reading /. at -1 is like driving through Cracktown in a convertible that is stuck in 1st
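      A check that goes with the hosts-file approach in this reply and in the earlier post about hard-coding important hosts in /etc/hosts: an added Python example, not code from anyone in the thread, that parses hosts-file syntax, answers lookups from the static table before DNS (the order libc uses), and flags pinned names whose live DNS answer has drifted from the file, since pinned entries rot silently. The sample hosts content, the internal hostnames and the stand-in DNS answers are all constructed.

```python
"""Hosts-file resilience check (added example, not from the thread).

Parses /etc/hosts-style text (the Windows file under
%SystemRoot%\\system32\\drivers\\etc\\hosts uses the same syntax),
answers lookups from the static table before asking DNS, and reports
pinned names whose live DNS answer no longer matches the file.
The DNS function is injected so everything below runs offline.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample, not a real network's hosts file.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
::1           localhost ip6-localhost
# Internal services pinned so an upstream DNS outage does not
# take local mail and web down with it.
10.0.0.25     mail.example.internal mail
10.0.0.80     www.example.internal  www
10.0.0.81     www.example.internal      # second address, same name
"""

# Constructed stand-in for live DNS: www has moved one address since
# the file was written, which is exactly the drift the check should catch.
STAND_IN_DNS = {
    "mail.example.internal": ["10.0.0.25"],
    "www.example.internal": ["10.0.0.80", "10.0.0.99"],
}

Lookup = Callable[[str], List[str]]


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname (lower-cased) to every address listed for it."""
    table: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: need an address and a name")
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # v4 or v6
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad address {fields[0]!r}") from exc
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table


def resolve(name: str, table: Dict[str, List[str]], dns: Lookup) -> List[str]:
    """Static table first, DNS second: the order 'hosts: files dns' gives libc."""
    key = name.lower().rstrip(".")
    if key in table:
        return table[key]
    return dns(key)


def find_drift(table: Dict[str, List[str]],
               dns: Lookup) -> Dict[str, Tuple[List[str], List[str]]]:
    """Return {name: (pinned, live)} for every pinned FQDN DNS answers differently.

    Names DNS cannot answer are skipped: an outage is the case the pin
    exists for, so there is nothing to compare against.
    """
    drift: Dict[str, Tuple[List[str], List[str]]] = {}
    for name, pinned in table.items():
        if "." not in name:
            continue  # short aliases and localhost have no DNS counterpart
        try:
            live = dns(name)
        except OSError:
            continue
        if sorted(live) != sorted(pinned):
            drift[name] = (sorted(pinned), sorted(live))
    return drift


def stand_in_dns(name: str) -> List[str]:
    """Offline substitute for system_dns using the constructed answers."""
    if name not in STAND_IN_DNS:
        raise OSError(f"no answer for {name}")
    return STAND_IN_DNS[name]


def system_dns(name: str) -> List[str]:
    """Real lookup through the resolver; socket.gaierror is an OSError."""
    return socket.gethostbyname_ex(name)[2]


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    print("www ->", resolve("WWW.example.internal.", table, stand_in_dns))
    for name, (pinned, live) in find_drift(table, stand_in_dns).items():
        print(f"drift: {name} pinned={pinned} dns={live}")
```

      Swap stand_in_dns for system_dns and feed it the real file to run the drift check against live DNS on a host that pins entries.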
    19. Re:Why attack the DNS-servers? by NMerriam · · Score: 2

      While I agree with your sentiment, "claimed responsibility" is the most accurate phrase. Law enforcement agencies routinely deal with false confessions to high-profile crimes. Someone claiming that they are responsible is not the same thing as them actually confessing to being guilty, because for all we know they AREN'T guilty.

      It's not just a semantic or legal issue, the simple truth is that 45 people can't all be guilty of a shooting, but 45 people can all claim responsibility, so that's all any reporter could honestly say.

      --
      Recursive: Adj. See Recursive.
    20. Re:Why attack the DNS-servers? by delta407 · · Score: 3, Informative
      At any rate, it sure seems like access to a critical top level DNS should be filtered to a big white list of mirror machines, which could then handle general purpose inquiries.
      Sorta like section 3.3.4 of RFC 2870?
      3.3.4 A 'hidden primary' server, which only allows access by the
      authorized secondary root servers, MAY be used.
      Besides which, a lot of the beefy top-level DNS servers are actually a bunch of identical servers behind some load balancing solution, so this makes a whole lot of sense.
    21. Re:Why attack the DNS-servers? by Anonymous Coward · · Score: 0

      I use curl "http://slashdot.org/" > /dev/brian and use my neural link to parse the html.

      I really wish slashcode would clean up it's act, too.

      s/act/output/ :)

    22. Re:Why attack the DNS-servers? by Zeinfeld · · Score: 2
      At any rate, it sure seems like access to a critical top level DNS should be filtered to a big white list of mirror machines, which could then handle general purpose inquiries.

      Does not actually help at all. Basically there is no value to the dot unless the TLDs under it are also up. If someone can take out the root they can take out dotCOM, dotNET and probably anything else they choose.

      The major TLDs are replicated many times with very sophisticated and comprehensive setups that are considerably more robust than the various ad hoc proposals being made to replace them. Bernstein's suggestion of using USENET being a particularly clueless example. In the first place USENET is not even reachable as a general purpose infrastructure, secondly the architecture is exceptionally vulnerable to DoS. One compromised node could bring down the whole USENET. The only reason that people don't attack it is that it simply isn't important enough, use it to distribute the root zone and you make it a target.

      What we should really do is can ICANN and simply open up the root zone for registrations at a reasonable rate (i.e. $500, not $50,000). The dotCOM infrastructure can easily be scaled to handle the load. The registration fee would allow for up front verification of trademark claims. There could be a rational complaints procedure based on prior review, registrations in the TLD would be subject to a 12 month public comment & objection period before being activated. Failure to complain during that comment period would result in a strong presumption in favor of the registrant. Registration of a TLD would automatically block further registrations in the other TLD zones at the option of the cc operators.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    23. Re:Why attack the DNS-servers? by ikkyikkyikkypikang · · Score: 1

      You guessed it: Frank Stallone

      --
      -- This post (c) 2003, Knights who say Ni, LTD.
    24. Re:Why attack the DNS-servers? by hesiod · · Score: 1

      I don't think it's all malicious intentions... There are computers I have wanted to break into just to see if I could. It's about learning and trying to accomplish something (regardless of the value of actually accomplishing it).

      Of course, for some crackers, (possibly most of them, I don't honestly know) it may very well be a power trip of some kind. But to call all people of a group unworthy of life? Hmmm. I think humans are unworthy of life because as a whole they seem to delight in the misery of others (or maybe just misery for me) and are degenerates... Doesn't mean I'm right (which I may be).

    25. Re:Why attack the DNS-servers? by doomdog · · Score: 1
      There's a difference between breaking into something "just to see if you can" and "disabling something to cause problems for millions of people".

      What if these cretins had actually succeeded? What if the DNS servers had gone offline for days and days? What if they had injected their own trojaned DNS servers (where _every_ domain name resolves to goatse.cx?)

      I think you're being lenient on them because they didn't really succeed...

      I will stand by my assertion that those who delight in the misery of others are not worthy of life. And no, I don't think that includes most people; many are sympathetic and the rest are just *apathetic* towards the plight of others -- which is as it should be (i.e. you mind your own business, do unto others as you would have them do unto you, etc.)...

    26. Re:Why attack the DNS-servers? by Anonymous Coward · · Score: 0
      but it can spread some fear into many people. (mainly IT types)

      nah...the only person it will scare is Al Gore...he DID create the Internet after all..

  2. ISOC? by Karamchand · · Score: 1

    I thought ISOC was about to run the .org TLD in cooperation with afilias? I've never heard about UltraDNS before - do you have any further links about UltraDNS managing .org?

    Thank you very much!

    1. Re:ISOC? by Anonymous Coward · · Score: 4, Informative

      Afilias uses UltraDNS for their DNS Infrastructure. It was in the proposal. Here's the link to the UltraDNS press release.

      http://www.ultradns.com/news/021028.html

    2. Re:ISOC? by Anonymous Coward · · Score: 0

      These are ICANN ppl. The deal was a joke.

    3. Re:ISOC? by Karamchand · · Score: 1

      Thank you very much, this was exactly what I was looking for!

  3. Good thing MS is killing DOS in december by Streiff · · Score: 5, Funny

    Good thing MS is killing DOS in december. It's way
    too violent these days.

    1. Re:Good thing MS is killing DOS in december by EdMack · · Score: 0

      DOS: Denial of service

      In non-geek: bombard the server with requests... ie overloading it as such

      Only connected to M$ via the fact that they both give people access to where they shouldn't.

      --
      puts ("Python r0cks\n");
    2. Re:Good thing MS is killing DOS in december by Anonymous Coward · · Score: 0

      you have no sense of humour at all do you?

    3. Re:Good thing MS is killing DOS in december by EdMack · · Score: 0

      I do - it just requires motivation to kick in.

      --
      puts ("Python r0cks\n");
    4. Re:Good thing MS is killing DOS in december by Anonymous Coward · · Score: 0

      How about 'no'. You're just a dick.

  4. Not that dangerous... by Anonymous Coward · · Score: 3, Informative

    It's not that big of a deal, since most people's DNS requests never reach the TLD servers. Instead they're handled by a mirror at a lower point on the tree.

    But, still, we should catch these DOSers and throw them into a federal pound-me-in-the-ass prison.

    Damned arab terrorist scum! Down with Saudi Arabia!!!

    1. Re:Not that dangerous... by zsazsa · · Score: 3, Informative

      It's not that big of a deal, since most people's DNS requests never reach the TLD servers. Instead they're handled by a mirror at a lower point on the tree.

      The most recent attack wasn't on the root nameservers, it was on UltraDNS, which is a large-scale commercial DNS hosting provider. A lot of big sites rely on their DNS service

    2. Re:Not that dangerous... by Anonymous Coward · · Score: 0

      How about sending them to a federal pound-THEM-in-the-ass prison instead?

  5. And here I thought... by duck_prime · · Score: 1, Funny
    DOS Attacks On DNS Provider
    And here I thought DOS wasn't supported any more. Go fig.
    1. Re:And here I thought... by MarcQuadra · · Score: 0, Offtopic

      Damn straight it's not supported anymore, and now it's pissed. Congress should have passed the unemployment extensions, now we're all gonna get DOSed.

      --
      "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
  6. .ORG TLD... by AyeRoxor! · · Score: 5, Funny

    Thought you would find this funny:

    In IE, I entered ORG and hit enter, just to see what would happen. Although highly unlikely, they could arrange some page there. Instead, MS search brought up a list of possible alternatives. Number one on the list?

    Mozilla.org

    Thanks, Bill :)

    1. Re:.ORG TLD... by Anonymous Coward · · Score: 0

      That's no big deal, if you ever run a webserver or search the registry, you would see that IE calls itself Mozilla to websites. The first thing in IE's about box thanks Mosaic.

    2. Re:.ORG TLD... by Anonymous Coward · · Score: 0

      Here in the UK I got uk.linux.org first, followed by mozilla.org and then Slashdot, which apparently 'Offers "News for nerds and stuff that matters." Visitors can find articles, memberships, code, encryption and Linux stuff.'

      Succinct.

    3. Re:.ORG TLD... by Luke-Jr · · Score: 1

      In Mozilla configured to use Google IFL, I get W3C if I type `org'

      --
      Luke-Jr
    4. Re:.ORG TLD... by devnullkac · · Score: 5, Funny
      In IE, I entered ORG and hit enter, just to see what would happen. Number one on the list? Mozilla.org

      I just tried the same thing. Number two on the list?

      Slashdot
      Number three?
      Linux Online

      Somebody at MSN likes us.

      --
      What do you mean they cut the power? How can they cut the power, man? They're animals!
    5. Re:.ORG TLD... by Anonymous Coward · · Score: 0

      Yeah, but try the same thing with "net"

    6. Re:.ORG TLD... by bad-badtz-maru · · Score: 2


      MSN's search results are the standard Inktomi fare. Same stuff you see on Lycos, Hotbot, Yahoo, etc.

      maru

  7. What the?! by dethl · · Score: 1

    I was wondering why /. seemed a bit sluggish...

    --
    "Some fight for law. Some fight for justice. What will you fight for? One day, you will see."
    1. Re:What the?! by Anonymous Coward · · Score: 0

      I was wondering why /. seemed a bit sluggish...

      Is that really the reason? I noticed that it was running awfully slow here as I was reading the last few stories. I was thinking of posting somewhere to see if this was a problem with /. or a problem with my network here at work.

    2. Re:What the?! by Anonymous Coward · · Score: 0

      No.

    3. Re:What the?! by CoolVibe · · Score: 1
      That's probably because cable & wireless (one of the hops between me (mainland europe) and /.) is dropping packets on people. My ISP (and maybe yours too) should review their peering agreement. It's been bouncing up and down here for a few days. Weird.

      *sigh*

  8. Oh the irony by fo0bar · · Score: 4, Funny

    The ad at the top of the /. homepage was for UltraDNS as I was reading this story. Any publicity is good publicity, I guess...

  9. IN SOVIET RUSSIA by Anonymous Coward · · Score: 0, Informative

    comrade Taco DOSes your bunghole.

  10. So Ironic.... by b96miata · · Score: 0, Redundant

    That on my refresh which brought this story up on the home page, the banner directly above it was, for one dollar a month, the world's most reliable dns, ULTRA DNS!!! haha to them.

  11. At least one company is riding the FUD wave by Gothmolly · · Score: 2

    Guardent is making a lot of noise about this sort of thing. Conspiracy theorists unite!

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:At least one company is riding the FUD wave by Anonymous Coward · · Score: 0

      Yeah, any security consulting company wants everyone to over-react to the FUD and give them more money for services that won't help (and some free marketing). Guardent (whose "experts" are VERY few) is quite happy to spread the paranoia around, as long as it makes them more money in the process.

      Buyer beware: snake-oil salesmen/saleswomen abound.

  12. Very surprising by ekrout · · Score: 5, Informative

    I have seen the UltraDNS ads here at Slashdot and thusly decided to read up on their techniques as well.

    Basically, they urge large important Web sites to outsource their DNS needs to another company (them). Before this DOS attack on their servers, they provided near perfect stability, security, and performance. If I recall correctly, Hotmail, Forbes, and Oracle have already used the services of UltraDNS.

    It's a shame that such a wonderful resource (the Internet) is so often abused by a few rowdy hackers and trolls.

    Here is a whitepaper that describes their services in depth and explains the reasons for outsourcing one's DNS needs.

    --

    If you celebrate Xmas, befriend me (538
    1. Re:Very surprising by swb · · Score: 3, Insightful

      I never quite got the whole outsourced DNS thing.

      Is it a question of just providing global geographic and network diversity for a site's nameservice, or is there something here that I'm missing?

      If I was example.com and I had an office in two locations with a T1 in each, NY and LA, and I had three NS records, ns-la.example.com, ns-ny.example.com and ns.myisp.com, what are they going to offer me that I don't already have?

      Proprietary firewall technology? OC-192s to 10 providers? Some home-brewed nameserver software more immune to hack attacks? Some kind of latency measure that replies with better A records?

      They're all nice, but they're all expensive, although maybe I'm missing out on something I should have.

    2. Re:Very surprising by RollingThunder · · Score: 2

      They offer pretty much what you listed... and given the infrequent, but bloody impossible to track down "address found, but no resource of requested type available" I'm getting these days from securityfocus mailing lists, even despite a spread setup like you mention, I'm starting to think hard about it. Evidently -something- isn't right with my local setup, but I'll be damned if I can find it.

    3. Re:Very surprising by oliverthered · · Score: 1

      Check that you have MX and PTR records for the mail server/s.
      'address found, but no resource of requested type available'
      suggests that the name lookup worked, but there was a missing MX record (on one of the DNS servers?)

      --
      thank God the internet isn't a human right.
    4. Re:Very surprising by GigsVT · · Score: 1

      You know, I've been hassling my email provider over those securityfocus bounces too. Same deal, no MX records found.

      I'm thinking it may be on securityfocus' side after reading your post.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    5. Re:Very surprising by Johannes · · Score: 5, Informative

      Disclaimer: I used to work at UltraDNS until a couple of months ago when I was laid off.

      The service provides a couple of advantages:

      Better latency. They use an anycast routing network which guarantees that a query to their DNS servers will be received and answered by the closest server based on the network topology. Even though there are only 2 published IPs for nameservers, there are some 16 servers scattered around the globe to answer on those IPs.

      Near real time database updates. They use an Oracle advanced replication network to get updates out to the other servers in near real time.

      Proprietary software. The only significant advantage here is that it's not BIND.

      All in all, it's about as good as DNS will get. Do you need it for your personal domain? Hardly. Do you need it for a popular domain like slashdot.org? Probably not.

      It works best for really large and really popular zones, like TLDs.

      However, it's still going to be better (albeit not as significantly) for your personal domain too.

      Anyway, bandwidth isn't really the issue with DNS. It's latency and availability.

      The problem with your example is that chances are, your DNS server in LA will be getting queries for Europe, which isn't all that ideal. Once again, is it that important? Not really.

      But it will work obviously.

    6. Re:Very surprising by RollingThunder · · Score: 1

      Believe me, I've checked that out the wazoo... the problem is sporadic, and others are saying they're seeing it too, so perhaps it's not my end at all. That, or it could possibly be the PTR assignment from the upstream breaks every now and then.

    7. Re:Very surprising by Anonymous Coward · · Score: 0

      Maybe it's a problem with the expiry times?

    8. Re:Very surprising by Desert+Raven · · Score: 1

      Disclaimer: I used to contract to UltraDNS as a developer.

      A couple of other points to outsourcing DNS.

      Systems like UltraDNS allow for large firms with multiple DNS administrators to easily maintain their DNS databases.

      It also allows for small companies/individuals to have off-site DNS servers at a fairly low cost. Even if you want to maintain your own zone files in BIND, you can use systems like Ultra as secondary DNS servers.

    9. Re:Very surprising by Zaphon · · Score: 1

      Disclaimer: I also used to work for UltraDNS (didn't everyone?)

      Anyway, I totally agree. I actually think the product is useful. But I also agree that the target market is very small.

      The amount of redundancy / network footprint they deploy is wonderful if you are a large company who has invested lots of money building a highly redundant web farm / network footprint. UltraDNS provides them with a solution that doesn't require them to have to build, deploy, and operate this piece as well.

      But for the average joe user (me for example), if my DNS server is down, so is my webserver. So nothing is really lost (okay maybe an MX record, so I have a second DNS server on another machine and a backup MX host). This is plenty for me.

    10. Re:Very surprising by Desert+Raven · · Score: 1

      But for the average joe user (me for example), if my DNS server is down, so is my webserver. So nothing is really lost (okay maybe an MX record, so I have a second DNS server on another machine and a backup MX host). This is plenty for me.

      True, except if the outage is going to be long-term. Having off-site DNS allows you to move your site to a new location, and get it back up and running in fairly short order.

      Otherwise, to move facilities/providers will take up to 72 hours for the NS change, plus the time for the NS entries to clear the cache in various DNS servers.

      Been there, dealt with that....

    11. Re:Very surprising by bad-badtz-maru · · Score: 1


      UltraDNS isn't very expensive, I use it as a secondary for a handful of domains and it's less than $100 annually.

      maru

    12. Re:Very surprising by danpbrowning · · Score: 2

      What are you talking about? UltraDNS.com is as cheap as dirt. I would charge my clients more money to config BIND than UltraDNS.com would charge in a year. Easy choice.

      --
      Daniel
  13. Source and motivation by sphealey · · Score: 5, Interesting
    You are assuming that the specific attacks on the DNS servers are being carried out by kids and "young dudes" working by themselves for the thrill of it.

    Whereas these attacks, as well as some of the worms that have surfaced recently, strike me more as testing of new techniques and probing of defenses by an organized group that is working on techniques to cause widespread disruption.

    sPh

    1. Re:Source and motivation by uchian · · Score: 2, Insightful

      More to the point, we should be welcoming this kind of attack (you know what I mean); if it shows that there is a weakness in the way that a vital component of the internet works, then knowing about it early means that solutions can be fielded and tested to secure the internet against these attacks.

      I am very glad that this kind of attack is being discussed in the open; rather than being hidden from public view. Much better that it discussed now rather than after somebody attempts to render the internet useless.

    2. Re:Source and motivation by curtisk · · Score: 5, Insightful

      well said....ppl automatically jump to the "it's just a bunch of script-kiddies" mentality....there may be a HELL of a wake-up call some day....

      --

      Sehr geehrter Toilettenbenutzer!

    3. Re:Source and motivation by stevey · · Score: 1

      What, like Curious Yellow?

    4. Re:Source and motivation by FuzzyDaddy · · Score: 3, Insightful
      Whereas these attacks, as well as some of the worms that have surfaced recently, strike me more as testing of new techniques and probing of defenses by an organized group that is working on techniques to cause widespread disruption.

      Frightening as it is, I would agree with you. It seems that bragging rights would be much better for taking down amazon, yahoo, msn, or some other big name company. Attacks on infrastructure components which are not widely known to the public at large do strike me as a probe to see where the vulnerabilities of the network lie.

      After this period of explosive internet growth, we need to start addressing the vulnerabilities of the network. Whether the network can still withstand a massive physical attack or not, we know it is vulnerable to network attacks. I had a friend who used to work for MIT Lincoln Labs, he told me there were at least a dozen ways to take down the internet.

      --
      It's not wasting time, I'm educating myself.
    5. Re:Source and motivation by kir · · Score: 3, Funny

      I had a friend who used to work for MIT Lincoln Labs, he told me there were at least a dozen ways to take down the internet.

      I had a friend who worked for Dunkin Donuts that told me the same thing.

      --
      3cx.org - A truly bad website.
    6. Re:Source and motivation by Nicolay77 · · Score: 1

      Well this is exactly the plot of the Uplink game.

      And man, that is a very good game.

      --
      We are Turing O-Machines. The Oracle is out there.
  14. All the protection *I* need... by Anonymous Coward · · Score: 4, Funny

    is the following line in my hosts

    66.35.250.150 slashdot.org :)

    1. Re:All the protection *I* need... by Anonymous Coward · · Score: 0

      Out of all the different sites on the net, slashdot is the only place you ever go to? How...sad.

    2. Re:All the protection *I* need... by Strog · · Score: 2, Informative

      Might I suggest you add google to your hosts. You are going to need the cache to read any articles once you get here. :)

    3. Re:All the protection *I* need... by Captain+Large+Face · · Score: 2

      I'd get rid of the smiley if I were you.

  15. Re:Shameless plug for UltraDNS by Gothmolly · · Score: 3, Informative

    Then there's ZoneEdit, which is Free-as-in-beer for the first 5 zones. w00t!

    --
    I want to delete my account but Slashdot doesn't allow it.
  16. From the author of qmail comes.... by livio · · Score: 1, Interesting
    DJBDNS!

    Very stable, performs really, really well on old machines we have here, makes my admin life plenty easy, and never had any security problems with it.

    Enough said ;-)

    1. Re:From the author of qmail comes.... by dbretton · · Score: 5, Informative

      From the DJBDNS page...

      Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)

      Seems to me like DJBDNS wouldn't help a lick!

      -D

    2. Re:From the author of qmail comes.... by ipjohnson · · Score: 1

      you can still DOS the box ...

      Just because the software package is secure doesn't mean it's immune to DOS attacks. Furthermore, you still have to worry about other packages on the box and the OS itself.

      Don't get me wrong, DJBDNS is a good step in the right direction but it's not the magic bullet.

    3. Re:From the author of qmail comes.... by dohcvtec · · Score: 5, Insightful

      Enough said
      Not really... what are you trying to say? Can DJBDNS prevent thousands of trojaned Windows systems from pinging it incessantly? I didn't think so, and you had no point.

      --
      -- Never hit a man with glasses. Hit him with a baseball bat.
  17. not just UltraDNS - others too by martin · · Score: 4, Informative

    Seems this was as distributed DDoS (DDDOS - sounds like a stemmer:-), many people got this..

    http://www.merit.edu/mail.archives/nanog/msg05349.html

    1. Re:not just UltraDNS - others too by self+assembled+struc · · Score: 2

      in other words, you mean a DDoS.

      being the first D in that means "Distributed."

      so it's a Distributed Denial of Service attack.

    2. Re:not just UltraDNS - others too by Dannon · · Score: 2

      DoS: Denial of Service
      DDoS: Distributed Denial of Service
      DDDoS: Distributed Distributed Denial of Service? Brought to you by the Department of Redundancy Dept.? Or just a very, -very- distributed attack?

      Don't mind me, I'm just easily amused. :)

      --
      Good judgment comes from experience.
      Experience comes from bad judgment.
    3. Re:not just UltraDNS - others too by martin · · Score: 2

      OK then MDDOS

      Multiple Distributed Denial of Service

      ie attacking more than one site with the same 'attack'

    4. Re:not just UltraDNS - others too by Captain+Large+Face · · Score: 2

      I thought DDoS was distributed denial of service? What the fuck is DDD?

    5. Re:not just UltraDNS - others too by TheKey · · Score: 1

      Distributed Denial of Distribution. It's just a virus that blocks all incoming and outgoing data on the box it's on and then tries to distribute itself.

      --
      My Journal - 1,337 fans and countin
  18. Should be? by kaosrain · · Score: 2

    Since these are the guys who are supposed to be running the .ORG DNS, and in light of recent attacks on the gTLD roots, attacks against DNS servers should be treated very seriously.

    Should be? They are. The FBI and the Department of Homeland Security are already investigating this.

  19. Progress? by registered_user · · Score: 2, Interesting

    I think the original concept of the web got lost somewhere. I was under the impression that the Internet itself was designed [by Al Gore :)] to not have a "control center." So that it could function even if most of it was destroyed. But now the internet has been altered into a network that relies on a few DNS servers. Why? So my bookmarks don't have to keep track of IPs? That seems silly. I am also pretty certain that my email address will cease to function without DNS servers as well. So without DNS I can neither access web pages nor email. This is somehow progress?

    1. Re:Progress? by zmalone · · Score: 3, Insightful

      I realize that this is probably a troll, but if you really are clueless, I guess I'll fill you in. DNS does not replace the IP system, it expands upon it. If the DNS hierarchy were to disappear there would be no negative effect upon the internet, you would just lose the ability to use symbolic names. If you really want to remove that "weak" link, you're welcome to use IPs, and if the DNS fails, you can continue operating as normal. I personally think missing net access every once in a while is far less bothersome than memorizing IP addresses or adding them to my hosts file.

    2. Re:Progress? by Bizaff · · Score: 2, Interesting

      I agree that DNS is not supposed to replace IP, but what I think registered_user was saying is that everyone's address book says person@host.name, not person@127.0.0.1. Losing the use of symbolic names IS disastrous. It won't stop you from getting where you know the IP, but how many IPs do people know off the top of their heads?

      If DNS goes away, how is that mail going to get routed? How will people browse all the other sites people only know by name? Sure, you can have an updated /etc/hosts, but I know I don't want to maintain one for every site I visit.

      Sure, you have the redundancy of secondary DNS servers.. but what if someone takes most of the root servers down, and compromises the others to start giving out the wrong IPs? Ok, this is a little contrived, but I see what registered_user is getting at. We ARE awfully dependent on DNS.

      I'm jus sayin!

    3. Re:Progress? by jafiwam · · Score: 2, Interesting

      Smaller web sites tend to be multi-homed on the same IP, using the HTTP host-header to specify what virtual web to use for any given request.

      So using the IP of a smaller site is likely to get a "Default" install page for the web server software, or to the hosting company's own web site. (Using a http://###.###.###.### request to an IP is one of the tricks that can be used to track down who is hosting some site you don't like, spammers or whatever.)

      The only way to visit one of those without the DNS system would be to use a hosts file on the local machine so the HTTP header comes into the web server correctly. DNS servers are left out of the loop entirely in that case.

      For small web sites, "no DNS" means "not on the net". (Big web sites probably have only one IP, so the IP address would work just fine in a browser, but how much database driven stuff looks at the URL to make sense about what to do...)

      DNS and IP are complementary systems for allowing data transfer. DNS has a very different function; routing meaningful traffic (not just packets, but web sites and other services) to people, that sits over the IP stuff, which just cares about getting packets from one place to another.

    4. Re:Progress? by Anonymous Coward · · Score: 0

      When Doug Engelbart created the ARPAnet NIC (Network Information Center) at the Stanford Research Institute in 1967, DNS did not exist. The network was small enough that the users and servers generally knew how to get around from service to service and interact with each other without the benefit of a global directory structure. As the network grew in size, it became apparent that such a service would be important, but due to scale reasons it was never quite taken to its conclusion. Instead, in 1971, Peggy Karp conceived of "host mnemonics," or more simply, Internet names.

      The Internet Request for Comments (or RFC) documents are the written definitions of the protocols and policies of the Internet. Building on the concepts contained in RFC 226, Karp created a lookup table that mapped all of the network resources in one text-formatted file. Called HOSTS.TXT, the table contained all of the hostnames and their related IP addresses. Operators would install this file on their local server, which would then gain the capability to perform the requisite lookups locally and enable the computer to find resources out on the larger network without a lot of overhead. Whenever an operator added a new machine to the network, he or she would complete an email template with the appropriate information and send it off to the appropriate people at Stanford Research Institute. They would then compile all of the changes, include them in the next release of HOSTS.TXT and store the new file on a globally available FTP server. Operators would retrieve the updated versions on a regular basis and install them on their local servers. The first version of this table was distributed in 1972. This arrangement worked well for a number of years, but it suffered from one systemic problem -- it wasn't scalable. Ultimately, ARPAnet's success was the lookup service's undoing, and engineers concluded that a new structure would have to replace HOSTS.TXT.

  20. It's not a problem by Ted_Green · · Score: 5, Insightful

    If you're using an alternative root server.

    And in all honesty, I would say that if the "official" root servers can't protect themselves, they really have no business being root servers (TLD or otherwise) in the first place.

    1. Re:It's not a problem by Anonymous Coward · · Score: 0

      Except that the official root servers can protect themselves, as evidenced by the recent DOS attacks that basically went unnoticed to 95+% of people using the 'net at the time.

      They are redundant, they aren't even always needed thanks to caching. DNS is pretty damn solid.

      But, of course, /. being what it is, any comment that beats down on 'The Establishment' (RIAA, MPAA, DoJ, Verisign, ICANN, etc.) whilst promoting some alternative, gets Score:5 instantly. Even if the post is dead wrong.

    2. Re:It's not a problem by Ted_Green · · Score: 1

      Dead wrong about what?

      If you're using an alternative root server and someone brings down the "official" root servers you shouldn't have to worry about it.

      I really don't know what your problem is, as you're defending an Establishment that wasn't attacked.
      If a root server is incapable of protecting itself, there's no reason why it should be a root server.
      I really don't care whether or not 95% of the people didn't notice it as the 5% of the net users who did is really quite a large amount.

      This statement has nothing to do with DNS, it has to do with how trustworthy a rootserver should be.

    3. Re:It's not a problem by timeOday · · Score: 2
      Did they fail to protect themselves? Because as with the previous DNS attacks, I was using the Internet as usual throughout the whole thing and never even noticed.

      Raising the question, how many of us actually noticed this before reading about it?

    4. Re:It's not a problem by sharph · · Score: 1

      I have noticed.
      My web site (sharph.net) uses the DNS services of hn.org. hn.org is sharph.net's nameserver. (Well was, until Sunday when I switched to UltraDNS.net.)

      When you go to access sharph.net, it gets pointed to hn.org, which points it to my IP address. Over the weekend because the nameservers couldn't resolve hn.org, sharph.net wouldn't work.

      You most likely won't notice it because all the frequently used domains are cached somewhere between you and UltraDNS.

    5. Re:It's not a problem by bad-badtz-maru · · Score: 2

      How exactly do you protect against an attack whose "payload" is sheer data volume? Make sure your pipe is bigger than the aggregate bandwidth available to every previously compromised host on the internet? How feasible is that? Aside from that, the attack wasn't even against a root server, it was against a DNS provider.

      maru

    6. Re:It's not a problem by Puppet+Master · · Score: 1
      They may not have failed to protect themselves, in fact I think they did a good job.
      However, I did notice some slow downs while visiting some web sites.. Others were completely gone.

      I even remember my boss coming in and asking if something was wrong with our server.
      I told him that the root servers were being attacked. He told me to stop the attackers... :)

      --
      The day Microsoft creates a product that doesn't suck, it will be known as the Microsoft Vacuum Cleaner!
  21. Re:Shameless plug for UltraDNS by nochops · · Score: 4, Interesting

    I've been using UltraDNS for more than 2 years now, and I'm also nothing but happy with them.

    You're right about their ease of use, it's definitely a strong point.

    I've never had any issues with them, and come to think of it, I didn't have any problems this weekend either. In fact, I got -more- spam than usual, so I'm going to assume that if the spammers didn't have a problem resolving my domain name, neither did anyone else.

    --
    "A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
  22. Is it realistic? by Itsik · · Score: 3, Interesting

    I truly question whether it is realistic to bring the entire system down. There are so many servers around the world that offer a redundant service to those servers that it would be hard to actually "feel" that the root DNS server is no longer available. Which gives whoever quite a bit of time to be able to bring the affected system back up.

  23. Bringing down the TLD? by Alethes · · Score: 3, Insightful

    How badly can attacking the root DNS servers affect the Internet experience since DNS is so decentralized? If the root server is down, that doesn't prevent the thousands of immediate DNS servers from being able to resolve domain names for the users, right? It seems like it'd only be able to prevent the propagation of new domain names. What gives?

    1. Re:Bringing down the TLD? by Shimbo · · Score: 3, Insightful

      How badly can attacking the root DNS servers affect the Internet experience since DNS is so decentralized?

      DNS isn't really that decentralized. OK, you don't need access to the root zone itself that often. It's the big TLDs like .com and .org that are the big problem. And yes, if you have a good infrastructure it will be cached somewhere upstream. However, some proportion of these will time out if the DDOS is sustained for any length of time.

      For DHCP say, you refresh before the timeout, so there is a minimum downtime of your DHCP server before the clients lease times out altogether. AFAIK, for DNS when the TTL expires that's it; so some sites will start dropping out the cache as soon as authoritative DNS becomes unavailable.

  24. DOS by utahjazz · · Score: 0, Redundant

    Well at least we can all breathe a sigh of relief when Microsoft retires DOS at the end of the year.

    1. Re:DOS by Anonymous Coward · · Score: 0

      No, actually we can't. Darn. And now it is free too... no MS tax, no "sell us your soul" EULAs, nothing.

    2. Re:DOS by Anonymous Coward · · Score: 0

      Redundant=3, Funny=1, Total=4

      Isn't it a bit hypocritical to moderate something as redundant 3 times?

  25. DNS Servers by sjanich · · Score: 4, Informative

    It is more than just a few servers.

    Generally each "server" has multiple separate internet connections. The server itself is usually a set of two or more machines acting as one. The servers are distributed around the internet. They are not concentrated in one place either geographically, or network topographically.

  26. Re:Maybe not a DoS? by cmdr_beeftaco · · Score: 3, Funny

    I used to work for a large internet company in Virginia; we used to do these types of things all the time. It is a dirty little secret of the hosting community that large amounts of funds are currently being channeled to companies that suffer large scale attacks to strengthen their infrastructure. I know from personal experience that these government kickbacks are sometimes abused by recipients.
    Not only are the hosting companies after the anti-terror funds. The sysadmins orchestrate these 'attacks' to gain 'relations' with the investigating FBI Special Agents. If you have not seen the women agents in the FBI's Computer Crimes Division do yourself a huge favor. Most of these 'attacks' originated from internal addresses and it was typically on one of the sysadmin's birthday treats. I've personally gotten '7-digits' from these agents on numerous occasions and one of these lucky agents will be the mother of my children.

  27. another DoS attack by Anonymous Coward · · Score: 2, Funny

    not very nice to post the link to their site. Now not only they had to endure a DDoS ping flood attack, they'll have to deal with the ./ effect!

    artaxerxes

    1. Re:another DoS attack by Anonymous Coward · · Score: 0

      not very nice to post the link to their site. Now not only they had to endure a DDoS ping flood attack, they'll have to deal with the ./ effect!

      This joke is getting very old, much like the CowboyNeal poll option.

  28. Re:this is terrorism by cmdr_beeftaco · · Score: 0, Flamebait

    You are from Europe aren't you?

  29. everydns by Wakkow · · Score: 4, Interesting

    Otherwise, you can use everydns.net for free which runs a nice djbdns setup behind a very clean interface and only asks for donations.

    1. Re:everydns by sharph · · Score: 1

      EveryDNS.net is good. I use it. But it won't help the situation because when you do a lookup of a .org domain it queries the UltraDNS servers, then they send you over to everydns.net which handles it from there.

      Actually, you are right in a way. I used to use hn.org for hosting the nameservers for my domain, and it didn't work this weekend because it wouldn't resolve hn.org.

    2. Re:everydns by Anonymous Coward · · Score: 0

      no, hn.org runs on a cable modem.

      everydns.net runs on real servers.

      It makes a big difference.

    3. Re:everydns by sharph · · Score: 1

      Whoa. You're right.

      [sharp@endor sharp]$ host hn.org
      hn.org has address 24.97.1.167
      [sharp@endor sharp]$ host 24.97.1.167
      167.1.97.24.in-addr.arpa domain name pointer rrcs-nys-24-97-1-167.biz.rr.com.

      And rr.com is of course roadrunner.

  30. Not decentralized by meldir · · Score: 2, Informative

    DNS is decentralized, in the sense that no server holds all information, but servers only hold information for a certain part of the domain-space. However, *no server can cache all information*, and to answer queries, these servers must ask other servers. And to know which servers are authoritative for a certain domain, you'll have to ask the root servers. This makes DNS pretty centralized in the end. And vulnerable.

    1. Re:Not decentralized by T-Ranger · · Score: 2

      But there is not one root server, there are a bunch of them. Geographicly and networkly distributed.

  31. What kind of protection can be had? by Anonymous Coward · · Score: 0

    RAI-DNS?

  32. SURPRISE GIRLS! KEITAROU'S SPECIAL BED TREATMENT by Keitarou · · Score: 0, Offtopic

    Hi Girls!

    I'm pleased to announce that starting from today, you can have sex with me!
    That's right!
    You can sleep with me, the sex god of the 198th century! It is no longer a dream!
    Finally you can have the option of having hot, sweaty and sticky sex with a real man, not those wimpy side-sticking showbots who can tell between a clit and a skin-flap. Finally, you can moan to the night, because you'll have the best treatment. With me.

    So don't wait till you die! Dial now and have a hot orgasm.

  33. There's something at internettrafficreport.com by Jugalator · · Score: 5, Informative

    Look at this, especially that huge packet loss spike at 11/24...

    Seems suspicious, although that site hasn't put up any news about it like they did with the major DNS attack a couple of weeks ago.

    --
    Beware: In C++, your friends can see your privates!
  34. Dan Bernstein by tuxlove · · Score: 4, Insightful

    Reading that Usenet thread was ugly. Dan Bernstein has the unsurpassed ability to present (often) good ideas while being a complete prick.

    Dan, you want people to take you more seriously, try being human once in a while. You don't need to prove just how damn intelligent you are by beating other people over the head with their own "ignorance". You might want to work on your own ignorance in the social skills department first.

    That said, transmitting the entire root zone over Usenet and other means sounds like a good suggestion. I hope you can start sounding like less of a lunatic so people will listen to the idea.

    1. Re:Dan Bernstein by SiliconEntity · · Score: 4, Interesting

      I met Bernstein briefly, and he seemed like a nice guy in person. He's relatively young, 30-ish, and soft spoken. But online he comes off as some kind of know-it-all curmudgeon.

      Personally I liked the suggestion in the Usenet thread to return expired DNS cache data when the authoritative servers are unreachable, at least as an option. 99% of the time when you can't do a host lookup, the old cached data would still be right. All the DNS purists hated the idea of using expired data, like it's unclean or something. But if it's all you've got, isn't it better to use old information than to give up on letting the net work at all?
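The two points made in this thread, Shimbo's observation that cached records drop out one by one as their TTLs expire during a sustained outage (unlike a DHCP lease, nothing renews them early), and the "serve expired data when upstream is unreachable" option SiliconEntity describes, can be seen side by side in a toy resolver cache. This is an added example, not code from any commenter or from a real resolver; the zone, TTLs, timestamps and the `unreachable` upstream function are constructed for illustration.

```python
"""Toy recursive-resolver cache: TTL expiry under an upstream outage, with an
optional "serve stale" fallback.

Added example, not code from the page or from any real resolver. Records,
TTLs and timestamps are constructed; ``upstream`` stands in for the query to
the authoritative (or TLD) servers."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Upstream query: name -> (address, ttl) or None when nothing answers.
Upstream = Callable[[str], Optional[Tuple[str, int]]]


@dataclass
class CachedRecord:
    address: str
    stored_at: float  # seconds on a caller-supplied clock
    ttl: int          # seconds the authoritative server allowed

    def expired(self, now: float) -> bool:
        # No early refresh: once the TTL is up the record is gone unless the
        # resolver deliberately chooses to keep using it.
        return now >= self.stored_at + self.ttl


class ResolverCache:
    def __init__(self, serve_stale: bool = False) -> None:
        self.serve_stale = serve_stale
        self.records: Dict[str, CachedRecord] = {}

    def store(self, name: str, address: str, ttl: int, now: float) -> None:
        self.records[name] = CachedRecord(address, now, ttl)

    def lookup(self, name: str, now: float, upstream: Upstream) -> Tuple[Optional[str], str]:
        """Return (address, source); source is 'cache', 'authoritative',
        'stale' or 'servfail'."""
        rec = self.records.get(name)
        if rec is not None and not rec.expired(now):
            return rec.address, "cache"
        answer = upstream(name)  # expired or unknown: ask upstream
        if answer is not None:
            self.store(name, answer[0], answer[1], now)
            return answer[0], "authoritative"
        if rec is not None and self.serve_stale:
            return rec.address, "stale"  # the option argued for in the thread
        return None, "servfail"


def unreachable(_name: str) -> Optional[Tuple[str, int]]:
    """Constructed upstream that never answers, modelling a sustained DDoS."""
    return None


def outage_timeline(cache: ResolverCache, names: List[str],
                    start: float, end: float, step: float) -> List[Tuple[float, int]]:
    """At each tick, count how many names still resolve while upstream is down."""
    out: List[Tuple[float, int]] = []
    t = start
    while t <= end:
        ok = sum(1 for n in names if cache.lookup(n, t, unreachable)[0] is not None)
        out.append((t, ok))
        t += step
    return out


def demo() -> Tuple[List[Tuple[float, int]], List[Tuple[float, int]]]:
    """Constructed zone with mixed TTLs; upstream is down from t=0 to t=3600."""
    names = ["a.example", "b.example", "c.example"]
    ttls = [300, 1800, 7200]  # constructed: 5 min, 30 min, 2 h
    strict, stale = ResolverCache(), ResolverCache(serve_stale=True)
    for cache in (strict, stale):
        for n, ttl in zip(names, ttls):
            cache.store(n, "192.0.2.1", ttl, now=0)
    return (outage_timeline(strict, names, 0, 3600, 900),
            outage_timeline(stale, names, 0, 3600, 900))


if __name__ == "__main__":
    for label, line in zip(("strict", "serve-stale"), demo()):
        print(label, line)
```

Running `demo()` shows the strict cache losing the 5-minute record at the first tick and the 30-minute record at the second, while the serve-stale cache keeps answering all three for the whole hour; the trade-off is that a stale answer may point at an address that has legitimately moved, which is why the thread treats it as an option rather than a default.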

    2. Re:Dan Bernstein by efflux · · Score: 2, Insightful

      I'm not familiar with the person in question, but I know the attitude, and I agree whole-heartedly. It's made it so that I can't stand to use UseNet, no matter what the group. You *will* run into freaks like these, and there is no use in trying to present an argument or to extract an argument out of these people so that you can understand the issue at hand. These attitudes destroy academia and investigative thinking.

      I had even run into an individual IRL who had this genius complex as he was trying to sell me on an Open Source project he was working on. He was so unbearable I don't want to work with.

      To people with such complexes, I suggest you have them read Nietzsche. He has a lot to say about "the cult of the genius". Though I disagree with him on many counts and feel he suffered from the same delusions he denounced, I have to agree with his reasoning in this matter.

      He may have mentioned this in several of his writings, but in particular, I am referencing _Human, all too Human_.

      --
      Do I contradict myself? Very well, then I contradict myself, I am large, I contain multitudes. -- Walt Whitman
    3. Re:Dan Bernstein by Old+Wolf · · Score: 2

      Heh. Bernstein is cool. Although he uses dubious (IMHO) code practises, such as having entire functions with one-character names and all variables with one-character names, and calling _exit(), his code makes small executables (probably the lack of long debug symbols eh?) and doesn't have security holes.

      Also he's prepared to tell dicks that they are dicks - something that is unfortunately rare these days.

    4. Re:Dan Bernstein by Anonymous Coward · · Score: 0

      Also he's prepared to tell dicks that they are dicks - something that is unfortunately rare these days.

      He's also willing to tell people that aren't dicks that they are.

  35. ISP's responsibility. by jwdeff · · Score: 4, Insightful

    All ISP's should have access lists on their routers allowing traffic out only if the source address is within their network. Directed Broadcasts should be turned off to limit smurf attacks. This itself would cut the problem tenfold.

    1. Re:ISP's responsibility. by Sloppy · · Score: 2, Insightful

      I can think of situations where someone might have a slow link for upload (e.g. 56k modem on phone line) but a completely different link for faster downloading (e.g. satellite dish).

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    2. Re:ISP's responsibility. by Anonymous Coward · · Score: 0

      Exactly. Even at the small ISP I work for, probably 2% of the customers use asymmetric routing like that. That's 2% we know about. There's probably more now that VPN's are becoming more popular.

    3. Re:ISP's responsibility. by Anonymous Coward · · Score: 1, Informative

      We tried that, but after having a bunch of customers scream at us, we turned it off less than two hours later. You forget that many legitimate services use asymmetric routing.

    4. Re:ISP's responsibility. by jwdeff · · Score: 1

      Excellent point, although I still think it is a necessary security policy.

      If a customer needs to allow source addresses outside the network, simply update the access list. Just remember, you're doing the world a favor.

      If you are offering a service to businesses, it would be good policy to notify them before making major configuration changes.

      When I had my first job as a network engineer, I discovered that our email server was an open relay. I changed that, only to discover a (large) number of our customers who we did not provide bandwidth for used us as their SMTP relay. I then allowed the entire range (if it was assigned dynamically) of IPs of the ISPs they used (hell if i'm going to talk everyone through changing their SMTP server setting), and had future customers set it up right.

      BTW, (to the best of my knowledge) asymmetric routing is any routing that may not take the same path to and from the destination. This applies to the majority of routing these days, not just that with a different specified source address than actual source address.
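The filtering policy jwdeff proposes at the top of this thread (forward outbound traffic only if its source address lies in the ISP's own address space, and disable directed broadcasts), together with the exception-list workaround in the follow-up for customers whose legitimate traffic arrives with a foreign source address, can be modelled as a small decision function. This is an added example, not code from the thread or from any router vendor; the prefixes, the exception prefix and the sample packets are constructed from documentation address ranges, and the `EdgeFilter` class and its verdict labels are this example's own.

```python
"""Edge-router source-address validation with an exception list, plus a
directed-broadcast drop for inbound traffic.

Added example, not code from the page or from any router vendor. All
prefixes and packets are constructed sample data (RFC 5737 documentation
ranges)."""
from dataclasses import dataclass
import ipaddress
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "out" = leaving the ISP, "in" = arriving from the Internet


class EdgeFilter:
    def __init__(self, own_prefixes: Iterable[str], exceptions: Iterable[str] = ()) -> None:
        # Address space the ISP announces; only these may be a source on the way out.
        self.own = [ipaddress.ip_network(p) for p in own_prefixes]
        # Foreign source prefixes explicitly permitted, i.e. the access-list
        # update the follow-up suggests for asymmetric-routing customers.
        self.exceptions = [ipaddress.ip_network(p) for p in exceptions]

    @staticmethod
    def _in_any(addr: str, nets: List[ipaddress.IPv4Network]) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in n for n in nets)

    def _is_directed_broadcast(self, addr: str) -> bool:
        # A packet from outside aimed at the broadcast address of one of our
        # subnets is the amplification vector the parent comment mentions.
        ip = ipaddress.ip_address(addr)
        return any(ip == n.broadcast_address for n in self.own if n.prefixlen < 31)

    def verdict(self, pkt: Packet) -> Tuple[bool, str]:
        """Return (forward?, reason)."""
        if pkt.direction == "out":
            if self._in_any(pkt.src, self.own):
                return True, "own-source"
            if self._in_any(pkt.src, self.exceptions):
                return True, "exception"
            return False, "spoofed-source"
        # Inbound: our own space cannot legitimately arrive from outside.
        if self._in_any(pkt.src, self.own):
            return False, "spoofed-inbound"
        if self._is_directed_broadcast(pkt.dst):
            return False, "directed-broadcast"
        return True, "inbound-ok"

    def apply(self, packets: Iterable[Packet]) -> Tuple[List[Tuple[Packet, str]], List[Tuple[Packet, str]]]:
        forwarded: List[Tuple[Packet, str]] = []
        dropped: List[Tuple[Packet, str]] = []
        for p in packets:
            ok, why = self.verdict(p)
            (forwarded if ok else dropped).append((p, why))
        return forwarded, dropped


# Constructed sample: the ISP owns two prefixes and has granted one customer
# an exception for a foreign source prefix.
SAMPLE_FILTER = EdgeFilter(["198.51.100.0/24", "203.0.113.0/25"],
                           exceptions=["192.0.2.0/28"])

SAMPLE_PACKETS = [
    Packet("198.51.100.7", "192.0.2.200", "out"),    # normal customer traffic
    Packet("10.9.9.9", "192.0.2.200", "out"),        # spoofed source, would be dropped
    Packet("192.0.2.5", "192.0.2.200", "out"),       # asymmetric-routing customer on the exception list
    Packet("192.0.2.77", "198.51.100.255", "in"),    # aimed at a subnet broadcast address
    Packet("192.0.2.77", "198.51.100.10", "in"),     # ordinary inbound
    Packet("198.51.100.3", "198.51.100.10", "in"),   # claims to be us, arriving from outside
]


if __name__ == "__main__":
    fwd, drp = SAMPLE_FILTER.apply(SAMPLE_PACKETS)
    for p, why in fwd + drp:
        print(f"{p.direction:3} {p.src:>15} -> {p.dst:<15} {why}")
```

The `exception` path is what turns the policy from "breaks asymmetric customers" into something deployable, and it is also the part that needs an owner: every entry widens the set of source addresses the ISP will vouch for, so the list should be reviewed as customers churn.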

  36. Re:SURPRISE GIRLS! KEITAROU'S SPECIAL BED TREATMEN by jwdeff · · Score: 2, Funny

    While I was reading about DOS attacks and the need for distributed DNS, I never thought I'd come across a post like this.

  37. Let's help ddosing UltraDNS by dark-br · · Score: 1, Redundant

    So it has been DDoSed? Let's give 'em some help /.'ing them too!

  38. DOS attacks on gTLD servers by Anonymous Coward · · Score: 0

    Do you want to give control of an entire gTLD to one organization?

    Er... wtf do you think is going on right now? It doesn't matter if one organization or ten organizations control a gTLD, a DDOS attack against the root servers is still going to have the same effect. DNS is a creaky old beast that was designed when the internet was a safe (or safer) place... legacy crap that isn't going to go away for a while since -everything- uses it.

  39. Nukes and Freenet by 0x0d0a · · Score: 5, Insightful

    For them, the "web" is the "Internet", and anything that affects "the web" could bring down the whole Internet

    Just one thought -- does Freenet use DNS at all? I *think* it doesn't. Because if not, it provides an existing, easy-to-migrate-to solution in case of such a catastrophic event. Just kick over to Freenet, no DNS required.

    The DNS system...can withstand a direct nuclear attack on 60% of its facilities

    As opposed to, say, those pesky indirect nuclear attacks? :-)

    1. Re:Nukes and Freenet by delta407 · · Score: 2

      Freenet currently uses DNS for nodes configured to do so (namely dynamic DNS types). But, with recent discussion on freenet-devl, either address resolution keys will be implemented (meaning DNS-like resolution in Freenet) or IP address discovery will be integrated into the announcement protocol, negating the need for DNS either way.

      So, bottom line is: Freenet relies on DNS some of the time right now, but will not by the 0.5.1 release which is due shortly. In the case of DNS failure, however, the current infrastructure would still work -- heck, Freenet 0.3 would still work. (Sorta...)

  40. Alternative DNS providers by Istealmymusic · · Score: 2

    Hammernode is quite good.

    --
    "The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
    1. Re:Alternative DNS providers by Anonymous Coward · · Score: 0

      Hammernode is good. I used it for a while and love it. They are having trouble getting it to scale well and the database is locked in at 20k accounts and you can't make a new one until there are deletes. By all means, support it but it is no replacement for a large commercial DNS provider.

    2. Re:Alternative DNS providers by Anonymous Coward · · Score: 0

      So it is. Too bad it was knocked ass up by this very incident, being a .org and all.

  41. Time for a new model by laigle · · Score: 5, Interesting

    Given these attacks, maybe it's time to shift the DNS model to something more distributed. Say a P2P network of all the DNS servers, which would feature client side intelligent load balancing (ie it only queries past your ISP's DNS when it needs to). It wouldn't take a whole lot, since it only needs to be capable of a very minute series of transactions. You could throw in CRC codes and a verification system if people wanted to be extra paranoid about it.

    Of course, ultimately you have to have some sort of root server. But in a distributed model, they could be essentially insulated from DOS attacks, because they just need to get the master list out to a few systems for it to propagate all over. There could be a redundant distribution mechanism whereby the root servers send the list out through normal channels, but also send it to some randomly selected servers by phone call as a backup. At that stage hosing the root servers (or more accurately their connections, I doubt anyone is gonna ping one of those things to lockup) would not only be difficult and dangerous, but pointless. You cut off its connection via the internet, but the list still gets out and immediately spreads to so many DNS servers you couldn't possibly shut them all down, and you would have to shut down most of the world's DNS servers to have any impact on users.

    Ultimately it wouldn't change things too much, since we're already pretty insulated from these attacks. But it does have a nice "just in case" factor to prevent some megaworm or Y2k-style OS-pervasive glitch from knocking us on our butts. And it would take the wind out of the sails for a bunch of the script kiddies (and the odd genuine hacker) out there trying to crash the net, which is almost worth it in and of itself.

    1. Re:Time for a new model by MavEtJu · · Score: 3, Insightful

      Say a P2P network of all the DNS servers, which would feature client side intelligent load balancing (ie it only queries past your ISP's DNS when it needs to).

      Set your nameserver to forward all your requests to your ISP's DNS instead of having a .-hinted-zone.

      Of course, ultimately you have to have some sort of root server. But in a distributed model, they could be essentially insulated from DOS attacks, because they just need to get the master list out to a few systems for it to propagate all over.

      Isn't that what we have now?

      --
      bash$ :(){ :|:&};:
    2. Re:Time for a new model by Sloppy · · Score: 1
      (ie it only queries past your ISP's DNS when it needs to)
      Thanks to caching, this is pretty much what we have right now. That probably explains why most people never notice these outages.
      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  42. The skript k1dDi3 conspiracy by 0x0d0a · · Score: 2

    Now the skript kiddies are in with the government on the Conspiracy!

  43. There is an elegant solution by lazlo · · Score: 5, Interesting
    There is an elegant solution that seems tailor-made for this particular problem (i.e., massive bandwidth DDOS of a small number of servers serving a stateless udp-based service) It's called anycast, and it's being used successfully now. An excellent example of its use is the AS112 project

    Here's a quick overview I found: http://www.pch.net/documents/tutorials/ipv4-anycast/ipv4-anycast.ppt

    Now if we can just get all or most of the root-servers and gtld-servers moved to anycast, then there should be at least minor performance gains, and fairly large stability/resilience-to-DOS gains.

    --
    Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
    1. Re:There is an elegant solution by ahpeterson · · Score: 3, Interesting

      Interesting that you should mention anycast. UltraDNS has actually been using anycast ever since the system was initially brought online (early 1999).

  44. The Department of What? by Anonymous Coward · · Score: 0

    That's a damn good trick for a Department which has been in existence for 20 minutes, has no headquarters, and largely exists only on paper.

    http://www.cnn.com/2002/ALLPOLITICS/11/25/homeland.security/index.html

    1. Re:The Department of What? by SEWilco · · Score: 1
      That's a damn good trick for a Department which has been in existence for 20 minutes, has no headquarters, and largely exists only on paper.

      Surely a brand new agency is operating on Internet time. Don't you know how long 20 minutes is to a computer? :-)

      (A government agency operating efficiently and quickly? I don't know whether to be more stunned than afraid.)

  45. Re:SURPRISE GIRLS! KEITAROU'S SPECIAL BED TREATMEN by CableModemSniper · · Score: 1

    You must be new here. Welcome to slashdot!

    --
    Why not fork?
  46. Re:SecurityFocus mailinglists goof ups by defender · · Score: 1

    The problem is not on your end, it's on SecurityFocus's end. I've been having the same problems for a couple of months now, and in spite of assurances from "Dan Bertrand" "Senior IT Manager, Symantec Corporation", it hasn't stopped. He cited either a firewall issue (they don't operate it themselves anymore) or a bandwidth issue. I don't buy either of them, I think it's their postfix + DNS setup. Somehow postfix is fed info that your domain does exist, but that there are no valid MX (or A ?) records. If there was a firewall issue, their resolvers should timeout, and their mailsetup should requeue.

  47. Why lifetime penalty is feasible by Loco3KGT · · Score: 1

    This is why lifetime in prison is possible for hackers. Stuff like this can be issues of "national security". If online businesses went out for any noticeable amount of time, the U.S. GNP could see a noticeable impact.

    --
    Blessed be he who reads this post, Cursed be he who tells my boss.
    1. Re:Why lifetime penalty is feasible by Lord+Apathy · · Score: 1

      No, this isn't a cause for lifetime imprisonment. More likely a cause for a few swift whacks with a bamboo cane or a cat o' nine tails. These are just nuisance attacks and nothing more.

      --

      Supporting World Peace Through Nuclear Pacification

  48. Doh! by spruce · · Score: 5, Funny

    So as the battle weary sys admins from UltraDNS finally get back home from fighting a DDOS attack....

    Phone rings.

    "Bob, the web server is under attack again, and this one's coming from all around the globe. Game over man, game over."

    Slashdot's a bitch.

  49. Re:SecurityFocus mailinglists goof ups by RollingThunder · · Score: 1

    Hmm... that would certainly explain why I'm not able to find a single damn thing wrong. :) Thanks for that cross-reference data point!

  50. Why allow ping? by phorm · · Score: 2

    Why would they allow pinging anyways? Really, as a root DNS server, one would think that all they should allow are DNS queries and related. I suppose pinging might suck bandwidth, but just ignoring the pings helps on the server end?

    1. Re:Why allow ping? by dohcvtec · · Score: 2

      Why would they allow pinging anyways?
      Right, some high profile sites do just that. www.microsoft.com, for example, does not reply to ICMP echo-requests. It goes along with the idea of only allowing what's absolutely necessary, in terms of daemons and open ports.
      I suppose pinging might suck bandwidth
      Yeah, even if they decide not to respond to the pings, the ICMP traffic is still coming down the wire. In that case, the traffic can be filtered upstream. However, from what I read, it sounds like this attack was not echo requests, but apparently syn packets. Whether they were TCP or UDP and what port is unknown, but if they were UDP port 53, there wouldn't be much anybody could do to separate DDOS traffic from legitimate traffic.

      --
      -- Never hit a man with glasses. Hit him with a baseball bat.
    2. Re:Why allow ping? by psamuels · · Score: 1
      from what I read, it sounds like this attack was not echo requests, but apparently syn packets. Whether they were TCP or UDP and what port is unknown

      SYN is specific to TCP - it doesn't exist in UDP. SYN flooding is where you send SYN packets to open a bunch of TCP connections, but then neglect them - forcing the other end to allocate lots of resources to your nonexistent connections, which won't time out for quite awhile. UDP doesn't have the notion of a "connection", so you can't SYN-flood it.

      DNS does use TCP for certain longer queries, so it's hard to just turn it off. Now, it may be that the root servers can get away with not using TCP if they don't allow things like zone transfers or other long queries. I dunno, I'm not a DNS expert or anything.

      --
      "How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
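      The half-open state that the parent describes is what a defender actually has to count on a DNS server that keeps TCP/53 open. The following is an added example, not code from the thread: it replays constructed packet events (hypothetical addresses) and reports sources holding many unfinished handshakes, plus the total, since a flood from randomised spoofed sources never trips a per-source count.

```python
from collections import defaultdict

# Constructed packet events (time_s, src, dst_port, tcp_flags) as seen on
# the server's wire. Addresses are hypothetical, not captured data.
EVENTS = [
    (0.00, "198.51.100.7", 53, "S"),   # legitimate DNS-over-TCP client
    (0.01, "198.51.100.7", 53, "A"),   # third step of its handshake
    (0.02, "198.51.100.7", 53, "S"),   # a second query later, also completed
    (0.03, "198.51.100.7", 53, "A"),
] + [(0.10 + i * 0.001, "203.0.113.9", 53, "S") for i in range(6)] \
  + [(0.20 + i * 0.001, "192.0.2.%d" % (10 + i), 53, "S") for i in range(3)]


def half_open_by_source(events, port=53):
    """Replay client-side events for one TCP port.

    A bare SYN adds a pending handshake for its source; the client's ACK
    retires the oldest pending one. What is left is the set of half-open
    connections the server is still holding state for, per source.
    """
    pending = defaultdict(list)
    for t, src, dport, flags in events:
        if dport != port:
            continue
        if "S" in flags and "A" not in flags:
            pending[src].append(t)
        elif "A" in flags and pending[src]:
            pending[src].pop(0)
    return {src: len(ts) for src, ts in pending.items() if ts}


def syn_flood_report(events, per_source_threshold=5, total_threshold=8):
    """Flag sources above per_source_threshold half-open handshakes and,
    separately, raise an alarm on the total, which is the only signal that
    survives when every SYN carries a different spoofed source."""
    half_open = half_open_by_source(events)
    total = sum(half_open.values())
    flagged = {s: n for s, n in half_open.items() if n > per_source_threshold}
    return {"flagged_sources": flagged,
            "total_half_open": total,
            "total_alarm": total > total_threshold}


if __name__ == "__main__":
    print(syn_flood_report(EVENTS))
```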
  51. Counter-Hacking by Anonymous Coward · · Score: 1, Interesting

    There are some companies developing software, that upon an attack by zombied machines, the server will find the hole, and counter-hack, and completely disable the machine from continuing the DoS attack. Very interesting idea, and finally a way to fight back against the hordes of script-kiddie hackers that are responsible for most DoS attacks.

    1. Re:Counter-Hacking by liquidsin · · Score: 2

      Good luck with that once the newer trojans lock down the machine's holes and install sshd to allow remote instruction.

      Um, does the fact that I just suggested this make me a terrorist?

      --
      do not read this line twice.
  52. OMG! The Weekly World News was right! by RobertB-DC · · Score: 3, Funny

    Yep, the Weekly World News, home of Bat Boy and "Iraqi Submarines Prowling Lake Michigan", has a giant headline in the issue I just saw at the checkout stand: TERRORIST PLOT TO BLOW UP INTERNET ON 1-11!"

    The subheads are:
    * Computer virus will destroy US economy!
    * The US Military will be paralyzed!
    * Electricity, food and water supplies vanish!

    Clearly, we're ignoring these attacks at our own peril, when as technical a publication as the Weekly World News has picked up the story.

    (Back to reality, I literally burst out laughing and almost dropped my Mountain Dew when I saw that headline. Blow up "The Internet". Sounds like my daughter's friends... they come over and ask if her computer "has the Internet on it". No, it doesn't, but it has *access* to the Internet. "Oh, you mean AOL?" Grrr...)

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    1. Re:OMG! The Weekly World News was right! by sphealey · · Score: 2
      That's a good one!

      But I especially like this part:
      "Iraqi Submarines Prowling Lake Michigan"
      Lake Michigan is of course so thick with Coast Guard (and Chicago Fire Dept, and Milwaukee Fire Dept etc.) helicopters and ships rescuing newbie and ocean sailors who think that [lake] == [easy sailing] that a submarine would probably be run into the bottom in a matter of minutes!

      sPh

    2. Re:OMG! The Weekly World News was right! by Xtraneous · · Score: 2

      Those submarines are sure going to have an interesting time going up-stream undetected, through 4-5 sets of rapids, a 140 (IIRC) foot rise in water level, and Niagara Falls!

      --
      .noitacidem deen uoy siht daer nac uoy fI
    3. Re:OMG! The Weekly World News was right! by Puppet+Master · · Score: 1
      I saw that headline.... and I too cracked up laughing. The lady in front of me at the grocery store told me to heed the words strongly. She was sure it could happen.

      I told her to go back to aisle 3 and buy a clue or two...

      As I've said before, you can lead a llama to clues, but you can't make them think!

      --
      The day Microsoft creates a product that doesn't suck, it will be known as the Microsoft Vacuum Cleaner!
  53. The Edge of the Internet by Anonymous Coward · · Score: 0

    Can someone explain exactly what 'the edge' refers to?

    1. Re:The Edge of the Internet by SEWilco · · Score: 4, Informative
      Can someone explain exactly what 'the edge' refers to?

      If you visualize the Internet as a graph where lines represent each communication link, each computer has various numbers of lines to its neighbors.

      Usually the systems which have the most connections are shown on such a graph as being deep inside the web. Those which have only one connection, such as home computers and others which use one ISP, tend to be a frilly edge all around the web.

      "Securing the edge" means protecting against misbehavior of servers around the edge, particularly servers other than communication devices inside ISPs. A common example is ingress filtering, where an ISP rejects packets from customers when the origin address (the computer's IP address) is not one of the ISP's addresses; this shouldn't happen because the ISP knows the proper addresses of its customers. Ingress filtering keeps "the edge" from sending in garbage.
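      The ingress filtering described above, as an added example that is not part of the post: a BCP38-style check on a per-port prefix table (hypothetical ISP ports and addresses). A source that belongs to a different customer port is treated as spoofed from this port too, and the per-port drop count is what an ISP would alert on.

```python
import ipaddress
from collections import Counter

# Constructed ISP table: the source prefixes legitimately reachable behind
# each customer-facing port. Ports and addresses are hypothetical.
CUSTOMER_PREFIXES = {
    "port-a": [ipaddress.ip_network("203.0.113.0/26")],
    "port-b": [ipaddress.ip_network("203.0.113.64/26"),
               ipaddress.ip_network("2001:db8:b::/48")],
}


def ingress_check(port, src):
    """Ingress filter for one packet entering on a customer port.

    Returns "accept" when the source address lies in a prefix assigned to
    that port, "drop-spoofed" otherwise (including another customer's
    prefix), and "drop-malformed" when the address does not parse.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop-malformed"
    if any(addr in net for net in CUSTOMER_PREFIXES.get(port, [])):
        return "accept"
    return "drop-spoofed"


def filter_packets(packets):
    """Apply the check to (port, src, dst) tuples.

    Returns the packets to forward and a per-port count of drops; a port
    whose drop count suddenly climbs is a customer host emitting spoofed
    traffic, which is the edge misbehaviour the filter exists to contain.
    """
    forwarded, drops = [], Counter()
    for port, src, dst in packets:
        if ingress_check(port, src) == "accept":
            forwarded.append((port, src, dst))
        else:
            drops[port] += 1
    return forwarded, drops


# Constructed sample traffic: legitimate packets plus spoofed ones on port-a.
SAMPLE = [
    ("port-a", "203.0.113.10", "198.51.100.53"),    # legitimate
    ("port-a", "203.0.113.70", "198.51.100.53"),    # port-b's address: spoofed
    ("port-a", "192.0.2.1", "198.51.100.53"),       # unassigned: spoofed
    ("port-b", "2001:db8:b::10", "2001:db8:53::1"), # legitimate IPv6
    ("port-b", "203.0.113.70", "198.51.100.53"),    # legitimate
    ("port-a", "not-an-ip", "198.51.100.53"),       # malformed
]

if __name__ == "__main__":
    fwd, drops = filter_packets(SAMPLE)
    for pkt in fwd:
        print("forward", pkt)
    print("drops per port:", dict(drops))
```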

  54. Ha! by gt25500 · · Score: 0, Offtopic

    And you all thought DOS was dead!
    Err.. Oh, heh... Denial of Service.....
    *exits quietly*

    If the root servers can't protect themselves... who CAN protect themselves?

    --
    _________ Help me get a PSP!
  55. Re:Very surprising (NOT) by Anonymous Coward · · Score: 0

    The service provides a couple of *supposed* advantages:

    > Better latency. They use an anycast routing network which guarantees that a query to their DNS servers will be received and answered by the closest server based on the network topology. Even though there is only 2 published IP's for nameservers. There are some 16 servers scattered around the globe to answer on those IP's.

    Yeah, but that's how DNS already works - caching servers choose the DNS server that responds the fastest to DNS requests. Also anycast networks have 1-5 minute delay to fail over to another network in the event of an outage. And there's no failover in the event of a brownout. Since DNS load-balancing operates at the application layer, caching servers can heavily optimize their requests.

    > Near real time database updates. They use an Oracle advanced replication network to get updates out to the other servers in near real time.

    Nearly all DNS software does this now. See BIND's : ndc reload "zone", and "notify" commands.

    > Proprietary software. The only significant advantage here is that it's not BIND.

    BIND has been attacked and repaired over and over. It has thousands of eyeballs on it, and hundreds of contributors from major firms. UltraDNS has never been a serious target, like say other big companies with proprietary non-Apache software. Experience shows that proprietary software is significantly less secure than open-source. Wait until some former disgruntled employee publishes the source, and see what happens. Oh wait, you *are* a former employee.

    > The problem with your example is that chances are, your DNS server in LA will be getting queries for Europe, which isn't all that ideal. Once again, is it that important? Not really.

    Except that right after the DNS gets hit from Europe, the website gets hit from Europe too, and really, there's where you will see issues (if any). As a percentage of time, "DNS hits" consume less than 1% of the time spent on a given web session. If you improve this by 20%, you've sped up your site but less than 1/5th of 1%.

    Finally, if you decide to get a "replicated site" in Europe, just put a DNS server there too, and the euro traffic will, likely, hit it first.

    Even better, turn off round-robin and zone replication, and have the euro server deliver the euro A-record first (same pattern with the others). Modern browsers will then fail-over in the presence of multiple A-records.

    The worst thing about outsourcing, especially DNS, is that you are combining your site with 10,000 other sites on a single network. This creates a more attractive target to hackers.

    The best thing about outsourcing is that they "do it for you". Which is really why anyone does it.

  56. hmm by exspecto · · Score: 0

    Yesterday my internet connection kept "dropping" and then coming back. I use cable internet, but it seemed like a DNS problem because I could still ping IP addresses, just not hostnames. I wonder if this was a symptom of the DOS?

  57. It's a good warning by Ted_Green · · Score: 2

    I don't know much about the UltraDNS stuff.. as for the other thing:

    7 of the 13 servers went down for a bit. And because of caching and redundancy this wasn't really a noticeable thing.
    It might be, however, if a million Windows boxes commenced such an attack over days.

    When it comes right down to it, I think the root operators are doing a pretty good job all things considered. (they're already approaching ways in which to protect themselves)

    However, if this had been an attack on verisign's .com zone file then I suspect a rather large number of users would have experienced some rather large problems.

    There was a lot of force behind the blow, but the punch wasn't aimed well.

    What's bothersome is that if this was used by someone who knew what they were doing. (That's assuming it was an attack and not a warning, or a test of some sort)

  58. I find it funny.... by illumina+us · · Score: 1

    That UltraDNS is advertising itself as the most reliable DNS, and yet, it got attacked with a DoS? Reliable indeed....

    --
    -illumina+us "I put on my robe and wizard hat..."
  59. central control by robbo · · Score: 2

    Do you want to give control of an entire gTLD to one organization?

    Hmm.. trolling for ICANN haters? I see no particular security problem with a central authority managing a TLD, provided that their backup servers are distributed widely in both the geographical and topological senses. We shouldn't confuse this particular issue with that of whether a central authority like ICANN should have the right to control who can and cannot create new TLD's.

    --
    So long, and thanks for all the Phish
  60. I always thought ... by Snoopy77 · · Score: 1

    that a DOS attack was when you went and installed MS-DOS on a computer rendering it inoperable.

    --
    "She's a West Texas girl, just like me" - G.W Bush Iraqis
  61. Solution! by nrd907s · · Score: 1

    It'd be quite easy to stop all of these ddos attacks....quit linking to other sites from slashdot

  62. Re:Very surprising (NOT) by Anonymous Coward · · Score: 0

    "Experience shows that proprietary software is significantly less secure than open-source."

    BIND is an exception to this. BIND has an idiotic security record, bloat, and misdesign. Security hole monster. We all know it. Yet you are trying to make believe otherwise.

  63. Turing of the internet by beta21 · · Score: 1

    Actually thats pretty easy, you can turn it off at Turn off the Internet

  64. Get over yourself. by Anonymous Coward · · Score: 0

    You're either an engineer or a groupie. If Dan Bernstein's right, it doesn't matter if he's being a prick or a saint.


    What in the world makes you think people doing real work need to meet your subjective "social" expectations?

    1. Re:Get over yourself. by Anonymous Coward · · Score: 0

      What in the world makes you think people doing real work need to meet your subjective "social" expectations?

      I don't think the original poster was worried about whether DB can pick up chicks. :) Being "social" in this case seems to mean "don't be an arrogant asshole gratuitously". I.e., save it for when it's necessary and don't beat on people during the course of a civil discussion.

      Like it or not, part of getting "real work" done involves social skills. Just being right is *not* enough much of the time. Some of the greatest minds in history have failed to be heard because of their inability to gain the acceptance of others. Many more lesser minds have been successful for just the opposite reason.

  65. Tracing Packets? by Anonymous Coward · · Score: 0
    Is anyone implementing probabilistic packet marking?

    Probabilistic packet marking is an idea to trace packets by coding trace info in unused header bits. Part of the trace info goes in each packet, so one needs many packets to get all the label. The info is placed in a small percentage of packets, so some packets contain info from earlier routers. A victim site will have many packets, so can assemble info for many routers through which the packets passed.

    Has this been implemented yet?
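    The marking scheme described above, as an added simulation that is not part of the post: it uses the unfragmented node-sampling form (the whole router address plus a hop counter fits in the mark field, so no reassembly of fragments is needed) with made-up router addresses. Each router marks with probability p, and the victim rebuilds the path from the distance each surviving mark carries.

```python
import random
from collections import Counter, defaultdict

# Hypothetical routers on the path, attacker's first hop first. Constructed.
PATH = ["10.0.1.1", "10.0.2.1", "10.0.3.1", "10.0.4.1", "10.0.5.1"]


def forward(mark, path, p, rng):
    """Carry one packet's mark (address, distance) through the path.

    Each router, with probability p, overwrites the address with its own and
    resets the distance to 0; otherwise it only increments the distance. So
    a surviving mark says which router wrote it and how many hops ago.
    """
    addr, dist = mark
    for router in path:
        if rng.random() < p:
            addr, dist = router, 0
        else:
            dist += 1
    return addr, dist


def collect_marks(path, n, p, seed=1, forged=None):
    """Victim side: tally the marks of n packets. `forged` is whatever the
    sender put in the field before transmission (None = zeroed field)."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n):
        counts[forward((forged, 0), path, p, rng)] += 1
    return counts


def reconstruct_path(counts):
    """Order routers by the distance on their marks, nearest to the victim
    first. At each distance keep the address seen most often. Because every
    router increments the distance, a value the sender forged can only show
    up at the largest distance, behind all real routers, never in front."""
    by_dist = defaultdict(Counter)
    for (addr, dist), n in counts.items():
        if addr is not None:
            by_dist[dist][addr] += n
    return [by_dist[d].most_common(1)[0][0] for d in sorted(by_dist)]


def expected_fraction(p, dist):
    """Share of packets whose surviving mark comes from the router `dist`
    hops before the victim (0 = last router): it marked, and none of the
    `dist` routers after it overwrote the mark, i.e. p * (1 - p) ** dist."""
    return p * (1 - p) ** dist


if __name__ == "__main__":
    marks = collect_marks(PATH, 20000, 0.2)
    print("victim-outward path:", reconstruct_path(marks))
    print("forged field ends up last:",
          reconstruct_path(collect_marks(PATH, 20000, 0.2, forged="192.0.2.66")))
```

The fraction formula also explains why the post says "one needs many packets": the first hop's mark survives only p(1-p)^4 of the time, so the far end of the path is the slowest to fill in.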

  66. DDOS on ROOT SERVERS vs ISP Routers by Anonymous Coward · · Score: 0

    Hi People,

    I'm probably out of the hot-zone by now since the Backbone-ISP I worked for has gone bankrupt.

    This is my experience however.

    DDOS attacks cannot be stopped as long as the routers on the backbone are not set-up to do so.

    Yeah, you read it right the first time. And we were not the only network to run without any specific setup to dynamically counter attacks.
    Sure, there are preferences to configure a router so it can packet-filter and rate-limit DDOS-like traffic (very elaborate ones even) but some ISPs would rather not do this since it would fry their precious machinery, and no this is not Microsoft equipment we're talking about here.

    Bottom line I got on the root-dns-attack story is that the attackers stopped just-in-time not to choke these servers. Five minutes more and they would have gone belly up. But that might have been a story by itself.

  67. Banner Irony by Anonymous Coward · · Score: 0

    I loaded this page and got a banner for "World's most Reliable DNS - UltraDNS - Bulletproof". Seriously. This is one of the things real editors at real news sources try to avoid :)

  68. Maybe that's why the weird addresses by billstewart · · Score: 2

    It's possible that the weird x.x.0.0 addresses were a programming bug (forgot to run a loop?), but my initial guess was that it was trying to trigger the old-style directed broadcasts (remember when all-zeros was the broadcast instead of all-ones?), guessing that many people have the sense to block all-ones directed broadcast.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  69. How? by Dog+and+Pony · · Score: 2

    Just kick over to Freenet, no DNS required.

    Where am I gonna download a client without DNS? ;-)

    1. Re:How? by UnknownQ · · Score: 1

      http://152.2.210.121/sourceforge/freenet/freenet-0.5.0.7.tar.gz

      --
      Wherever you go, there you are!
    2. Re:How? by Anonymous Coward · · Score: 0

      It is then official. Some people just can't get a joke, and never ever will.

      The point wasn't that, the point was that when the DNS servers are down, it is too late.

      Any stupid moron can get an IP #. I hear your teacher calling, kid. Go try trolling some karma out of her instead.

      Sheesh. Some people. Blargh.

  70. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  71. How to ensure free speech forever by 0x0d0a · · Score: 2

    Get one of the Freenet guys (or, if an EFF guy is willing to help out again, one of them) to point out that Freenet is the *ideal* protection against terrorist attacks on the information infrastructure of the United States.

    Consider all the "security" grants that are being thrown left and right at companies. They're lapping up all those tax dollars in the form of government contracts. If Freenet can grab just one, that would fund development for a long, long time. Lots of improvements, and I'd have a hard time imagining a more worthy cause than a more robust, secure, attack-resistant, private system that makes for more efficient transfers over the network.

    The overwhelming majority of my university's CS research funding comes from the Department of Defense. Freenet couldn't snag just a few of that flood of dollars going to organizations around the country?

    1. Re:How to ensure free speech forever by delta407 · · Score: 2

      Yes, the Freenet crew is well aware that their project can and will survive the eventual massive infrastructure failure. It's a fully distributed, highly adaptive network that's not tethered to any method of communication -- there are experiments with FNP (Freenet Native Protocol) over ham radio, for instance. And, of course, you could always light up private fiber or communicate via Iridium or some other satellite network.

      Unfortunately, Freenet is currently being used by a large number of child pornographers and could also easily be used (if it's not already) by people opposed to the DoD, so they would much rather not attract attention from the government...

  72. This is different - needs broader support. by billstewart · · Score: 2
    4of12's suggestion for whitelisting is different from the RFC2870 advice. The RFC essentially permits the machines in root-servers.org to have a hidden master, but it doesn't apply to non-rootservers, such as the DNS servers at big ISPs, which is where most people get their DNS from. In fact, it forbids root-zone transfers from non-rootserver machines, though it permits the rootservers to run an FTP mirror for outsider downloads.


    4of12's suggestion would let the rootservers run a server that's only accessible from known (and presumably important) addresses, such as the DNS servers for the big ISPs. That would take care of the most important uses of DNS, since most people get their DNS queries answered by their ISP's servers, either from cache or from recursive queries. Letting the big ISPs do zone transfers from a protected net would preserve that. (Without zone transfers, an obvious attack is for the zombies to look for bogus000001.com, bogus000002.com, etc.)


    Beyond that, DNS queries and zone transfers aren't the only way to send the information around. DNS A-record data compresses well (Unfortunately, DNSSEC data doesn't, and it's much bulkier.) And everybody wants the same data, so multicasting can be an efficient way to transmit it (using your favorite reliable-multicast application.) A back-of-the-envelope guess is that the dot-com namespace would compress to somewhere between 100-300MB, which would take 10-30kbps to transmit it in a day - and most of it has a TTL that's much longer, so you could handle it efficiently with incremental updates. Another alternative to multicast would be a peer-to-peer app that's designed for handling big files, like BitTorrent. (BitTorrent's designed more for static content rather than dynamic, so you'd need some file naming scheme for fetching today's version.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  73. I still wonder.... by hta · · Score: 2

    is there any information on whether the DDOS attack on UltraDNS actually affected service?
    The UltraDNS infrastructure has 16 or so machines on the same IP number. So it's harder to hit all of them. And it's not BIND, so it may be harder to bring down. (not sure it matters - the root DDOS didn't crash BIND either).
    And of course UltraDNS is typically not serving all of the secondaries for a zone.
    If anyone has real info....

    1. Re:I still wonder.... by Anonymous Coward · · Score: 0

      Just because UltraDNS uses anycast does not alleviate the problem, instead it just hides the machines' true IPs. For example, it's pretty well assumed that any attack of sufficient size to take down a network of this size is going to have machines located geographically everywhere, and hence they all are attacking an anycast IP, so the machines will attack the closest BGP located server. So unless they manage to actually crash the box, and take down its BGP session, the advertisement for that box will continue to be given, and people will still try to send packets to this severely flooded box. Now if they do manage to crash the box, you will actually see a very rapid domino effect, as the traffic quickly shifts (I see someone say 1-5 minutes to converge, in practice that's the extreme HIGH end of it, it's more likely in a matter of a few seconds if you have multiple boxes on the same provider) to the next box, and so on and so on, building up and up as each box falls down.

  74. Grab a copy of all root DNS references by bigberk · · Score: 1

    In the following file you will find listed the IP addresses for all root servers. In case all DNS goes to hell, you can use this to look up any host name, be it COM/NET/ORG, any country, etc.

    ftp://rs.internic.net/domain/root.zone.gz
  75. The case for kids. by mindstrm · · Score: 2

    Why kids, why not organized adults with financial resources?
    The answer: WHY

    Kids.. it's fun, it's destructive, it's a sense of power.. the reasons go on. I shouldn't have to explain them.. go back, I'm sure many of you can understand.

    Adults.. and I'm not talking about big kids who never grew up here... need a financial reason to do this. Could organized, intelligent hackers with financial backing do some serious damage to the internet? You better believe it. What would they have to gain? Not much. Prison. Hatred. Being labeled as terrorists, maybe killed.

    What are you going to do? Hold the Internet for ransom? I doubt it.

    That's why this stuff is chiefly done by kids, not grownups.

  76. Another DoS attack by NiTr|c · · Score: 1

    So, ultra DNS gets DoSed, then it get slashdotted too? They're having a great day!

    --
    Try actually thinking for yourself. It's quite refreshing.
  77. Re:.ORG TLD... [OT] by Anonymous Coward · · Score: 0

    On the other hand, see what happens if you type in just "CNN".

    On IE on my mac, I get cnn.com.

    On a Windows 98 computer I tried this on a couple weeks ago, it took me to a "search page" listing a number of sites. The top one, separated from the others with a big screenshot of the front page and the words "featured link", was MSN.com.

    I think CNN was on the list, only further down, but still, what the hell??

  78. Last Post! by alpg · · Score: 1

    > Yeah, Linus is in the US.
    >
    > His source trees are in Finland.

    OK, someone give him access -fast- ...... ;-)
    -- babydr@nwrain.net, because of problems with the kernel

    - this post brought to you by the Automated Last Post Generator...