Slashdot Mirror


DOS Attacks On DNS Provider

Greedo writes "Seems like UltraDNS was hit with a denial of service attack this weekend. Since these are the guys who are supposed to be running the .ORG DNS, and in light of recent attacks on the gTLD roots, attacks against DNS servers should be treated very seriously. What kind of protection can be had? What happens when an attack like this brings down an entire TLD? Do you want to give control of an entire gTLD to one organization? Read a follow-up discussion on comp.protocols.dns.std."

19 of 224 comments

  1. Not that dangerous... by Anonymous Coward · · Score: 3, Informative

    It's not that big of a deal, since most people's DNS requests never reach the TLD servers. Instead they're handled by a mirror at a lower point on the tree.

    But, still, we should catch these DOSers and throw them into a federal pound-me-in-the-ass prison.

    Damned arab terrorist scum! Down with Saudi Arabia!!!

    1. Re:Not that dangerous... by zsazsa · · Score: 3, Informative

      It's not that big of a deal, since most people's DNS requests never reach the TLD servers. Instead they're handled by a mirror at a lower point on the tree.

      The most recent attack wasn't on the root nameservers, it was on UltraDNS, which is a large-scale commercial DNS hosting provider. A lot of big sites rely on their DNS service.

  2. IN SOVIET RUSSIA by Anonymous Coward · · Score: 0, Informative

    comrade Taco DOSes your bunghole.

  3. Very surprising by ekrout · · Score: 5, Informative

    I have seen the UltraDNS ads here at Slashdot and thusly decided to read up on their techniques as well.

    Basically, they urge large important Web sites to outsource their DNS needs to another company (them). Before this DOS attack on their servers, they provided near perfect stability, security, and performance. If I recall correctly, Hotmail, Forbes, and Oracle have already used the services of UltraDNS.

    It's a shame that such a wonderful resource (the Internet) is so often abused by a few rowdy hackers and trolls.

    Here is a whitepaper that describes their services in depth and explains the reasons for outsourcing one's DNS needs.

    --

    If you celebrate Xmas, befriend me (538
    1. Re:Very surprising by Johannes · · Score: 5, Informative

      Disclaimer: I used to work at UltraDNS until a couple of months ago when I was laid off.

      The service provides a couple of advantages:

      Better latency. They use an anycast routing network which guarantees that a query to their DNS servers will be received and answered by the closest server based on the network topology. Even though there are only 2 published IPs for nameservers, there are some 16 servers scattered around the globe to answer on those IPs.

      Near real time database updates. They use an Oracle advanced replication network to get updates out to the other servers in near real time.

      Proprietary software. The only significant advantage here is that it's not BIND.

      All in all, it's about as good as DNS will get. Do you need it for your personal domain? Hardly. Do you need it for a popular domain like slashdot.org? Probably not.

      It works best for really large and really popular zones, like TLDs.

      However, it's still going to be better (albeit not as significantly) for your personal domain too.

      Anyway, bandwidth isn't really the issue with DNS. It's latency and availability.

      The problem with your example is that chances are, your DNS server in LA will be getting queries for Europe, which isn't all that ideal. Once again, is it that important? Not really.

      But it will work obviously.

  4. Re:Shameless plug for UltraDNS by Gothmolly · · Score: 3, Informative

    Then there's ZoneEdit, which is Free-as-in-beer for the first 5 zones. w00t!

    --
    I want to delete my account but Slashdot doesn't allow it.
  5. not just UltraDNS - others too by martin · · Score: 4, Informative


    Seems this was a distributed DDoS (DDDOS - sounds like a stammer :-), many people got this..

    http://www.merit.edu/mail.archives/nanog/msg05349.html

  6. Re:ISOC? by Anonymous Coward · · Score: 4, Informative

    Afilias uses UltraDNS for their DNS Infrastructure. It was in the proposal. Here's the link to the UltraDNS press release.

    http://www.ultradns.com/news/021028.html

  7. DNS Servers by sjanich · · Score: 4, Informative

    It is more than just a few servers.

    Generally each "server" has multiple separate internet connections. The server itself is usually a set of two or more machines acting as one. The servers are distributed around the internet. They are not concentrated in one place either geographically, or network topographically.

  8. Re:From the author of qmail comes.... by dbretton · · Score: 5, Informative

    From the DJBDNS page...

    Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)

    Seems to me like DJBDNS wouldn't help a lick!

    -D

  9. Re:Why attack the DNS-servers? by Anonymous Coward · · Score: 3, Informative

    My employer, apparently, has expected something like this to occur. Starting last summer, we have been modifying all of the unix hosts on the network to hard-code in the locations of the important hosts in the network: /etc/hosts now has the mailservers, webservers, etc, for all of the local network.

    The rationale behind this is simple: the dns boxes get dumb quite quickly when they lose their upstream connection. Once this happens, the dns for everything starts to fail, and even the internal hosts start having problems communicating. By using /etc/hosts and caching nameservers on all the hosts, we can delay (if not prevent) the stupidity that comes from the upstream dns being unreachable.
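
A check that goes with the /etc/hosts pinning described in the comment above: pinned addresses keep working through an outage but go stale when a server is renumbered. This is an added example, not part of the original comment; the hostnames, addresses and the AUTHORITATIVE table are constructed, and `parse_hosts` and `audit` are hypothetical helper names.

```python
# Added example: audit pinned /etc/hosts entries; all data below is constructed.
from ipaddress import ip_address

HOSTS_TEXT = """\
# pinned so local services survive an upstream DNS outage
127.0.0.1      localhost
192.0.2.25     mail.example.org mail
192.0.2.80     www.example.org   # web front end
2001:DB8::80   www.example.org
192.0.2.53     ns1.example.org
not-an-ip      broken.example.org
"""

# Current zone data; in practice collected while DNS is reachable.
AUTHORITATIVE = {
    "mail.example.org": {"192.0.2.25"},
    "www.example.org": {"192.0.2.81", "2001:db8::80"},  # IPv4 renumbered
}

def parse_hosts(text):
    """Return {name: set(addresses)}, skipping comments and malformed lines."""
    pinned = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ip_address(fields[0]))  # normalises address spelling
        except ValueError:
            continue
        for name in fields[1:]:
            pinned.setdefault(name.lower(), set()).add(addr)
    return pinned

def audit(text, authoritative):
    """Return sorted (name, problem, addresses) for pins needing attention."""
    findings = []
    for name, addrs in parse_hosts(text).items():
        if "." not in name:
            continue  # localhost and short aliases are not checked
        if name not in authoritative:
            findings.append((name, "unverified", sorted(addrs)))
        elif addrs - authoritative[name]:
            findings.append((name, "stale", sorted(addrs - authoritative[name])))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(HOSTS_TEXT, AUTHORITATIVE):
        print(finding)
```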

  10. Not decentralized by meldir · · Score: 2, Informative

    DNS is decentralized, in the sense that no server holds all information, but servers only hold information for a certain part of the domain-space. However, *no server can cache all information*, and to answer queries, these servers must ask other servers. And to know which servers are authoritative for a certain domain, you'll have to ask the root servers. This makes DNS pretty centralized in the end. And vulnerable.

  11. There's something at internettrafficreport.com by Jugalator · · Score: 5, Informative

    Look at this, especially that huge packet loss spike at 11/24...

    Seems suspicious, although that site hasn't put up any news about it like they did with the major DNS attack a couple of weeks ago.

    --
    Beware: In C++, your friends can see your privates!
  12. Re:Why attack the DNS-servers? by Leto2 · · Score: 2, Informative

    Which of course doesn't work now that all decent apache setups use vhosts for their domains.

    --
    <grub> Reading /. at -1 is like driving through Cracktown in a convertible that is stuck in 1st
  13. Re:All the protection *I* need... by Strog · · Score: 2, Informative

    Might I suggest you add google to your hosts. You are going to need the cache to read any articles once you get here. :)

  14. Re:Why attack the DNS-servers? by CoolVibe · · Score: 3, Informative

    No problem!

    Watch and learn:

    $ telnet 1.2.3.4 80
    Connected to 1.2.3.4...
    GET / HTTP/1.1
    Host: www.somesite.org
    [enter]
    [enter]
    [stream of html follows]

    Easy no?

  15. Re:Why attack the DNS-servers? by delta407 · · Score: 3, Informative

    At any rate, it sure seems like access to a critical top level DNS should be filtered to a big white list of mirror machines, which could then handle general purpose inquiries.

    Sorta like section 3.3.4 of RFC 2870?

    3.3.4 A 'hidden primary' server, which only allows access by the authorized secondary root servers, MAY be used.

    Besides which, a lot of the beefy top-level DNS servers are actually a bunch of identical servers behind some load balancing solution, so this makes a whole lot of sense.

  16. Re:The Edge of the Internet by SEWilco · · Score: 4, Informative

    Can someone explain exactly what 'the edge' refers to?

    If you visualize the Internet as a graph where lines represent each communication link, each computer has various numbers of lines to its neighbors.

    Usually the systems which have the most connections are shown on such a graph as being deep inside the web. Those which have only one connection, such as home computers and others which use one ISP, tend to be a frilly edge all around the web.

    "Securing the edge" means protecting against misbehavior of servers around the edge, particularly servers other than communication devices inside ISPs. A common example is ingress filtering, where an ISP rejects packets from customers when the origin address (the computer's IP address) is not one of the ISP's addresses; this shouldn't happen because the ISP knows the proper addresses of its customers. Ingress filtering keeps "the edge" from sending in garbage.
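
The ingress filtering described in the comment above, as an added example that is not part of the original thread: a per-interface prefix check, and (going beyond the comment) a strict reverse-path check that drops a legitimate multihomed customer whose return route is asymmetric. All prefixes, interface names and function names are constructed for illustration.

```python
# Added example: source-address ingress filtering; all data below is constructed.
from ipaddress import ip_address, ip_network

# Prefixes the ISP assigned to the customer behind each edge interface.
CUSTOMER_PREFIXES = {
    "cust-a": [ip_network("198.51.100.0/24")],
    "cust-b": [ip_network("203.0.113.0/25"), ip_network("2001:db8:b::/48")],
    "cust-c": [ip_network("192.0.2.0/24")],  # multihomed customer
}

# Interface the routing table prefers for traffic *to* each prefix.
# cust-c's best return path is via a peer link: routing is asymmetric.
BEST_RETURN_PATH = {
    ip_network("198.51.100.0/24"): "cust-a",
    ip_network("203.0.113.0/25"): "cust-b",
    ip_network("2001:db8:b::/48"): "cust-b",
    ip_network("192.0.2.0/24"): "peer-1",
}

def acl_filter(in_iface, src):
    """Accept only if src lies in a prefix assigned to the arrival interface."""
    addr = ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(in_iface, []))

def strict_rpf(in_iface, src):
    """Accept only if the best route back to src uses the arrival interface."""
    addr = ip_address(src)
    matches = [net for net in BEST_RETURN_PATH if addr in net]
    if not matches:
        return False  # no route back to the claimed source
    best = max(matches, key=lambda net: net.prefixlen)  # longest-prefix match
    return BEST_RETURN_PATH[best] == in_iface

def classify(packets):
    """Return (iface, src, acl_verdict, strict_rpf_verdict) per packet."""
    return [(i, s, acl_filter(i, s), strict_rpf(i, s)) for i, s in packets]

# Constructed packets: (arrival interface, claimed source address).
SAMPLE = [
    ("cust-a", "198.51.100.7"),   # legitimate
    ("cust-a", "203.0.113.9"),    # spoofed: cust-b's address seen on cust-a
    ("cust-b", "2001:db8:b::1"),  # legitimate IPv6
    ("cust-c", "192.0.2.10"),     # legitimate, asymmetric return path
    ("cust-a", "10.0.0.1"),       # source outside every assigned prefix
]

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```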

  17. Re:ISP's responsibility. by Anonymous Coward · · Score: 1, Informative

    We tried that, but after having a bunch of customers scream at us, we turned it off less than two hours later. You forget that many legitimate services use asymmetric routing.