Slashdot Mirror

← Back to Stories (view on slashdot.org)

DOS Attacks On DNS Provider

Posted by ryuzaki0 on from the going-after-the-big-boys dept.

Greedo writes "Seems like UltraDNS was hit with a denial of service attack this weekend. Since these are the guys who are supposed to be running the .ORG DNS, and in light of recent attacks on the gTLD roots, attacks against DNS servers should be treated very seriously. What kind of protection can be had? What happens when an attack like this brings down an entire TLD? Do you want to give control of an entire gTLD to one organization? Read a follow-up discussion on comp.protoocols.dns.std."

8 of 224 comments (clear)

  1. Very surprising by ekrout · · Score: 5, Informative

    I have seen the UltraDNS ads here at Slashdot and thusly decided to read up on their techniques as well.

    Basically, they urge large important Web sites to outsource its DNS needs to another company (them). Before this DOS attack on their servers, they provided near perfect stability, security, and performance. If I recall correctly, Hotmail, Forbes, and Oracle have already used the services of UltraDNS.

    It's a shame that such a wonderful resource (the Internet) is so often abused by a few rowdy hackers and trolls.

    Here is a whitepaper that describes their services in depth and explains the reasons for outsourcing one's DNS needs.

    --

    If you celebrate Xmas, befriend me (538
    1. Re:Very surprising by Johannes · · Score: 5, Informative

      Disclaimer: I used to work at UltraDNS until a couple of months ago when I was laid off.

      The service provides a couple of advantages:

      Better latency. They use an anycast routing network which guarantees that a query to their DNS servers will be received and answered by the closest server based on the network topology. Even though there is only 2 published IP's for nameservers. There are some 16 servers scattered around the globe to answer on those IP's.

      Near real time database updates. They use an Oracle advanced replication network to get updates out to the other servers in near real time.

      Proprietary software. The only significant advantage here is that it's not BIND.

      All in all, it's about as good as DNS will get. Do you need it for your personal domain? Hardly. Do you need it for a popular domain like slashdot.org? Probably not.

      It works best for really large and really popular zones, like TLDs.

      However, it's still going to be better (albeit not as significantly) for your personal domain too.

      Anyway, bandwidth isn't really the issue with DNS. It's latency and availability.

      The problem with your example is that chances are, your DNS server in LA will be getting queries for Europe, which isn't all that ideal. Once again, is it that important? Not really.

      But it will work obviously.

  2. not just UltraDNS - others too by martin · · Score: 4, Informative


    Seems this was as distrubuted DDoS (DDDOS - sounds like a stemmer:-), many people got this..

    http://www.merit.edu/mail.archives/nanog/msg0534 9. html

  3. Re:ISOC? by Anonymous Coward · · Score: 4, Informative

    Afilias uses UltraDNS for their DNS Infrastructure. It was in the proposal. Here's the link to the UltraDNS press release.

    http://www.ultradns.com/news/021028.html

  4. DNS Servers by sjanich · · Score: 4, Informative

    It is more then just a few servers.

    Generally each "server" has multiple seperate internet connections. The server it self is usally a set of two or machines acting as one. The servers are distributed around the internet. They are not concentrated in one place eigther geographically, or network topographically.

  5. Re:From the author of qmail comes.... by dbretton · · Score: 5, Informative

    From the DJBDNS page...

    Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)

    Seems to me like DJBDNS wouldn't help a lick!

    -D

  6. There's something at internettrafficreport.com by Jugalator · · Score: 5, Informative

    Look at this, especially that huge packet loss spike at 11/24...

    Seems suspicious, although that site hasn't put up any news about it like they did with the major DNS attack a copule of weeks ago.

    --
    Beware: In C++, your friends can see your privates!
  7. Re:The Edge of the Internet by SEWilco · · Score: 4, Informative
    Can someone explain exactly what 'the edge' refers to?

    If you visualize the Internet as a graph where lines represent each communication link, each computer has various numbers of lines to its neighbors.

    Usually the systems which have the most connections are shown on such a graph as being deep inside the web. Those which have only one connection, such as home computers and others which use one ISP, tend to be a frilly edge all around the web.

    "Securing the edge" means protecting against misbehavior of servers around the edge, particularly servers other than communication devices inside ISPs. A common example is ingress filtering, where an ISP rejects packets from customers when the origin address (the computer's IP address) is not one of the ISP's addresses; this shouldn't happen because the ISP knows the proper addresses of its customers. Ingress filtering keeps "the edge" from sending in garbage.