Slashdot Mirror


DOS Attacks On DNS Provider

Greedo writes "Seems like UltraDNS was hit with a denial of service attack this weekend. Since these are the guys who are supposed to be running the .ORG DNS, and in light of recent attacks on the gTLD roots, attacks against DNS servers should be treated very seriously. What kind of protection can be had? What happens when an attack like this brings down an entire TLD? Do you want to give control of an entire gTLD to one organization? Read a follow-up discussion on comp.protocols.dns.std."

19 of 224 comments

  1. Re:Why attack the DNS-servers? by doomdog · · Score: 2, Insightful


    Well of course it's unproductive -- that's the hallmark of crackers, script kiddies and virus developers. These dregs of our society do these things just for the perverse pleasure of seeing how much havoc they can cause...

    These people are degenerates, delighting in the misery of others. Such are not worthy of life.

  2. Re:Why attack the DNS-servers? by 4of12 · · Score: 5, Insightful

    isn't that a bit counterproductive?

    Absolutely.

    OTOH, if you were in the business of providing a spoofed name service, then this would be the first step in doing so.

    At any rate, it sure seems like access to a critical top level DNS should be filtered to a big white list of mirror machines, which could then handle general purpose inquiries.

    That, or increase the number of TLDs, but that's already an insolubly bad political problem.

    --
    "Provided by the management for your protection."
  3. It's not a problem by Ted_Green · · Score: 5, Insightful

    If you're using an alternative root server.

    And in all honesty, I would say that if the "official" root servers can't protect themselves, they really have no business being root servers (TLD or otherwise) in the first place.

  4. Bringing down the TLD? by Alethes · · Score: 3, Insightful

    How badly can attacking the root DNS servers affect the Internet experience since DNS is so decentralized? If the root server is down, that doesn't prevent the thousands of immediate DNS servers from being able to resolve domain names for the users, right? It seems like it'd only be able to prevent the propagation of new domain names. What gives?

    1. Re:Bringing down the TLD? by Shimbo · · Score: 3, Insightful

      How badly can attacking the root DNS servers affect the Internet experience since DNS is so decentralized?

      DNS isn't really that decentralized. OK, you don't need access to the root zone itself that often. It's the big TLDs like .com and .org that are the big problem. And yes, if you have a good infrastructure it will be cached somewhere upstream. However, some proportion of these will time out if the DDOS is sustained for any length of time.

      For DHCP, say, you refresh before the timeout, so there is a minimum downtime of your DHCP server before the client's lease times out altogether. AFAIK, for DNS when the TTL expires that's it; so some sites will start dropping out of the cache as soon as authoritative DNS becomes unavailable.

  5. Re:From the author of qmail comes.... by dohcvtec · · Score: 5, Insightful

    Enough said
    Not really... what are you trying to say? Can DJBDNS prevent thousands of trojaned Windows systems from pinging it incessantly? I didn't think so, and you had no point.

    --
    -- Never hit a man with glasses. Hit him with a baseball bat.
  6. Re:Very surprising by swb · · Score: 3, Insightful

    I never quite got the whole outsourced DNS thing.

    Is it a question of just providing global geographic and network diversity for a site's nameservice, or is there something here that I'm missing?

    If I was example.com and I had an office in two locations with a T1 in each, NY and LA and I had three NS records, ns-la.example.com, ns-ny.example.com and ns.myisp.com what are they going to offer me that I don't already have?

    Proprietary firewall technology? OC-192s to 10 providers? Some home-brewed nameserver software more immune to hack attacks? Some kind of latency measure that replies with better A records?

    They're all nice, but they're all expensive, although maybe I'm missing out on something I should have.

  7. Re:Why attack the DNS-servers? by Blkdeath · · Score: 5, Insightful

    But it would be a great way to scare the general public. It won't necessarily be as terrifying as hijacking planes, but it can spread some fear into many people. (mainly IT types)
    Actually, the last DoS attack on the root nameservers sucked, but it didn't frighten IT people. The only people things like this frighten are Average Joe Consumer types who don't really understand how these things work. For them, the "web" is the "Internet", and anything that affects "the web" could bring down the whole Internet (as if it's just a few computers in a lab somewhere that can be shut down like shutting off a light switch).

    The DNS system was designed for redundancy; if it can withstand a direct nuclear attack on 60% of its facilities (vis; 6-7 of the root servers), it can withstand a DoS attack. Considering the upstream providers of each of the root servers are responsive enough to throttle the traffic to a more reasonable level, and the caching, hierarchical nature of the DNS system (except for mickey-mouse systems who query the root nameservers only with no fallback support), it would take days to notice an outage. In that time, the root servers could set up spare boxes and have the system back up and running with relatively minimal disruption.

    To truly affect the operation of "the internet" as a whole, a DDoS attack would have to be sustained for days on end.

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  8. Re:Source and motivation by uchian · · Score: 2, Insightful

    More to the point, we should be welcoming this kind of attack (you know what I mean), if it shows that there is a weakness in the way that a vital component of the internet works, then knowing about it early means that solutions can be fielded and tested to secure the internet against these attacks.

    I am very glad that this kind of attack is being discussed in the open; rather than being hidden from public view. Much better that it discussed now rather than after somebody attempts to render the internet useless.

  9. Re:Progress? by zmalone · · Score: 3, Insightful

    I realize that this is probably a troll, but if you really are clueless, I guess I'll fill you in. DNS does not replace the IP system, it expands upon it. If the DNS hierarchy were to disappear there would be no negative effect upon the internet, you would just lose the ability to use symbolic names. If you really want to remove that "weak" link, you're welcome to use IPs, and if the DNS fails, you can continue operating as normal. I personally think missing net access every once in a while is far less bothersome than memorizing IP addresses or adding them to my hosts file.

  10. Dan Bernstein by tuxlove · · Score: 4, Insightful

    Reading that Usenet thread was ugly. Dan Bernstein has the unsurpassed ability to present (often) good ideas while being a complete prick.

    Dan, you want people to take you more seriously, try being human once in a while. You don't need to prove just how damn intelligent you are by beating other people over the head with their own "ignorance". You might want to work on your own ignorance in the social skills department first.

    That said, transmitting the entire root zone over Usenet and other means sounds like a good suggestion. I hope you can start sounding like less of a lunatic so people will listen to the idea.

    1. Re:Dan Bernstein by efflux · · Score: 2, Insightful

      I'm not familiar with the person in question, but I know the attitude, and I agree whole-heartedly. It's made it so that I can't stand to use UseNet, no matter what the group. You *will* run into freaks like these, and there is no use in trying to present an argument or to extract an argument out of these people so that you can understand the issue at hand. These attitudes destroy academia and investigative thinking.

      I had even run into an individual IRL who had this genius complex as he was trying to sell me on an Open Source project he was working on. He was so unbearable I don't want to work with him.

      To people with such complexes, I suggest you have them read Nietzsche. He has a lot to say about "the cult of the genius". Though I disagree with him on many counts and feel he suffered from the same delusions he denounced, I have to agree with his reasoning in this matter.

      He may have mentioned this in several of his writings, but in particular, I am referencing _Human, all too Human_.

      --
      Do I contradict myself? Very well, then I contradict myself, I am large, I contain multitudes. -- Walt Whitman
  11. Re:Source and motivation by curtisk · · Score: 5, Insightful

    well said....ppl automatically jump to the "it's just a bunch of script-kiddies" mentality....there may be a HELL of a wake-up call some day....

    --

    Sehr geehrter Toilettenbenutzer!

  12. ISP's responsibility. by jwdeff · · Score: 4, Insightful

    All ISP's should have access lists on their routers allowing traffic out only if the source address is within their network. Directed Broadcasts should be turned off to limit smurf attacks. This itself would cut the problem ten fold.

    1. Re:ISP's responsibility. by Sloppy · · Score: 2, Insightful

      I can think of situations where someone might have a slow link for upload (e.g. 56k modem on phone line) but a completely different link for faster downloading (e.g. satellite dish).

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
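    The source-address filtering jwdeff proposes (what RFC 2827 / BCP 38 calls ingress filtering at the customer edge) and Sloppy's asymmetric-link objection can both be shown in a small decision model. This is an added example and not any vendor's router configuration or code from the thread; the interface names, prefixes, exception list and packet records are constructed. It permits a packet only if its source address belongs to the prefixes routed behind the interface it arrived on (or to a documented exception for a customer whose upload and download links differ), and separately refuses packets addressed to one of the operator's own subnet broadcast addresses, which is the directed-broadcast case jwdeff mentions.

```python
"""Constructed model of per-interface source-address validation (BCP 38 style)
plus a directed-broadcast check. Not a real router ACL; all addresses and
interface names are made up (RFC 5737 documentation ranges)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet arrived on (customer-facing side)


# Constructed: interface -> prefixes legitimately sourced behind it.
CUSTOMER_PREFIXES = {
    "cust-A": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-B": [ipaddress.ip_network("203.0.113.0/25")],
}

# Constructed: documented exceptions for asymmetric setups (Sloppy's case: a
# host numbered by one provider that sends its upstream traffic over another
# link). The exception is explicit and narrow rather than a blanket bypass.
ASYMMETRIC_EXCEPTIONS = {
    "cust-A": [ipaddress.ip_network("203.0.113.200/32")],
}

# Constructed: subnets the operator itself announces; their broadcast
# addresses are refused as destinations (the smurf amplification case).
LOCAL_SUBNETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/25"),
]


def filter_packet(pkt, prefixes=CUSTOMER_PREFIXES,
                  exceptions=ASYMMETRIC_EXCEPTIONS, local=LOCAL_SUBNETS):
    """Return ("permit" | "deny", reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    allowed = prefixes.get(pkt.iface, []) + exceptions.get(pkt.iface, [])
    if not any(src in net for net in allowed):
        # Source is not routed behind this interface: cannot be legitimate.
        return "deny", "spoofed-source"
    for net in local:
        if dst == net.broadcast_address:
            return "deny", "directed-broadcast"
    return "permit", "ok"


def audit(packets):
    """Count verdicts over a batch of packets, e.g. for a filter-effect report."""
    counts = {}
    for pkt in packets:
        verdict, reason = filter_packet(pkt)
        key = verdict if verdict == "permit" else f"deny/{reason}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.1", "cust-A"),     # legitimate
    Packet("10.0.0.1", "192.0.2.1", "cust-A"),         # spoofed source
    Packet("203.0.113.5", "192.0.2.1", "cust-A"),      # other customer's space, wrong iface
    Packet("203.0.113.200", "192.0.2.1", "cust-A"),    # documented asymmetric exception
    Packet("198.51.100.7", "203.0.113.127", "cust-A"), # directed broadcast to our /25
    Packet("203.0.113.9", "192.0.2.1", "cust-B"),      # legitimate
    Packet("198.51.100.7", "192.0.2.1", "unknown"),    # no prefixes configured: deny
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, "->", filter_packet(pkt))
    print(audit(SAMPLE))
```

    The deny-by-default on an interface with no configured prefixes is deliberate: a filter that fails open on a missing entry is exactly the gap that spoofed traffic would flow through. The asymmetric case is handled as a named exception so that it is visible in an audit rather than quietly widening the allowed set.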
  13. Nukes and Freenet by 0x0d0a · · Score: 5, Insightful

    For them, the "web" is the "Internet", and anything that affects "the web" could bring down the whole Internet

    Just one thought -- does Freenet use DNS at all? I *think* it doesn't. Because if not, it provides an existing, easy-to-migrate-to solution in case of such a catastrophic event. Just kick over to Freenet, no DNS required.

    The DNS system...can withstand a direct nuclear attack on 60% of its facilities

    As opposed to, say, those pesky indirect nuclear attacks? :-)

  14. Re:Why attack the DNS-servers? by Idarubicin · · Score: 4, Insightful

    Not when you are trying to make a political statement. I don't know if anyone has claimed responsibility for this yet, or if anyone will. But it would be a great way to scare the general public. It won't necessarily be as terrifying as hijacking planes, but it can spread some fear into many people. (mainly IT types)

    Nobody has yet claimed responsibility. Makes it sound kind of noble, doesn't it? What nobody has yet done is admitted guilt. I have always taken extreme exception to the media's convention that terrorists and criminals claim responsibility for murder. It's not a prize. Confessed to slaughter or declared lack of conscience or asserted no concern for fellow human beings might be more appropriate. Criminals shouldn't be allowed--or worse, invited--to claim responsibility, only admit guilt.

    --
    ~Idarubicin
  15. Re:Source and motivation by FuzzyDaddy · · Score: 3, Insightful

    Whereas these attacks, as well as some of the worms that have surfaced recently, strike me more as testing of new techniques and probing of defenses by an organized group that is working on techniques to cause widespread disruption.

    Frightening as it is, I would agree with you. It seems that bragging rights would be much better for taking down amazon, yahoo, msn, or some other big name company. Attacks on infrastructure components which are not widely known to the public at large do strike me as a probe to see where the vulnerabilities of the network lie.

    After this period of explosive internet growth, we need to start addressing the vulnerabilities of the network. Whether the network can still withstand a massive physical attack or not, we know it is vulnerable to network attacks. I had a friend who used to work for MIT Lincoln Labs; he told me there were at least a dozen ways to take down the internet.

    --
    It's not wasting time, I'm educating myself.
  16. Re:Time for a new model by MavEtJu · · Score: 3, Insightful

    Say a P2P network of all the DNS servers, which would feature client side intelligent load balancing (i.e. it only queries past your ISP's DNS when it needs to).

    Set your nameserver to forward all your requests to your ISP's DNS instead of having a .-hinted-zone.

    Of course, ultimately you have to have some sort of root server. But in a distributed model, they could be essentially insulated from DOS attacks, because they just need to get the master list out to a few systems for it to propagate all over.

    Isn't that what we have now?

    --
    bash$ :(){ :|:&};: