Slashdot Mirror

← Back to Stories (view on slashdot.org)

DOS Attacks On DNS Provider

Posted by ryuzaki0 on from the going-after-the-big-boys dept.

Greedo writes "Seems like UltraDNS was hit with a denial of service attack this weekend. Since these are the guys who are supposed to be running the .ORG DNS, and in light of recent attacks on the gTLD roots, attacks against DNS servers should be treated very seriously. What kind of protection can be had? What happens when an attack like this brings down an entire TLD? Do you want to give control of an entire gTLD to one organization? Read a follow-up discussion on comp.protoocols.dns.std."

9 of 224 comments (clear)

  1. Re:Why attack the DNS-servers? by 4of12 · · Score: 5, Insightful

    isn't that a bit counterproductive?

    Absolutely.

    OTOH, if you were in the business of providing a spoofed name service, then this would be the first step in doing so.

    At any rate, it sure seems like access to a critical top level DNS should be filtered to a big white list of mirror machines, which could then handle general purpose inquiries.

    That, or increase the number of TLDs, but that's already an insolubly bad political problem.

    --
    "Provided by the management for your protection."
  2. It's not a problem by Ted_Green · · Score: 5, Insightful

    If you're using an alternative root server.

    And in all honesty, I would say that if the "offical" root servers can't protect themselves, they really have no business being root servers (TLD or otherwise) in the first place.

  3. Re:From the author of qmail comes.... by dohcvtec · · Score: 5, Insightful

    Enough said
    Not really... what are you trying to say? Can DJBDNS prevent thousands of trojaned Windows systems from pinging it incessantly? I didn't think so, and you had no point.

    --
    -- Never hit a man with glasses. Hit him with a baseball bat.
  4. Re:Why attack the DNS-servers? by Blkdeath · · Score: 5, Insightful
    But it would be a great way to scare the general public. It won't necessarily be as terrifying as hijacking planes, but it can spread some fear into many people. (mainly IT types)
    Actually, the last DoS attack on the root nameservers sucked, but it didn't frighten IT people. The only people things like this frighten are Average Joe Consumer types who don't really understand how these things work. For them, the "web" is the "Internet", and anything that affects "the web" could bring down the whole Internet (as if it's just a few computers in a lab somewhere that can be shut down like shutting off a light switch).

    The DNS system was designed for redundancy; if it can withstand a direct nuclear attack on 60% of its facilities (vis; 6-7 of the root servers), it can withstand a DoS attack. Considering the upstream providers of each of the root servers are responsive enough to throttle the traffic to a more reasonable level, and the caching, heirarchal nature of the DNS system (except for mickey-mouse systems who query the root nameservers only with no fallback support), it would take days to notice an outage. In that time, the root servers could set up spare boxes and have the system back up and running with relatively minimal disruption.

    To truly affect the operation of "the internet" as a whole, a DDoS attack would have to be sustained for days on end.

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  5. Dan Bernstein by tuxlove · · Score: 4, Insightful

    Reading that Usenet thread was ugly. Dan Bernstein has the unsurpassed ability to present (often) good ideas while being a complete prick.

    Dan, you want people to take you more seriously, try being human once in a while. You don't need to prove just how damn intelligent you are by beating other people over the head with their own "ignorance". You might want to work on your own ignorance in the social skills department first.

    That said, transmitting the entire root zone over Usenet and other means sounds like a good suggestion. I hope you can start sounding like less of a lunatic so people will listen to the idea.

  6. Re:Source and motivation by curtisk · · Score: 5, Insightful

    well said....ppl automatically jump to the "it's just a bunch of script-kiddies" mentality....there may a HELL of a wake-up call some day....

    --

    Sehr geehrter Toilettenbenutzer!

  7. ISP's responsibility. by jwdeff · · Score: 4, Insightful

    All ISP's should have access lists on their routers allowing traffic out only if the source address is within their network. Directed Broadcasts should be turned off to limit smurf attacks. This itself would cut the problem ten fold.

  8. Nukes and Freenet by 0x0d0a · · Score: 5, Insightful

    For them, the "web" is the "Internet", and anything that affects "the web" could bring down the whole Internet

    Just one thought -- does Freenet use DNS at all? I *think* it doesn't. Because if not, it provides an existing, easy-to-migrate-to solution in case of such a catastrophic event. Just kick over to Freenet, no DNS required.

    The DNS system...can withstand a direct nuclear attack on 60% of its facilities

    As opposed to, say, those pesky indirect nuclear attacks? :-)

    --
    May we never see th
  9. Re:Why attack the DNS-servers? by Idarubicin · · Score: 4, Insightful
    Not when you are trying to make a political statement. I don't know if anyone has claimed responsibility for this yet, or if anyone will. But it would be a great way to scare the general public. It won't necessarily be as terrifying as hijacking planes, but it can spread some fear into many people. (mainly IT types)

    Nobody has yet claimed responsibility. Makes it sound kind of noble, doesn't it? What nobody has yet done is admitted guilt. I have always taken extreme exception to the media's convention that terrorists and criminals claim responsibility for murder. It's not a prize. Confessed to slaughter or declared lack of conscience or asserted no concern for fellow human beings might be more appropriate. Criminals shouln't be allowed--or worse, invited--to claim responsibility, only admit guilt.

    --
    ~Idarubicin