DOS Attacks On DNS Provider

Greedo writes "Seems like UltraDNS was hit with a denial of service attack this weekend. Since these are the guys who are supposed to be running the .ORG DNS, and in light of recent attacks on the gTLD roots, attacks against DNS servers should be treated very seriously. What kind of protection can be had? What happens when an attack like this brings down an entire TLD? Do you want to give control of an entire gTLD to one organization? Read a follow-up discussion on comp.protoocols.dns.std."

Re:Why attack the DNS-servers?

[4of12]

isn't that a bit counterproductive?

Absolutely.

OTOH, if you were in the business of providing a spoofed name service, then this would be the first step in doing so.

At any rate, it sure seems like access to a critical top level DNS should be filtered to a big white list of mirror machines, which could then handle general purpose inquiries.

That, or increase the number of TLDs, but that's already an insolubly bad political problem.

It's not a problem

[Ted_Green]

If you're using an alternative root server.

And in all honesty, I would say that if the "offical" root servers can't protect themselves, they really have no business being root servers (TLD or otherwise) in the first place.

Re:From the author of qmail comes....

[dohcvtec]

Enough said
Not really... what are you trying to say? Can DJBDNS prevent thousands of trojaned Windows systems from pinging it incessantly? I didn't think so, and you had no point.

Re:Why attack the DNS-servers?

[Blkdeath]

But it would be a great way to scare the general public. It won't necessarily be as terrifying as hijacking planes, but it can spread some fear into many people. (mainly IT types)

Actually, the last DoS attack on the root nameservers sucked, but it didn't frighten IT people. The only people things like this frighten are Average Joe Consumer types who don't really understand how these things work. For them, the "web" is the "Internet", and anything that affects "the web" could bring down the whole Internet (as if it's just a few computers in a lab somewhere that can be shut down like shutting off a light switch).

The DNS system was designed for redundancy; if it can withstand a direct nuclear attack on 60% of its facilities (vis; 6-7 of the root servers), it can withstand a DoS attack. Considering the upstream providers of each of the root servers are responsive enough to throttle the traffic to a more reasonable level, and the caching, heirarchal nature of the DNS system (except for mickey-mouse systems who query the root nameservers only with no fallback support), it would take days to notice an outage. In that time, the root servers could set up spare boxes and have the system back up and running with relatively minimal disruption.

To truly affect the operation of "the internet" as a whole, a DDoS attack would have to be sustained for days on end.

Re:Source and motivation

[curtisk]

well said....ppl automatically jump to the "it's just a bunch of script-kiddies" mentality....there may a HELL of a wake-up call some day....

Nukes and Freenet

[0x0d0a]

For them, the "web" is the "Internet", and anything that affects "the web" could bring down the whole Internet

Just one thought -- does Freenet use DNS at all? I *think* it doesn't. Because if not, it provides an existing, easy-to-migrate-to solution in case of such a catastrophic event. Just kick over to Freenet, no DNS required.

The DNS system...can withstand a direct nuclear attack on 60% of its facilities

As opposed to, say, those pesky indirect nuclear attacks? :-)