Slashdot Mirror


DOS Attacks On DNS Provider

Greedo writes "Seems like UltraDNS was hit with a denial of service attack this weekend. Since these are the guys who are supposed to be running the .ORG DNS, and in light of recent attacks on the gTLD roots, attacks against DNS servers should be treated very seriously. What kind of protection can be had? What happens when an attack like this brings down an entire TLD? Do you want to give control of an entire gTLD to one organization? Read a follow-up discussion on comp.protocols.dns.std."

17 of 224 comments

  1. Re:Why attack the DNS-servers? by Anonymous Coward · · Score: 1, Interesting

    Why brag about it when you can read it in every newspaper on the next day? (If the attack was large enough!)

  2. Re:Why attack the DNS-servers? by greechneb · · Score: 4, Interesting

    Not when you are trying to make a political statement. I don't know if anyone has claimed responsibility for this yet, or if anyone will. But it would be a great way to scare the general public. It won't necessarily be as terrifying as hijacking planes, but it can spread some fear into many people. (mainly IT types)

    But as the world becomes more dependent on the internet, expect more attacks to resemble this one. Take down the infrastructure, and watch the rest tumble without it.

    Plus you don't have to commit suicide to terrorize the public. - Of course that means no virgins for you by dying in a holy war...

  3. Source and motivation by sphealey · · Score: 5, Interesting
    You are assuming that the specific attacks on the DNS servers are being carried out by kids and "young dudes" working by themselves for the thrill of it.

    Whereas these attacks, as well as some of the worms that have surfaced recently, strike me more as testing of new techniques and probing of defenses by an organized group that is working on techniques to cause widespread disruption.

    sPh

  4. From the author of qmail comes.... by livio · · Score: 1, Interesting
    DJBDNS!

    Very stable, performs really, really well on old machines we have here, makes my admin life plenty easy, and never had any security problems with it.

    Enough said ;-)

  5. Progress? by registered_user · · Score: 2, Interesting

    I think the original concept of the web got lost somewhere. I was under the impression that the Internet itself was designed [by Al Gore :)] to not have a "control center." So that it could function even if most of it was destroyed. But now the internet has been altered into a network that relies on a few DNS servers. Why? So my bookmarks don't have to keep track of IPs? That seems silly. I am also pretty certain that my email address will cease to function without DNS servers as well. So without DNS I can neither access web pages nor email. This is somehow progress?

    1. Re:Progress? by Bizaff · · Score: 2, Interesting

      I agree that DNS is not supposed to replace IP, but what I think registered_user was saying is that everyone's address book says person@host.name, not person@127.0.0.1. Losing the use of symbolic names IS disastrous. It won't stop you from getting where you know the IP, but how many IPs do people know off the top of their heads?

      If DNS goes away, how is that mail going to get routed? How will people browse all the other sites people only know by name? Sure, you can have an updated /etc/hosts, but I know I don't want to maintain one for every site I visit.

      Sure, you have the redundancy of secondary DNS servers.. but what if someone takes most of the root servers down, and compromises the others to start giving out the wrong IP's? Ok, this is a little contrived, but I see what registered_user is getting at. We ARE awfully dependent on DNS.

      I'm jus sayin!

    2. Re:Progress? by jafiwam · · Score: 2, Interesting

      Smaller web sites tend to be multi-homed on the same IP, using the HTTP host-header to specify what virtual web to use for any given request.

      So using the IP of a smaller site is likely to get a "Default" install page for the web server software, or to the hosting company's own web site. (Using a http://###.###.###.### request to an IP is one of the tricks that can be used to track down who is hosting some site you don't like, spammers or whatever.)

      The only way to visit one of those without the DNS system would be to use a hosts file on the local machine so the HTTP header comes into the web server correctly. DNS servers are left out of the loop entirely in that case.

      For small web sites, "no DNS" means "not on the net". (Big web sites probably have only one IP, so the IP address would work just fine in a browser, but how much database driven stuff looks at the URL to make sense about what to do...)

      DNS and IP are complementary systems for allowing data transfer. DNS has a very different function: routing meaningful traffic (not just packets, but web sites and other services) to people, that sits over the IP stuff, which just cares about getting packets from one place to another.
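The mechanism jafiwam describes above, as an added example that is not part of the thread: an HTTP/1.1 server picks the virtual host from the Host header, so a request aimed at a bare IP (or one with no Host header at all) lands on the default site, and with DNS gone the only way to reach a name-based vhost is a local hosts-file entry that still lets the browser put the right name in the header. The host names, the shared address (a TEST-NET-1 address) and the hosts-file table are constructed for illustration; the "server" is a lookup table, not a real web server.

```python
"""Added example (not from the Slashdot thread): how the HTTP/1.1 Host header
selects a name-based virtual host, and why a request to a bare IP address
lands on the server's default site. Names, addresses and the hosts-file table
below are constructed for illustration."""

import ipaddress
from typing import Dict, Optional

# Constructed vhost table: several small sites sharing one IP address.
SHARED_IP = "192.0.2.10"
VHOSTS = {
    "www.example.org": "site: example.org front page",
    "blog.example.net": "site: example.net blog",
}
DEFAULT_SITE = "default: web server install page (or the hosting company's site)"


def build_request(host: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 request as a browser emits it. `host` is whatever stood in
    the URL: a name if one was typed, or the bare IP address."""
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def host_header(raw: bytes) -> Optional[str]:
    """Pull the Host header value out of a raw request (header names are
    case-insensitive); None if the request carries no Host header."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii")
    return None


def route(raw: bytes) -> str:
    """Server-side vhost dispatch: drop any :port, look the name up, and fall
    back to the default site when Host is missing, unknown, or a bare IP."""
    host = host_header(raw)
    if host is None:
        return DEFAULT_SITE
    if host.startswith("["):                      # IPv6 literal, e.g. [2001:db8::1]:80
        end = host.find("]")
        host = host[:end + 1] if end != -1 else host
    else:
        host = host.rsplit(":", 1)[0]
    return VHOSTS.get(host.lower(), DEFAULT_SITE)


def resolve(url_host: str, hosts_file: Dict[str, str]) -> str:
    """Name resolution with DNS unavailable: an IP literal needs no lookup,
    otherwise only the local hosts-file table (constructed) can answer."""
    try:
        return str(ipaddress.ip_address(url_host))
    except ValueError:
        pass
    try:
        return hosts_file[url_host]
    except KeyError:
        raise LookupError(f"no DNS and no hosts entry for {url_host}") from None


def fetch(url_host: str, hosts_file: Dict[str, str]) -> str:
    """Client side: resolve the URL host to an address, then send the request
    with the *original* URL host in the Host header, as a browser does."""
    resolve(url_host, hosts_file)                 # raises if the name cannot be resolved
    return route(build_request(url_host))


if __name__ == "__main__":
    no_dns_hosts = {"www.example.org": SHARED_IP}  # constructed /etc/hosts
    print(fetch("www.example.org", no_dns_hosts))   # reaches the right vhost
    print(fetch(SHARED_IP, no_dns_hosts))            # bare IP: default page
    try:
        fetch("blog.example.net", no_dns_hosts)      # no hosts entry, no DNS
    except LookupError as err:
        print(err)
```

Running it shows the three cases from the comment: the site whose name is in the hosts file is reachable, the bare IP returns the default page, and a site with neither DNS nor a hosts entry is simply "not on the net".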

  6. Re:Shameless plug for UltraDNS by nochops · · Score: 4, Interesting

    I've been using UltraDNS for more than 2 years now, and I'm also nothing but happy with them.

    You're right about their ease of use, it's definitely a strong point.

    I've never had any issues with them, and come to think of it, I didn't have any problems this weekend either. In fact, I got -more- spam than usual, so I'm going to assume that if the spammers didn't have a problem resolving my domain name, neither did anyone else.

    --
    "A terrorist is someone who has a bomb but doesn't have an air force." -William Blum

  7. Is it realistic? by Itsik · · Score: 3, Interesting

    I truly question whether it is realistic to bring the entire system down. There are so many servers around the world that offer a redundant service to those servers that it would be hard to actually "feel" that the root DNS server is no longer available. Which gives whoever quite a bit of time to be able to bring the affected system back up.

  8. everydns by Wakkow · · Score: 4, Interesting

    Otherwise, you can use everydns.net for free which runs a nice djbdns setup behind a very clean interface and only asks for donations.

  9. Re:Why attack the DNS-servers? by unger · · Score: 3, Interesting

    Or even more likely, IMHO, if you were a competitor of UltraDNS.

    So the question to ask is, "who would benefit from the demise of UltraDNS?"

  10. Time for a new model by laigle · · Score: 5, Interesting

    Given these attacks, maybe it's time to shift the DNS model to something more distributed. Say a P2P network of all the DNS servers, which would feature client side intelligent load balancing (i.e. it only queries past your ISP's DNS when it needs to). It wouldn't take a whole lot, since it only needs to be capable of a very minute series of transactions. You could throw in CRC codes and a verification system if people wanted to be extra paranoid about it.

    Of course, ultimately you have to have some sort of root server. But in a distributed model, they could be essentially insulated from DOS attacks, because they just need to get the master list out to a few systems for it to propagate all over. There could be a redundant distribution mechanism whereby the root servers send the list out through normal channels, but also send it to some randomly selected servers by phone call as a backup. At that stage hosing the root servers (or more accurately their connections, I doubt anyone is gonna ping one of those things to lockup) would not only be difficult and dangerous, but pointless. You cut off its connection via the internet, but the list still gets out and immediately spreads to so many DNS servers you couldn't possibly shut them all down, and you would have to shut down most of the world's DNS servers to have any impact on users.

    Ultimately it wouldn't change things too much, since we're already pretty insulated from these attacks. But it does have a nice "just in case" factor to prevent some megaworm or Y2K-style OS-pervasive glitch from knocking us on our butts. And it would take the wind out of the sails for a bunch of the script kiddies (and the odd genuine hacker) out there trying to crash the net, which is almost worth it in and of itself.

  11. There is an elegant solution by lazlo · · Score: 5, Interesting
    There is an elegant solution that seems tailor-made for this particular problem (i.e., massive bandwidth DDOS of a small number of servers serving a stateless UDP-based service). It's called anycast, and it's being used successfully now. An excellent example of its use is the AS112 project.

    Here's a quick overview I found: http://www.pch.net/documents/tutorials/ipv4-anycast/ipv4-anycast.ppt

    Now if we can just get all or most of the root-servers and gtld-servers moved to anycast, then there should be at least minor performance gains, and fairly large stability/resilience-to-DOS gains.

    --
    Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?

    1. Re:There is an elegant solution by ahpeterson · · Score: 3, Interesting

      Interesting that you should mention anycast. UltraDNS has actually been using anycast ever since the system was initially brought online (early 1999).

  12. Re:Why attack the DNS-servers? by Desert+Raven · · Score: 4, Interesting

    The rationale behind this is simple: the dns boxes get dumb quite quickly when they lose their upstream connection. Once this happens, the dns for everything starts to fail, and even the internal hosts start having problems communicating.

    I'd say it's your DNS administrators that are dumb. I've been maintaining DNS systems for years, and I've never had a DNS server so much as hesitate to serve authoritative addresses, no matter what was happening to the upstream connection.

  13. Counter-Hacking by Anonymous Coward · · Score: 1, Interesting

    There are some companies developing software that, upon an attack by zombied machines, the server will find the hole, and counter-hack, and completely disable the machine from continuing the DoS attack. Very interesting idea, and finally a way to fight back against the hordes of script-kiddie hackers that are responsible for most DoS attacks.

  14. Re:Dan Bernstein by SiliconEntity · · Score: 4, Interesting

    I met Bernstein briefly, and he seemed like a nice guy in person. He's relatively young, 30-ish, and soft spoken. But online he comes off as some kind of know-it-all curmudgeon.

    Personally I liked the suggestion in the Usenet thread to return expired DNS cache data when the authoritative servers are unreachable, at least as an option. 99% of the time when you can't do a host lookup, the old cached data would still be right. All the DNS purists hated the idea of using expired data, like it's unclean or something. But if it's all you've got, isn't it better to use old information than to give up on letting the net work at all?
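The option SiliconEntity argues for above, returning expired cache data when the authoritative servers cannot be reached, is what resolvers now call "serve-stale" (standardized years after this thread in RFC 8767). The following is an added example, not code from the thread or from any real resolver: a small cache in front of a constructed, toggleable "authoritative server" so the behaviour with and without the option can be compared. Names, addresses, TTLs and the staleness cap are all made-up values; the cap exists because stale data can be genuinely wrong if the zone was changed during the outage, so a bound on how long expired answers are reused is the caveat a practitioner would want.

```python
"""Added example (not from the Slashdot thread): a resolver cache that may hand
back expired records when the authoritative servers are unreachable, bounded by
a maximum staleness. The upstream is a constructed stand-in whose 'down' flag
simulates a DoS; names, addresses and TTLs are illustrative."""

from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


class Unreachable(Exception):
    """Raised by the upstream lookup when no authoritative server answers."""


@dataclass
class Record:
    address: str
    expires_at: float   # absolute time at which the TTL runs out


class FakeAuthoritative:
    """Constructed stand-in for a zone's authoritative servers."""

    def __init__(self, zone: Dict[str, Tuple[str, int]]):
        self.zone = zone          # name -> (address, ttl seconds)
        self.down = False         # set True to simulate the servers being DoSed
        self.queries = 0

    def __call__(self, name: str) -> Tuple[str, int]:
        self.queries += 1
        if self.down:
            raise Unreachable(name)
        return self.zone[name]    # KeyError for names the zone does not hold


class StaleCapableCache:
    """Caching resolver with an optional serve-stale fallback."""

    def __init__(self, upstream: Callable[[str], Tuple[str, int]],
                 serve_stale: bool, max_stale: float = 3 * 24 * 3600):
        self.upstream = upstream
        self.serve_stale = serve_stale
        self.max_stale = max_stale          # seconds past expiry we still answer
        self.cache: Dict[str, Record] = {}

    def lookup(self, name: str, now: float) -> Tuple[str, str]:
        """Return (address, source); source is 'cache', 'upstream' or 'stale'.
        Raises Unreachable when upstream is down and no usable stale data exists."""
        rec: Optional[Record] = self.cache.get(name)
        if rec is not None and now < rec.expires_at:
            return rec.address, "cache"         # fresh hit, normal behaviour
        try:
            address, ttl = self.upstream(name)   # TTL expired (or never cached): refresh
        except Unreachable:
            # The comment's point: 99% of the time the old answer is still right.
            if (self.serve_stale and rec is not None
                    and now - rec.expires_at <= self.max_stale):
                return rec.address, "stale"
            raise                                # purist behaviour: fail the lookup
        self.cache[name] = Record(address, now + ttl)
        return address, "upstream"


def demo(serve_stale: bool):
    """Walk one name through fresh lookup, cache hit, then an outage after expiry."""
    auth = FakeAuthoritative({"www.example.org": ("192.0.2.10", 300)})
    cache = StaleCapableCache(auth, serve_stale=serve_stale)
    t0 = 1_000_000.0
    first = cache.lookup("www.example.org", t0)          # goes upstream
    second = cache.lookup("www.example.org", t0 + 100)   # within TTL: cache
    auth.down = True                                      # the attack begins
    try:
        third = cache.lookup("www.example.org", t0 + 400)  # TTL gone, upstream dead
    except Unreachable:
        third = None
    return first, second, third


if __name__ == "__main__":
    print("serve-stale on: ", demo(True))
    print("serve-stale off:", demo(False))
```

With the option on, the third lookup answers from the expired record and is labelled "stale"; with it off, the same lookup fails, which is the "give up on letting the net work at all" outcome the comment objects to. The `max_stale` bound is the guard against reusing an answer long after the zone has legitimately moved.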