DOS Attacks On DNS Provider
Greedo writes "Seems like UltraDNS was hit with a denial of service attack this weekend. Since these are the guys who are supposed to be running the .ORG DNS, and in light of recent attacks on the gTLD roots, attacks against DNS servers should be treated very seriously. What kind of protection can be had? What happens when an attack like this brings down an entire TLD? Do you want to give control of an entire gTLD to one organization? Read a follow-up discussion on comp.protocols.dns.std."
I mean, isn't that a bit counterproductive?
"Yes, I brought the entire DNS-system crashing down! I'm l337! Now, all I have to do is to go online and brag about my exploits... Hmmm... There seems to be something wrong with my net-connection..."
Lesbian Nazi Hookers Abducted by UFOs and Forced Into Weight Loss Programs - -all next week on Town Talk.
Good thing MS is killing DOS in December. It's way too violent these days.
It's not that big of a deal, since most people's DNS requests never reach the TLD servers. Instead they're handled by a mirror at a lower point on the tree.
But, still, we should catch these DOSers and throw them into a federal pound-me-in-the-ass prison.
Damned arab terrorist scum! Down with Saudi Arabia!!!
Thought you would find this funny:
:)
In IE, I entered ORG and hit enter, just to see what would happen. Although highly unlikely, they could arrange some page there. Instead, MS search brought up a list of possible alternatives. Number one on the list?
Mozilla.org
Thanks, Bill
The ad at the top of the /. homepage was for UltraDNS as I was reading this story. Any publicity is good publicity, I guess...
Guardent is making a lot of noise about this sort of thing. Conspiracy theorists unite!
I want to delete my account but Slashdot doesn't allow it.
I have seen the UltraDNS ads here at Slashdot and thusly decided to read up on their techniques as well.
Basically, they urge large important Web sites to outsource their DNS needs to another company (them). Before this DOS attack on their servers, they provided near perfect stability, security, and performance. If I recall correctly, Hotmail, Forbes, and Oracle have already used the services of UltraDNS.
It's a shame that such a wonderful resource (the Internet) is so often abused by a few rowdy hackers and trolls.
Here is a whitepaper that describes their services in depth and explains the reasons for outsourcing one's DNS needs.
If you celebrate Xmas, befriend me (538
Whereas these attacks, as well as some of the worms that have surfaced recently, strike me more as testing of new techniques and probing of defenses by an organized group that is working on techniques to cause widespread disruption.
sPh
is the following line in my hosts
:)
66.35.250.150 slashdot.org
Then there's ZoneEdit, which is Free-as-in-beer for the first 5 zones. w00t!
Seems this was a distributed DDoS (DDDoS - sounds like a stammer :-)), many people got this..
http://www.merit.edu/mail.archives/nanog/msg053
Since these are the guys who are supposed to be running the .ORG DNS, and in light of recent attacks on the gTLD roots, attacks against DNS servers should be treated very seriously.
Should be? They are. The FBI and the Department of Homeland Security are already investigating this.
I think the original concept of the web got lost somewhere. I was under the impression that the Internet itself was designed [by Al Gore :)] to not have a "control center." So that it could function even if most of it was destroyed. But now the internet has been altered into a network that relies on a few DNS servers. Why? So my bookmarks don't have to keep track of IPs? That seems silly. I am also pretty certain that my email address will cease to function without DNS servers as well. So without DNS I can neither access web pages nor email. This is somehow progress?
If you're using an alternative root server.
And in all honesty, I would say that if the "official" root servers can't protect themselves, they really have no business being root servers (TLD or otherwise) in the first place.
I've been using UltraDNS for more than 2 years now, and I'm also nothing but happy with them.
You're right about their ease of use, it's definitely a strong point.
I've never had any issues with them, and come to think of it, I didn't have any problems this weekend either. In fact, I got -more- spam than usual, so I'm going to assume that if the spammers didn't have a problem resolving my domain name, neither did anyone else.
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
Afilias uses UltraDNS for their DNS Infrastructure. It was in the proposal. Here's the link to the UltraDNS press release.
http://www.ultradns.com/news/021028.html
I truly question whether it is realistic to bring the entire system down. There are so many servers around the world that offer a redundant service to those servers that it would be hard to actually "feel" that the root DNS server is no longer available. Which gives whoever quite a bit of time to be able to bring the affected system back up.
How badly can attacking the root DNS servers affect the Internet experience since DNS is so decentralized? If the root server is down, that doesn't prevent the thousands of immediate DNS servers from being able to resolve domain names for the users, right? It seems like it'd only be able to prevent the propagation of new domain names. What gives?
It is more than just a few servers.
Generally each "server" has multiple separate internet connections. The server itself is usually a set of two or more machines acting as one. The servers are distributed around the internet. They are not concentrated in one place either geographically, or network topographically.
I used to work for a large internet company in Virginia; we used to do these types of things all the time. It is a dirty little secret of the hosting community that large amounts of funds are currently being channeled to companies that suffer large scale attacks to strengthen their infrastructure. I know from personal experience that these government kickbacks are sometimes abused by recipients.
Not only are the hosting companies after the anti-terror funds. The sysadmins orchestrate these 'attacks' to gain 'relations' with the investigating FBI Special Agents. If you have not seen the women agents in the FBI's Computer Crimes Division do yourself a huge favor. Most of these 'attacks' originated from internal addresses and it was typically one of the sysadmins' birthday treats. I personally have gotten '7-digits' from these agents on numerous occasions and one of these lucky agents will be the mother of my children.
From the DJBDNS page...
Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)
Seems to me like DJBDNS wouldn't help a lick!
-D
not very nice to post the link to their site. Now not only they had to endure a DDoS ping flood attack, they'll have to deal with the ./ effect!
artaxerxes
Otherwise, you can use everydns.net for free which runs a nice djbdns setup behind a very clean interface and only asks for donations.
Enough said
Not really... what are you trying to say? Can DJBDNS prevent thousands of trojaned Windows systems from pinging it incessantly? I didn't think so, and you had no point.
-- Never hit a man with glasses. Hit him with a baseball bat.
DNS is decentralized, in the sense that no server holds all information, but servers only hold information for a certain part of the domain-space. However, *no server can cache all information*, and to answer queries, these servers must ask other servers. And to know which servers are authoritive for a certain domain, you'll have to ask the root servers. This makes DNS pretty centralized in the end. And vulnerable.
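The dependency the post above describes, shown as a toy model of iterative resolution with a delegation cache. This is an added example, not code from the poster or from any DNS implementation: a resolver only goes to the root when nothing useful is cached, so a root or TLD outage is felt first for names whose delegations are not cached yet, and by everyone once the cached NS records expire. Server names, addresses and the zone layout are constructed, and glue resolution is skipped (servers are looked up by name in a dict).

```python
"""Toy iterative DNS resolver with an NS cache (constructed lab, not real DNS code)."""

TLD_NS_TTL = 172800  # 2 days, the TTL the root zone puts on TLD NS records


class Down(Exception):
    """No reachable server for the delegation we need (a SERVFAIL, in effect)."""


def longest_zone(qname, zones):
    """Closest enclosing zone of qname among `zones` ('' would be the root)."""
    best = None
    for zone in zones:
        if zone == "" or qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


class AuthServer:
    def __init__(self, name, delegations=None, answers=None, up=True):
        self.name = name
        self.delegations = delegations or {}  # zone -> list of NS names
        self.answers = answers or {}          # qname -> IPv4 string
        self.up = up                          # False = under DDoS / unreachable

    def query(self, qname):
        """Return ('A', ip, None) or a referral ('NS', zone, ns_names)."""
        if not self.up:
            raise Down(self.name)
        if qname in self.answers:
            return "A", self.answers[qname], None
        zone = longest_zone(qname, self.delegations)
        if zone is None:
            raise KeyError(f"{self.name} has nothing for {qname}")
        return "NS", zone, self.delegations[zone]


class Resolver:
    def __init__(self, servers, root_names, ns_ttl=TLD_NS_TTL):
        self.servers = servers        # name -> AuthServer
        self.root_names = root_names  # the root hints
        self.ns_ttl = ns_ttl
        self.cache = {}               # zone -> (ns_names, expiry time)
        self.root_queries = 0

    def _live_cache(self, now):
        return {z: ns for z, (ns, exp) in self.cache.items() if exp > now}

    def _first_up(self, names):
        for n in names:
            if self.servers[n].up:
                return self.servers[n]
        return None

    def resolve(self, qname, now):
        live = self._live_cache(now)
        zone = longest_zone(qname, live)
        if zone is None:                 # nothing cached: must start at the root
            self.root_queries += 1
            names = self.root_names
        else:                            # start at the closest cached delegation
            names = live[zone]
        for _ in range(8):               # bound the referral chain
            srv = self._first_up(names)
            if srv is None:
                raise Down(f"no reachable server in {names} for {qname}")
            rtype, value, ns_names = srv.query(qname)
            if rtype == "A":
                return value
            self.cache[value] = (ns_names, now + self.ns_ttl)
            names = ns_names
        raise RuntimeError("referral loop")


def build_lab():
    """Constructed tree: root -> .org (two TLD servers) -> example.org / other.org."""
    servers = {
        "a.root": AuthServer("a.root", {"org": ["tld1.org", "tld2.org"]}),
        "tld1.org": AuthServer("tld1.org", {"example.org": ["ns1.example.org"],
                                            "other.org": ["ns1.other.org"]}),
        "tld2.org": AuthServer("tld2.org", {"example.org": ["ns1.example.org"],
                                            "other.org": ["ns1.other.org"]}),
        "ns1.example.org": AuthServer("ns1.example.org",
                                      answers={"www.example.org": "192.0.2.10"}),
        "ns1.other.org": AuthServer("ns1.other.org",
                                    answers={"www.other.org": "192.0.2.20"}),
    }
    return Resolver(servers, ["a.root"]), servers


if __name__ == "__main__":
    r, s = build_lab()
    print(r.resolve("www.example.org", now=0))    # warms the cache via the root
    s["a.root"].up = False                          # root unreachable
    print(r.resolve("www.example.org", now=60))   # still answered from cached NS
    s["tld1.org"].up = s["tld2.org"].up = False     # .org TLD unreachable too
    try:
        r.resolve("www.other.org", now=120)         # no cached delegation below org
    except Down as e:
        print("SERVFAIL:", e)
```

Run it and the third query fails while the second succeeds: a name whose delegation is already cached survives a root plus TLD outage for the life of the NS TTL, a name that is not cached does not, and once the cache expires every query needs the root again.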
Look at this, especially that huge packet loss spike at 11/24...
Seems suspicious, although that site hasn't put up any news about it like they did with the major DNS attack a couple of weeks ago.
Beware: In C++, your friends can see your privates!
Reading that Usenet thread was ugly. Dan Bernstein has the unsurpassed ability to present (often) good ideas while being a complete prick.
Dan, you want people to take you more seriously, try being human once in a while. You don't need to prove just how damn intelligent you are by beating other people over the head with their own "ignorance". You might want to work on your own ignorance in the social skills department first.
That said, transmitting the entire root zone over Usenet and other means sounds like a good suggestion. I hope you can start sounding like less of a lunatic so people will listen to the idea.
All ISP's should have access lists on their routers allowing traffic out only if the source address is within their network. Directed Broadcasts should be turned off to limit smurf attacks. This itself would cut the problem ten fold.
While I was reading about DOS attacks and the need for distributed DNS, I never thought I'd come across a post like this.
For them, the "web" is the "Internet", and anything that affects "the web" could bring down the whole Internet
:-)
Just one thought -- does Freenet use DNS at all? I *think* it doesn't. Because if not, it provides an existing, easy-to-migrate-to solution in case of such a catastrophic event. Just kick over to Freenet, no DNS required.
The DNS system...can withstand a direct nuclear attack on 60% of its facilities
As opposed to, say, those pesky indirect nuclear attacks?
May we never see th
Hammernode is quite good.
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
Given these attacks, maybe it's time to shift the DNS model to something more distributed. Say a P2P network of all the DNS servers, which would feature client side intelligent load balancing (ie it only queries past your ISP's DNS when it needs to). It wouldn't take a whole lot, since it only needs to be capable of a very minute series of transactions. You could throw in CRC codes and a verification system if people wanted to be extra paranoid about it.
Of course, ultimately you have to have some sort of root server. But in a distributed model, they could be essentially insulated from DOS attacks, because they just need to get the master list out to a few systems for it to propagate all over. There could be a redundant distribution mechanism whereby the root servers send the list out through normal channels, but also send it to some randomly selected servers by phone call as a backup. At that stage hosing the root servers (or more accurately their connections, I doubt anyone is gonna ping one of those things to lockup) would not only be difficult and dangerous, but pointless. You cut off its connection via the internet, but the list still gets out and immediately spreads to so many DNS servers you couldn't possibly shut them all down, and you would have to shut down most of the world's DNS servers to have any impact on users.
Ultimately it wouldn't change things too much, since we're already pretty insulated from these attacks. But it does have a nice "just in case" factor to prevent some megaworm or Y2k-style OS-pervasive glitch from knocking us on our butts. And it would take the wind out of the sails for a bunch of the script kiddies (and the odd genuine hacker) out there trying to crash the net, which is almost worth it in and of itself.
Now the skript kiddies are in with the government on the Conspiracy!
Here's a quick overview I found: http://www.pch.net/documents/tutorials/ipv4-anycast/ipv4-anycast.ppt
Now if we can just get all or most of the root-servers and gtld-servers moved to anycast, then there should be at least minor performance gains, and fairly large stability/resilience-to-DOS gains.
Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
So as the battle weary sys admins from UltraDNS finally get back home from fighting a DDOS attack....
Phone rings.
"Bob, the web server is under attack again, and this one's coming from all around the globe. Game over man, game over."
Slashdot's a bitch.
Why would they allow pinging anyways? Really, as a root DNS server, one would think that All they should allow are DNS queries and related. I suppose pinging might suck bandwidth, but just ignoring the pings helps on the server end?
Yep, the Weekly World News, home of Bat Boy and "Iraqi Submarines Prowling Lake Michigan", has a giant headline in the issue I just saw at the checkout stand: TERRORIST PLOT TO BLOW UP INTERNET ON 1-11!"
The subheads are:
* Computer virus will destroy US economy!
* The US Military will be paralyzed!
* Electricity, food and water supplies vanish!
Clearly, we're ignoring these attacks at our own peril, when as technical a publication as the Weekly World News has picked up the story.
(Back to reality, I literally burst out laughing and almost dropped my Mountain Dew when I saw that headline. Blow up "The Internet". Sounds like my daughter's friends... they come over and ask if her computer "has the Internet on it". No, it doesn't, but it has *access* to the Internet. "Oh, you mean AOL?" Grrr...)
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
I don't know much about the UltraDNS stuff.. as for the other thing:
7 of the 13 servers went down for a bit. And because of caching and redundancy this wasn't really a noticeable thing.
It might be, however, if a million Windows boxes commenced such an attack over days.
There was a lot of force behind the blow, but the punch wasn't aimed well.
What's bothersome is if this was used by someone who knew what they were doing. (That's assuming it was an attack and not a warning, or a test of some sort.)
However, if this had been an attack on Verisign's .com zone file then I suspect a rather large number of users would have experienced some rather large problems.
When it comes right down to it, I think the root operators are doing a pretty good job all things considered. (They're already approaching ways in which to protect themselves.)
Do you want to give control of an entire gTLD to one organization?
Hmm.. trolling for ICANN haters? I see no particular security problem with a central authority managing a TLD, provided that their backup servers are distributed widely in both the geographical and topological senses. We shouldn't confuse this particular issue with that of whether a central authority like ICANN should have the right to control who can and cannot create new TLDs.
So long, and thanks for all the Phish
If you visualize the Internet as a graph where lines represent each communication link, each computer has various numbers of lines to its neighbors.
Usually the systems which have the most connections are shown on such a graph as being deep inside the web. Those which have only one connection, such as home computers and others which use one ISP, tend to be a frilly edge all around the web.
"Securing the edge" means protecting against misbehavior of servers around the edge, particularly servers other than communication devices inside ISPs. A common example is ingress filtering, where an ISP rejects packets from customers when the origin address (the computer's IP address) is not one of the ISP's addresses; this shouldn't happen because the ISP knows the proper addresses of its customers. Ingress filtering keeps "the edge" from sending in garbage.
It's possible that the weird x.x.0.0 addresses were a programming bug (forgot to run a loop?), but my initial guess was that it was trying to trigger the old-style directed broadcasts (remember when all-zeros was the broadcast instead of all-ones?), guessing that many people have the sense to block all-ones directed broadcast.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
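The two edge controls named in this thread, source-address validation at the ISP edge (the access lists in the earlier "All ISP's should have access lists" post) and refusing directed broadcasts (including the old all-zeros form mentioned just above), as a small packet classifier. This is an added example, not code from either poster or from any router vendor; the prefixes and the five packets are constructed. `customer_nets` is the address space assigned to the interface the packet arrived on, and `local_nets` is the set of directly connected subnets the router could be asked to broadcast into.

```python
"""Ingress filtering (BCP 38 style) plus directed-broadcast blocking on sample packets.
Constructed lab data; not a real router configuration."""
import ipaddress

# Constructed: the customer behind this edge interface owns one /24.
CUSTOMER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# Constructed: a subnet directly attached to this router (a smurf reflector if open).
LOCAL_NETS = [ipaddress.ip_network("10.0.1.0/24")]

# Constructed sample traffic arriving on the customer interface.
PACKETS = [
    {"src": "198.51.100.7", "dst": "192.0.2.53"},   # legitimate, own address
    {"src": "203.0.113.9",  "dst": "192.0.2.53"},   # source not in customer space
    {"src": "198.51.100.7", "dst": "10.0.1.255"},   # directed broadcast, all-ones host
    {"src": "198.51.100.7", "dst": "10.0.1.0"},     # old-style broadcast, all-zeros host
    {"src": "198.51.100.7", "dst": "10.0.1.77"},    # ordinary host on the local net
]


def is_directed_broadcast(dst, local_nets):
    """True if dst is the all-ones or all-zeros host address of a connected subnet."""
    for net in local_nets:
        if dst in net and dst in (net.broadcast_address, net.network_address):
            return True
    return False


def classify(packet, customer_nets, local_nets):
    """Return ('accept', None) or ('drop', reason) for one packet."""
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    # Rule 1: traffic leaving the customer must carry a source the ISP assigned it.
    if not any(src in net for net in customer_nets):
        return "drop", "spoofed source"
    # Rule 2: never forward a packet addressed to a subnet's broadcast address.
    if is_directed_broadcast(dst, local_nets):
        return "drop", "directed broadcast"
    return "accept", None


def filter_packets(packets, customer_nets, local_nets):
    """Split packets into those forwarded and those dropped (with the reason)."""
    accepted, dropped = [], []
    for pkt in packets:
        verdict, reason = classify(pkt, customer_nets, local_nets)
        if verdict == "accept":
            accepted.append(pkt)
        else:
            dropped.append((pkt, reason))
    return accepted, dropped


if __name__ == "__main__":
    acc, drop = filter_packets(PACKETS, CUSTOMER_NETS, LOCAL_NETS)
    for pkt in acc:
        print("forward", pkt["src"], "->", pkt["dst"])
    for pkt, why in drop:
        print("drop   ", pkt["src"], "->", pkt["dst"], f"({why})")
```

The first rule is the one the earlier post asks every ISP to deploy: it does not stop a flood, but it stops the flood from carrying forged sources, which is what makes the zombies traceable and makes reflection attacks like smurf impossible to bounce through you. The second rule is why the all-zeros destinations in the captured traffic still matter: a router that only blocks the all-ones form is still a reflector for hosts that honour the old convention.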
Just kick over to Freenet, no DNS required.
;-)
Where am I gonna download a client without DNS?
Good luck with that once the newer trojans lock down the machines holes and install sshd to allow remote instruction.
Um, does the fact that I just suggested this make me a terrorist?
do not read this line twice.
Get one of the Freenet guys (or, if an EFF guy is willing to help out again, one of them) to point out that Freenet is the *ideal* protection against terrorist attacks on the information infrastructure of the United States.
Consider all the "security" grants that are being thrown left and right at companies. They're lapping up all those tax dollars in the form of government contracts. If Freenet can grab just one, that would fund development for a long, long time. Lots of improvements, and I'd have a hard time imagining a more worthy cause than a more robust, secure, attack-resistant, private system that makes for more efficient transfers over the network.
The overwhelming majority of my university's CS research funding comes from the Department of Defense. Freenet couldn't snag just a few of that flood of dollars going to organizations around the country?
4of12's suggestion would let the rootservers run a server that's only accessible from known (and presumably important) addresses, such as the DNS servers for the big ISPs. That would take care of the most important uses of DNS, since most people get their DNS queries answered by their ISP's servers, either from cache or from recursive queries. Letting the big ISPs do zone transfers from a protected net would preserve that. (Without zone transfers, an obvious attack is for the zombies to look for bogus000001.com, bogus000002.com, etc.)
Beyond that, DNS queries and zone transfers aren't the only way to send the information around. DNS A-record data compresses well (Unfortunately, DNSSEC data doesn't, and it's much bulkier.) And everybody wants the same data, so multicasting can be an efficient way to transmit it (using your favorite reliable-multicast application.) A back-of-the-envelope guess is that the dot-com namespace would compress to somewhere between 100-300MB, which would take 10-30kbps to transmit it in a day - and most of it has a TTL that's much longer, so you could handle it efficiently with incremental updates. Another alternative to multicast would be a peer-to-peer app that's designed for handling big files, like BitTorrent. (BitTorrent's designed more for static content rather than dynamic, so you'd need some file naming scheme for fetching today's version.)
Bill Stewart
is there any information on whether the DDOS attack on UltraDNS actually affected service?
The UltraDNS infrastructure has 16 or so machines on the same IP number. So it's harder to hit all of them. And it's not BIND, so it may be harder to bring down. (not sure it matters - the root DDOS didn't crash BIND either).
And of course UltraDNS is typically not serving all of the secondaries for a zone.
If anyone has real info....
Why kids, why not organized adults with financial resources?
The answer: WHY
Kids.. it's fun, it's destructive, it's a sense of power.. the reasons go on. I shouldn't have to explain them.. go back, I'm sure many of you can understand.
Adults.. and I'm not talking about big kids who never grew up here... need a financial reason to do this. Could organized, intelligent hackers with financial backing do some serious damage to the internet? You better believe it. What would they have to gain? Not much. Prison. Hatred. Being labeled as terrorists, maybe killed.
What are you going to do? Hold the Internet for ransom? I doubt it.
That's why this stuff is chiefly done by kids, not grownups.