Slashdot Mirror


DOS Attacks On DNS Provider

Greedo writes "Seems like UltraDNS was hit with a denial of service attack this weekend. Since these are the guys who are supposed to be running the .ORG DNS, and in light of recent attacks on the gTLD roots, attacks against DNS servers should be treated very seriously. What kind of protection can be had? What happens when an attack like this brings down an entire TLD? Do you want to give control of an entire gTLD to one organization? Read a follow-up discussion on comp.protocols.dns.std."

51 of 224 comments

  1. Why attack the DNS-servers? by 10Ghz · · Score: 5, Funny

    I mean, isn't that a bit counterproductive?

    "Yes, I brought the entire DNS-system crashing down! I'm l337! Now, all I have to do is to go online and brag about my exploits... Hmmm... There seems to be something wrong with my net-connection..."

    --
    Lesbian Nazi Hookers Abducted by UFOs and Forced Into Weight Loss Programs - -all next week on Town Talk.
    1. Re:Why attack the DNS-servers? by Anonymous Coward · · Score: 3, Funny

      if they're that 1337, they'll know all their favorite webpages by IP address.

    2. Re:Why attack the DNS-servers? by greechneb · · Score: 4, Interesting

      Not when you are trying to make a political statement. I don't know if anyone has claimed responsibility for this yet, or if anyone will. But it would be a great way to scare the general public. It won't necessarily be as terrifying as hijacking planes, but it can spread some fear into many people. (mainly IT types)

      But as the world becomes more dependent on the internet, expect more attacks to resemble this one. Take down the infrastructure, and watch the rest tumble without it.

      Plus you don't have to commit suicide to terrorize the public. - Of course that means no virgins for you by dying in a holy war...

    3. Re:Why attack the DNS-servers? by 4of12 · · Score: 5, Insightful

      isn't that a bit counterproductive?

      Absolutely.

      OTOH, if you were in the business of providing a spoofed name service, then this would be the first step in doing so.

      At any rate, it sure seems like access to a critical top level DNS should be filtered to a big white list of mirror machines, which could then handle general purpose inquiries.

      That, or increase the number of TLDs, but that's already an insolubly bad political problem.

      --
      "Provided by the management for your protection."
    4. Re:Why attack the DNS-servers? by unger · · Score: 3, Interesting

      Or even more likely, IMHO, if you were a competitor of UltraDNS.

      So the question to ask is, "who would benefit from the demise of UltraDNS?"

    5. Re:Why attack the DNS-servers? by Anonymous Coward · · Score: 3, Informative

      My employer, apparently, has expected something like this to occur. Starting last summer, we have been modifying all of the unix hosts on the network to hard-code in the locations of the important hosts in the network: /etc/hosts now has the mailservers, webservers, etc, for all of the local network.

      The rationale behind this is simple: the dns boxes get dumb quite quickly when they lose their upstream connection. Once this happens, the dns for everything starts to fail, and even the internal hosts start having problems communicating. By using /etc/hosts and caching nameservers on all the hosts, we can delay (if not prevent) the stupidity that comes from the upstream dns being unreachable.

    6. Re:Why attack the DNS-servers? by Blkdeath · · Score: 5, Insightful
      But it would be a great way to scare the general public. It won't necessarily be as terrifying as hijacking planes, but it can spread some fear into many people. (mainly IT types)

      Actually, the last DoS attack on the root nameservers sucked, but it didn't frighten IT people. The only people things like this frighten are Average Joe Consumer types who don't really understand how these things work. For them, the "web" is the "Internet", and anything that affects "the web" could bring down the whole Internet (as if it's just a few computers in a lab somewhere that can be shut down like shutting off a light switch).

      The DNS system was designed for redundancy; if it can withstand a direct nuclear attack on 60% of its facilities (viz. 6-7 of the root servers), it can withstand a DoS attack. Considering the upstream providers of each of the root servers are responsive enough to throttle the traffic to a more reasonable level, and the caching, hierarchical nature of the DNS system (except for mickey-mouse systems who query the root nameservers only with no fallback support), it would take days to notice an outage. In that time, the root servers could set up spare boxes and have the system back up and running with relatively minimal disruption.

      To truly affect the operation of "the internet" as a whole, a DDoS attack would have to be sustained for days on end.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    7. Re:Why attack the DNS-servers? by Desert+Raven · · Score: 4, Interesting

      The rationale behind this is simple: the dns boxes get dumb quite quickly when they lose their upstream connection. Once this happens, the dns for everything starts to fail, and even the internal hosts start having problems communicating.

      I'd say it's your DNS administrators that are dumb. I've been maintaining DNS systems for years, and I've never had a DNS server so much as hesitate to serve authoritative addresses, no matter what was happening to the upstream connection.

    8. Re:Why attack the DNS-servers? by Idarubicin · · Score: 4, Insightful
      Not when you are trying to make a political statement. I don't know if anyone has claimed responsibility for this yet, or if anyone will. But it would be a great way to scare the general public. It won't necessarily be as terrifying as hijacking planes, but it can spread some fear into many people. (mainly IT types)

      Nobody has yet claimed responsibility. Makes it sound kind of noble, doesn't it? What nobody has yet done is admitted guilt. I have always taken extreme exception to the media's convention that terrorists and criminals claim responsibility for murder. It's not a prize. Confessed to slaughter or declared lack of conscience or asserted no concern for fellow human beings might be more appropriate. Criminals shouldn't be allowed--or worse, invited--to claim responsibility, only admit guilt.

      --
      ~Idarubicin
    9. Re:Why attack the DNS-servers? by CoolVibe · · Score: 3, Informative

      No problem!

      Watch and learn:

      $ telnet 1.2.3.4 80
      Connected to 1.2.3.4...
      GET / HTTP/1.1
      Host: www.somesite.org
      [enter]
      [enter]
      [stream of html follows]

      Easy no?

    10. Re:Why attack the DNS-servers? by delta407 · · Score: 3, Informative
      At any rate, it sure seems like access to a critical top level DNS should be filtered to a big white list of mirror machines, which could then handle general purpose inquiries.

      Sorta like section 3.3.4 of RFC 2870?

      3.3.4 A 'hidden primary' server, which only allows access by the
      authorized secondary root servers, MAY be used.

      Besides which, a lot of the beefy top-level DNS servers are actually a bunch of identical servers behind some load balancing solution, so this makes a whole lot of sense.
  2. Good thing MS is killing DOS in december by Streiff · · Score: 5, Funny

    Good thing MS is killing DOS in december. It's way too violent these days.

  3. Not that dangerous... by Anonymous Coward · · Score: 3, Informative

    It's not that big of a deal, since most people's DNS requests never reach the TLD servers. Instead they're handled by a mirror at a lower point on the tree.

    But, still, we should catch these DOSers and throw them into a federal pound-me-in-the-ass prison.

    Damned arab terrorist scum! Down with Saudi Arabia!!!

    1. Re:Not that dangerous... by zsazsa · · Score: 3, Informative

      It's not that big of a deal, since most people's DNS requests never reach the TLD servers. Instead they're handled by a mirror at a lower point on the tree.

      The most recent attack wasn't on the root nameservers, it was on UltraDNS, which is a large-scale commercial DNS hosting provider. A lot of big sites rely on their DNS service.

  4. .ORG TLD... by AyeRoxor! · · Score: 5, Funny

    Thought you would find this funny:

    In IE, I entered ORG and hit enter, just to see what would happen. Although highly unlikely, they could arrange some page there. Instead, MS search brought up a list of possible alternatives. Number one on the list?

    Mozilla.org

    Thanks, Bill :)

    1. Re:.ORG TLD... by devnullkac · · Score: 5, Funny

      In IE, I entered ORG and hit enter, just to see what would happen. Number one on the list? Mozilla.org

      I just tried the same thing. Number two on the list?

      Slashdot
      Number three?
      Linux Online

      Somebody at MSN likes us.

      --
      What do you mean they cut the power? How can they cut the power, man? They're animals!
  5. Oh the irony by fo0bar · · Score: 4, Funny

    The ad at the top of the /. homepage was for UltraDNS as I was reading this story. Any publicity is good publicity, I guess...

  6. Very surprising by ekrout · · Score: 5, Informative

    I have seen the UltraDNS ads here at Slashdot and thusly decided to read up on their techniques as well.

    Basically, they urge large important Web sites to outsource its DNS needs to another company (them). Before this DOS attack on their servers, they provided near perfect stability, security, and performance. If I recall correctly, Hotmail, Forbes, and Oracle have already used the services of UltraDNS.

    It's a shame that such a wonderful resource (the Internet) is so often abused by a few rowdy hackers and trolls.

    Here is a whitepaper that describes their services in depth and explains the reasons for outsourcing one's DNS needs.

    --

    If you celebrate Xmas, befriend me (538
    1. Re:Very surprising by swb · · Score: 3, Insightful

      I never quite got the whole outsourced DNS thing.

      Is it a question of just providing global geographic and network diversity for a site's nameservice, or is there something here that I'm missing?

      If I was example.com and I had an office in two locations with a T1 in each, NY and LA, and I had three NS records, ns-la.example.com, ns-ny.example.com and ns.myisp.com, what are they going to offer me that I don't already have?

      Proprietary firewall technology? OC-192s to 10 providers? Some home-brewed nameserver software more immune to hack attacks? Some kind of latency measure that replies with better A records?

      They're all nice, but they're all expensive, although maybe I'm missing out on something I should have.

    2. Re:Very surprising by Johannes · · Score: 5, Informative

      Disclaimer: I used to work at UltraDNS until a couple of months ago when I was laid off.

      The service provides a couple of advantages:

      Better latency. They use an anycast routing network which guarantees that a query to their DNS servers will be received and answered by the closest server based on the network topology. Even though there are only 2 published IPs for nameservers, there are some 16 servers scattered around the globe to answer on those IPs.

      Near real time database updates. They use an Oracle advanced replication network to get updates out to the other servers in near real time.

      Proprietary software. The only significant advantage here is that it's not BIND.

      All in all, it's about as good as DNS will get. Do you need it for your personal domain? Hardly. Do you need it for a popular domain like slashdot.org? Probably not.

      It works best for really large and really popular zones, like TLDs.

      However, it's still going to be better (albeit not as significantly) for your personal domain too.

      Anyway, bandwidth isn't really the issue with DNS. It's latency and availability.

      The problem with your example is that chances are, your DNS server in LA will be getting queries for Europe, which isn't all that ideal. Once again, is it that important? Not really.

      But it will work obviously.

  7. Source and motivation by sphealey · · Score: 5, Interesting

    You are assuming that the specific attacks on the DNS servers are being carried out by kids and "young dudes" working by themselves for the thrill of it.

    Whereas these attacks, as well as some of the worms that have surfaced recently, strike me more as testing of new techniques and probing of defenses by an organized group that is working on techniques to cause widespread disruption.

    sPh

    1. Re:Source and motivation by curtisk · · Score: 5, Insightful

      well said....ppl automatically jump to the "it's just a bunch of script-kiddies" mentality....there may a HELL of a wake-up call some day....

      --

      Dear toilet user!

    2. Re:Source and motivation by FuzzyDaddy · · Score: 3, Insightful

      Whereas these attacks, as well as some of the worms that have surfaced recently, strike me more as testing of new techniques and probing of defenses by an organized group that is working on techniques to cause widespread disruption.

      Frightening as it is, I would agree with you. It seems that bragging rights would be much better for taking down amazon, yahoo, msn, or some other big name company. Attacks on infrastructure components which are not widely known to the public at large do strike me as a probe to see where the vulnerabilities of the network lie.

      After this period of explosive internet growth, we need to start addressing the vulnerabilities of the network. Whether the network can still withstand a massive physical attack or not, we know it is vulnerable to network attacks. I had a friend who used to work for MIT Lincoln Labs; he told me there were at least a dozen ways to take down the internet.

      --
      It's not wasting time, I'm educating myself.
    3. Re:Source and motivation by kir · · Score: 3, Funny

      I had a friend who used to work for MIT Lincoln Labs, he told me there were at least a dozen ways to take down the internet.

      I had a friend who worked for Dunkin Donuts that told me the same thing.

      --
      3cx.org - A truly bad website.
  8. All the protection *I* need... by Anonymous Coward · · Score: 4, Funny

    is the following line in my hosts

    66.35.250.150 slashdot.org :)

  9. Re:Shameless plug for UltraDNS by Gothmolly · · Score: 3, Informative

    Then there's ZoneEdit, which is Free-as-in-beer for the first 5 zones. w00t!

    --
    I want to delete my account but Slashdot doesn't allow it.
  10. not just UltraDNS - others too by martin · · Score: 4, Informative


    Seems this was a distributed DDoS (DDDOS - sounds like a stammer :-), many people got this..

    http://www.merit.edu/mail.archives/nanog/msg05349.html

  11. It's not a problem by Ted_Green · · Score: 5, Insightful

    If you're using an alternative root server.

    And in all honesty, I would say that if the "official" root servers can't protect themselves, they really have no business being root servers (TLD or otherwise) in the first place.

  12. Re:Shameless plug for UltraDNS by nochops · · Score: 4, Interesting

    I've been using UltraDNS for more than 2 years now, and I'm also nothing but happy with them.

    You're right about their ease of use, it's definitely a strong point.

    I've never had any issues with them, and come to think of it, I didn't have any problems this weekend either. In fact, I got -more- spam than usual, so I'm going to assume that if the spammers didn't have a problem resolving my domain name, neither did anyone else.

    --
    "A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
  13. Re:ISOC? by Anonymous Coward · · Score: 4, Informative

    Afilias uses UltraDNS for their DNS Infrastructure. It was in the proposal. Here's the link to the UltraDNS press release.

    http://www.ultradns.com/news/021028.html

  14. Is it realistic? by Itsik · · Score: 3, Interesting

    I truly question whether it is realistic to bring the entire system down. There are so many servers around the world that offer a redundant service to those servers that it would be hard to actually "feel" that the root DNS server is no longer available. Which gives whoever quite a bit of time to be able to bring the affected system back up.

  15. Bringing down the TLD? by Alethes · · Score: 3, Insightful

    How badly can attacking the root DNS servers affect the Internet experience since DNS is so decentralized? If the root server is down, that doesn't prevent the thousands of immediate DNS servers from being able to resolve domain names for the users, right? It seems like it'd only be able to prevent the propagation of new domain names. What gives?

    1. Re:Bringing down the TLD? by Shimbo · · Score: 3, Insightful

      How badly can attacking the root DNS servers affect the Internet experience since DNS is so decentralized?

      DNS isn't really that decentralized. OK, you don't need access to the root zone itself that often. It's the big TLDs like .com and .org that are the big problem. And yes, if you have a good infrastructure it will be cached somewhere upstream. However, some proportion of these will time out if the DDOS is sustained for any length of time.

      For DHCP say, you refresh before the timeout, so there is a minimum downtime of your DHCP server before the client's lease times out altogether. AFAIK, for DNS when the TTL expires that's it; so some sites will start dropping out of the cache as soon as authoritative DNS becomes unavailable.

  16. DNS Servers by sjanich · · Score: 4, Informative

    It is more than just a few servers.

    Generally each "server" has multiple separate internet connections. The server itself is usually a set of two or more machines acting as one. The servers are distributed around the internet. They are not concentrated in one place either geographically, or network topographically.

  17. Re:Maybe not a DoS? by cmdr_beeftaco · · Score: 3, Funny

    I used to work for a large internet company in Virginia; we used to do these types of things all the time. It is a dirty little secret of the hosting community that large amounts of funds are currently being channeled to companies that suffer large scale attacks to strengthen their infrastructure. I know from personal experience that these government kickbacks are sometimes abused by recipients.

    Not only are the hosting companies after the anti-terror funds. The sysadmins orchestrate these 'attacks' to gain 'relations' with the investigating FBI Special Agents. If you have not seen the women agents in the FBI's Computer Crimes Division, do yourself a huge favor. Most of these 'attacks' originated from internal addresses and it was typically one of the sysadmin's birthday treats. I personally have gotten '7-digits' from these agents on numerous occasions and one of these lucky agents will be the mother of my children.

  18. Re:From the author of qmail comes.... by dbretton · · Score: 5, Informative

    From the DJBDNS page...

    Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)

    Seems to me like DJBDNS wouldn't help a lick!

    -D

  19. everydns by Wakkow · · Score: 4, Interesting

    Otherwise, you can use everydns.net for free which runs a nice djbdns setup behind a very clean interface and only asks for donations.

  20. Re:From the author of qmail comes.... by dohcvtec · · Score: 5, Insightful

    Enough said

    Not really... what are you trying to say? Can DJBDNS prevent thousands of trojaned Windows systems from pinging it incessantly? I didn't think so, and you had no point.

    --
    -- Never hit a man with glasses. Hit him with a baseball bat.
  21. Re:Progress? by zmalone · · Score: 3, Insightful

    I realize that this is probably a troll, but if you really are clueless, I guess I'll fill you in. DNS does not replace the IP system, it expands upon it. If the DNS hierarchy were to disappear there would be no negative effect upon the internet, you would just lose the ability to use symbolic names. If you really want to remove that "weak" link, you're welcome to use IPs, and if the DNS fails, you can continue operating as normal. I personally think missing net access every once in a while is far less bothersome than memorizing IP addresses or adding them to my hosts file.

  22. There's something at internettrafficreport.com by Jugalator · · Score: 5, Informative

    Look at this, especially that huge packet loss spike at 11/24...

    Seems suspicious, although that site hasn't put up any news about it like they did with the major DNS attack a couple of weeks ago.

    --
    Beware: In C++, your friends can see your privates!
  23. Dan Bernstein by tuxlove · · Score: 4, Insightful

    Reading that Usenet thread was ugly. Dan Bernstein has the unsurpassed ability to present (often) good ideas while being a complete prick.

    Dan, you want people to take you more seriously, try being human once in a while. You don't need to prove just how damn intelligent you are by beating other people over the head with their own "ignorance". You might want to work on your own ignorance in the social skills department first.

    That said, transmitting the entire root zone over Usenet and other means sounds like a good suggestion. I hope you can start sounding like less of a lunatic so people will listen to the idea.

    1. Re:Dan Bernstein by SiliconEntity · · Score: 4, Interesting

      I met Bernstein briefly, and he seemed like a nice guy in person. He's relatively young, 30-ish, and soft spoken. But online he comes off as some kind of know-it-all curmudgeon.

      Personally I liked the suggestion in the Usenet thread to return expired DNS cache data when the authoritative servers are unreachable, at least as an option. 99% of the time when you can't do a host lookup, the old cached data would still be right. All the DNS purists hated the idea of using expired data, like it's unclean or something. But if it's all you've got, isn't it better to use old information than to give up on letting the net work at all?
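      The two resolver behaviours argued over above (Shimbo's point that names drop out of the cache the moment their TTL expires while the authoritative server is unreachable, and SiliconEntity's suggestion to hand back the expired answer instead) side by side in a small simulation. This is an added example, not code from the thread or from any resolver; the zone, addresses, TTLs and the FakeAuthoritative/FakeClock stand-ins are constructed. The "serve stale" idea was later standardised (RFC 8767), with the same two safeguards shown here: try a refresh first, and cap how old a stale answer may be.

      ```python
      import time
      from dataclasses import dataclass
      from typing import Dict, Tuple


      class UpstreamUnavailable(Exception):
          """The authoritative (or upstream) server did not answer, e.g. during a DDoS."""


      @dataclass
      class CacheEntry:
          address: str
          expires_at: float  # clock value at which the record's TTL runs out


      class StaleTolerantCache:
          """Minimal caching resolver for one record type.

          lookup(name) returns (address, ttl_seconds) or raises UpstreamUnavailable.
          serve_stale=False is the classic behaviour described in the thread: once the
          TTL expires and upstream is down, the name is simply gone from the cache.
          serve_stale=True returns the expired answer as a last resort, but only after
          a refresh attempt fails and only up to max_stale seconds past expiry.
          """

          def __init__(self, lookup, serve_stale=False, max_stale=86400.0, clock=time.monotonic):
              self.lookup = lookup
              self.serve_stale = serve_stale
              self.max_stale = max_stale
              self.clock = clock
              self.entries: Dict[str, CacheEntry] = {}

          def resolve(self, name: str) -> Tuple[str, str]:
              """Return (address, source) where source is 'fresh', 'refreshed' or 'stale'."""
              now = self.clock()
              entry = self.entries.get(name)
              if entry is not None and now < entry.expires_at:
                  return entry.address, "fresh"           # within TTL: answer from cache
              try:
                  address, ttl = self.lookup(name)         # TTL expired or unknown: ask upstream
              except UpstreamUnavailable:
                  if (self.serve_stale and entry is not None
                          and now - entry.expires_at <= self.max_stale):
                      return entry.address, "stale"       # expired, but better than nothing
                  raise                                    # classic behaviour: hard failure
              self.entries[name] = CacheEntry(address, now + ttl)
              return address, "refreshed"


      class FakeAuthoritative:
          """Constructed stand-in for an authoritative server that can be knocked offline."""

          def __init__(self, zone: Dict[str, Tuple[str, int]]):
              self.zone = zone      # name -> (address, TTL seconds)
              self.online = True

          def __call__(self, name: str) -> Tuple[str, int]:
              if not self.online:
                  raise UpstreamUnavailable(name)
              return self.zone[name]


      class FakeClock:
          """Constructed clock so the outage can be stepped through deterministically."""

          def __init__(self):
              self.t = 0.0

          def __call__(self) -> float:
              return self.t

          def advance(self, seconds: float) -> None:
              self.t += seconds


      def run_outage_scenario(serve_stale: bool):
          """Populate the cache, let the TTL lapse during an upstream outage, record what happens."""
          auth = FakeAuthoritative({"www.example.org": ("192.0.2.10", 300)})  # constructed zone
          clock = FakeClock()
          cache = StaleTolerantCache(auth, serve_stale=serve_stale, max_stale=3600, clock=clock)
          results = [cache.resolve("www.example.org")]     # first query populates the cache
          auth.online = False                              # the DDoS starts
          clock.advance(100)
          results.append(cache.resolve("www.example.org"))  # still inside the 300 s TTL
          for gap in (300, 7200):                           # 100 s past expiry, then far beyond max_stale
              clock.advance(gap)
              try:
                  results.append(cache.resolve("www.example.org"))
              except UpstreamUnavailable:
                  results.append(("unresolvable", "failed"))
          return results


      if __name__ == "__main__":
          for mode in (False, True):
              print("serve_stale =", mode, run_outage_scenario(mode))
      ```

      In the classic mode the third lookup fails as soon as the TTL lapses; with serve_stale the same lookup returns the old address marked 'stale', and only the fourth, beyond max_stale, fails.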

  24. ISP's responsibility. by jwdeff · · Score: 4, Insightful

    All ISP's should have access lists on their routers allowing traffic out only if the source address is within their network. Directed Broadcasts should be turned off to limit smurf attacks. This itself would cut the problem ten fold.

  25. Nukes and Freenet by 0x0d0a · · Score: 5, Insightful

    For them, the "web" is the "Internet", and anything that affects "the web" could bring down the whole Internet

    Just one thought -- does Freenet use DNS at all? I *think* it doesn't. Because if not, it provides an existing, easy-to-migrate-to solution in case of such a catastrophic event. Just kick over to Freenet, no DNS required.

    The DNS system...can withstand a direct nuclear attack on 60% of its facilities

    As opposed to, say, those pesky indirect nuclear attacks? :-)

  26. Time for a new model by laigle · · Score: 5, Interesting

    Given these attacks, maybe it's time to shift the DNS model to something more distributed. Say a P2P network of all the DNS servers, which would feature client side intelligent load balancing (ie it only queries past your ISP's DNS when it needs to). It wouldn't take a whole lot, since it only needs to be capable of a very minute series of transactions. You could throw in CRC codes and a verification system if people wanted to be extra paranoid about it.

    Of course, ultimately you have to have some sort of root server. But in a distributed model, they could be essentially insulated from DOS attacks, because they just need to get the master list out to a few systems for it to propagate all over. There could be a redundant distribution mechanism whereby the root servers send the list out through normal channels, but also send it to some randomly selected servers by phone call as a backup. At that stage hosing the root servers (or more accurately their connections, I doubt anyone is gonna ping one of those things to lockup) would not only be difficult and dangerous, but pointless. You cut off its connection via the internet, but the list still gets out and immediately spreads to so many DNS servers you couldn't possibly shut them all down, and you would have to shut down most of the world's DNS servers to have any impact on users.

    Ultimately it wouldn't change things too much, since we're already pretty insulated from these attacks. But it does have a nice "just in case" factor to prevent some megaworm or Y2k-style OS-pervasive glitch from knocking us on our butts. And it would take the wind out of the sails for a bunch of the script kiddies (and the odd genuine hacker) out there trying to crash the net, which is almost worth it in and of itself.

    1. Re:Time for a new model by MavEtJu · · Score: 3, Insightful

      Say a P2P network of all the DNS servers, which would feature client side intelligent load balancing (ie it only queries past your ISP's DNS when it needs to).

      Set your nameserver to forward all your request to your ISP's DNS instead of having a .-hinted-zone.

      Of course, ultimately you have to have some sort of root server. But in a distributed model, they could be essentially insulated from DOS attacks, because they just need to get the master list out to a few systems for it to propagate all over.

      Isn't that what we have now?

      --
      bash$ :(){ :|:&};:
  27. There is an elegant solution by lazlo · · Score: 5, Interesting

    There is an elegant solution that seems tailor-made for this particular problem (i.e., massive bandwidth DDOS of a small number of servers serving a stateless udp-based service). It's called anycast, and it's being used successfully now. An excellent example of its use is the AS112 project.

    Here's a quick overview I found: http://www.pch.net/documents/tutorials/ipv4-anycast/ipv4-anycast.ppt

    Now if we can just get all or most of the root-servers and gtld-servers moved to anycast, then there should be at least minor performance gains, and fairly large stability/resilience-to-DOS gains.

    --
    Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
    1. Re:There is an elegant solution by ahpeterson · · Score: 3, Interesting

      Interesting that you should mention anycast. UltraDNS has actually been using anycast ever since the system was initially brought online (early 1999).

  28. Doh! by spruce · · Score: 5, Funny

    So as the battle weary sys admins from UltraDNS finally get back home from fighting a DDOS attack....

    Phone rings.

    "Bob, the web server is under attack again, and this one's coming from all around the globe. Game over man, game over."

    Slashdot's a bitch.

  29. OMG! The Weekly World News was right! by RobertB-DC · · Score: 3, Funny

    Yep, the Weekly World News, home of Bat Boy and "Iraqi Submarines Prowling Lake Michigan", has a giant headline in the issue I just saw at the checkout stand: "TERRORIST PLOT TO BLOW UP INTERNET ON 1-11!"

    The subheads are:
    * Computer virus will destroy US economy!
    * The US Military will be paralyzed!
    * Electricity, food and water supplies vanish!

    Clearly, we're ignoring these attacks at our own peril, when as technical a publication as the Weekly World News has picked up the story.

    (Back to reality, I literally burst out laughing and almost dropped my Mountain Dew when I saw that headline. Blow up "The Internet". Sounds like my daughter's friends... they come over and ask if her computer "has the Internet on it". No, it doesn't, but it has *access* to the Internet. "Oh, you mean AOL?" Grrr...)

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  30. Re:The Edge of the Internet by SEWilco · · Score: 4, Informative

    Can someone explain exactly what 'the edge' refers to?

    If you visualize the Internet as a graph where lines represent each communication link, each computer has various numbers of lines to its neighbors.

    Usually the systems which have the most connections are shown on such a graph as being deep inside the web. Those which have only one connection, such as home computers and others which use one ISP, tend to be a frilly edge all around the web.

    "Securing the edge" means protecting against misbehavior of servers around the edge, particularly servers other than communication devices inside ISPs. A common example is ingress filtering, where an ISP rejects packets from customers when the origin address (the computer's IP address) is not one of the ISP's addresses; this shouldn't happen because the ISP knows the proper addresses of its customers. Ingress filtering keeps "the edge" from sending in garbage.
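    The two edge-router controls named in this thread (jwdeff's "allow traffic out only if the source address is within their network" plus disabling directed broadcasts, and the ingress filtering SEWilco describes) as a decision function run over a few constructed packets. This is an added example, not code from the thread or from any router vendor; the Packet and EdgeRouterPolicy classes and the RFC 5737 documentation addresses are assumptions made up for the illustration.

    ```python
    import ipaddress
    from collections import Counter
    from dataclasses import dataclass
    from typing import Dict, Iterable, Tuple


    @dataclass(frozen=True)
    class Packet:
        src: str    # source IP as written in the header (may be forged by the sender)
        dst: str    # destination IP
        proto: str  # "icmp", "udp", ... (informational only)


    class EdgeRouterPolicy:
        """Checks an ISP's customer-facing router applies before forwarding a packet."""

        def __init__(self, customer_prefixes: Iterable[str], attached_subnets: Iterable[str]):
            # Address space the ISP actually assigned to the customers behind this router.
            self.customer_nets = [ipaddress.ip_network(p) for p in customer_prefixes]
            # Subnets directly attached to the router: a packet aimed at one of their
            # broadcast addresses is a "directed broadcast", the smurf amplification vector.
            self.attached = [ipaddress.ip_network(s) for s in attached_subnets]

        def check(self, pkt: Packet) -> Tuple[str, str]:
            """Return ("accept" | "drop", reason)."""
            src = ipaddress.ip_address(pkt.src)
            dst = ipaddress.ip_address(pkt.dst)
            # Ingress filter: the ISP knows its customers' addresses, so any other
            # source address arriving from the customer side is forged and is dropped.
            if not any(src in net for net in self.customer_nets):
                return "drop", "source %s not in customer address space" % src
            # Directed broadcasts off: never deliver to a subnet's broadcast address.
            if any(dst == net.broadcast_address for net in self.attached):
                return "drop", "directed broadcast to %s" % dst
            return "accept", "ok"


    def summarize(policy: EdgeRouterPolicy, packets: Iterable[Packet]) -> Dict[str, int]:
        """Count accept/drop verdicts over a batch of packets."""
        return dict(Counter(policy.check(p)[0] for p in packets))


    # Constructed sample: customers live in 203.0.113.0/24, 198.51.100.0/24 is attached.
    POLICY = EdgeRouterPolicy(customer_prefixes=["203.0.113.0/24"],
                              attached_subnets=["198.51.100.0/24"])
    SAMPLE_PACKETS = [
        Packet("203.0.113.7", "198.51.100.5", "udp"),     # ordinary customer traffic: accept
        Packet("192.0.2.9", "198.51.100.5", "icmp"),      # source outside customer space: drop
        Packet("203.0.113.8", "198.51.100.255", "icmp"),  # echo to a subnet broadcast: drop
        Packet("203.0.113.9", "198.51.100.7", "icmp"),    # unicast echo, genuine source: accept
    ]

    if __name__ == "__main__":
        for p in SAMPLE_PACKETS:
            print(p.src, "->", p.dst, POLICY.check(p))
        print(summarize(POLICY, SAMPLE_PACKETS))
    ```

    The same ingress rule, applied by every ISP, is what removes forged source addresses from the floods discussed in this story; the directed-broadcast rule removes the amplifiers.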