Slashdot Mirror

← Back to Stories (view on slashdot.org)

DOS Attacks On DNS Provider

Posted by ryuzaki0 on from the going-after-the-big-boys dept.

Greedo writes "Seems like UltraDNS was hit with a denial of service attack this weekend. Since these are the guys who are supposed to be running the .ORG DNS, and in light of recent attacks on the gTLD roots, attacks against DNS servers should be treated very seriously. What kind of protection can be had? What happens when an attack like this brings down an entire TLD? Do you want to give control of an entire gTLD to one organization? Read a follow-up discussion on comp.protoocols.dns.std."

32 of 224 comments (clear)

  1. Why attack the DNS-servers? by 10Ghz · · Score: 5, Funny

    I mean, isn't that a bit counterproductive?

    "Yes, I brought the entire DNS-system crashing down! I'm l337! Now, all I have to do is to go online and brag about my exploits... Hmmm... There seems to be something wrong with my net-connection..."

    --
    Lesbian Nazi Hookers Abducted by UFOs and Forced Into Weight Loss Programs - -all next week on Town Talk.
    1. Re:Why attack the DNS-servers? by greechneb · · Score: 4, Interesting

      Not when you are trying to make a political statement. I don't know if anyone has claimed responsibility for this yet, or if anyone will. But it would be a great way to scare the general public. It won't necessarily be as terrifying as hijacking planes, but it can spread some fear into many people. (mainly IT types)

      But as the world becomes more dependant on the internet, expect more attacks to resemble this one. Take down the infrastructure, and watch the rest tumble without it.

      Plus you don't have to commit suicide to terrorize the public. - Of course that means no virgins for you by dying in a holy war...

    2. Re:Why attack the DNS-servers? by 4of12 · · Score: 5, Insightful

      isn't that a bit counterproductive?

      Absolutely.

      OTOH, if you were in the business of providing a spoofed name service, then this would be the first step in doing so.

      At any rate, it sure seems like access to a critical top level DNS should be filtered to a big white list of mirror machines, which could then handle general purpose inquiries.

      That, or increase the number of TLDs, but that's already an insolubly bad political problem.

      --
      "Provided by the management for your protection."
    3. Re:Why attack the DNS-servers? by Blkdeath · · Score: 5, Insightful
      But it would be a great way to scare the general public. It won't necessarily be as terrifying as hijacking planes, but it can spread some fear into many people. (mainly IT types)
      Actually, the last DoS attack on the root nameservers sucked, but it didn't frighten IT people. The only people things like this frighten are Average Joe Consumer types who don't really understand how these things work. For them, the "web" is the "Internet", and anything that affects "the web" could bring down the whole Internet (as if it's just a few computers in a lab somewhere that can be shut down like shutting off a light switch).

      The DNS system was designed for redundancy; if it can withstand a direct nuclear attack on 60% of its facilities (vis; 6-7 of the root servers), it can withstand a DoS attack. Considering the upstream providers of each of the root servers are responsive enough to throttle the traffic to a more reasonable level, and the caching, heirarchal nature of the DNS system (except for mickey-mouse systems who query the root nameservers only with no fallback support), it would take days to notice an outage. In that time, the root servers could set up spare boxes and have the system back up and running with relatively minimal disruption.

      To truly affect the operation of "the internet" as a whole, a DDoS attack would have to be sustained for days on end.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    4. Re:Why attack the DNS-servers? by Desert+Raven · · Score: 4, Interesting

      The rationale behind this is simple: the dns boxes get dumb quite quickly when they lose their upstream connection. Once this happens, the dns for everything starts to fail, and even the internal hosts start having problems communicating.

      I'd say it's your DNS administrators that are dumb. I've been maintaining DNS systems for years, and I've never had a DNS server so much as hesitate to serve authoritative addresses, no matter what was happening to the upstream connection.

    5. Re:Why attack the DNS-servers? by Idarubicin · · Score: 4, Insightful
      Not when you are trying to make a political statement. I don't know if anyone has claimed responsibility for this yet, or if anyone will. But it would be a great way to scare the general public. It won't necessarily be as terrifying as hijacking planes, but it can spread some fear into many people. (mainly IT types)

      Nobody has yet claimed responsibility. Makes it sound kind of noble, doesn't it? What nobody has yet done is admitted guilt. I have always taken extreme exception to the media's convention that terrorists and criminals claim responsibility for murder. It's not a prize. Confessed to slaughter or declared lack of conscience or asserted no concern for fellow human beings might be more appropriate. Criminals shouln't be allowed--or worse, invited--to claim responsibility, only admit guilt.

      --
      ~Idarubicin
  2. Good thing MS is killing DOS in december by Streiff · · Score: 5, Funny

    Good thing MS is killing DOS in december. It's way
    too violent these days.

  3. .ORG TLD... by AyeRoxor! · · Score: 5, Funny

    Thought you would find this funny:

    In IE, I entered ORG and hit enter, just to see what would happen. Although highly unlikely, they could arrange some page there. Instead, MS search brough up a list of possible alternatives. Number one on the list?

    Mozilla.org

    Thanks, Bill :)

    1. Re:.ORG TLD... by devnullkac · · Score: 5, Funny
      In IE, I entered ORG and hit enter, just to see what would happen. Number one on the list? Mozilla.org

      I just tried the same thing. Number two on the list?

      Slashdot
      Number three?
      Linux Online

      Somebody at MSN likes us.

      --
      What do you mean they cut the power? How can they cut the power, man? They're animals!
  4. Oh the irony by fo0bar · · Score: 4, Funny

    The ad at the top of the /. homepage was for UltraDNS as I was reading this story. Any publicity is good publicity, I guess...

  5. Very surprising by ekrout · · Score: 5, Informative

    I have seen the UltraDNS ads here at Slashdot and thusly decided to read up on their techniques as well.

    Basically, they urge large important Web sites to outsource its DNS needs to another company (them). Before this DOS attack on their servers, they provided near perfect stability, security, and performance. If I recall correctly, Hotmail, Forbes, and Oracle have already used the services of UltraDNS.

    It's a shame that such a wonderful resource (the Internet) is so often abused by a few rowdy hackers and trolls.

    Here is a whitepaper that describes their services in depth and explains the reasons for outsourcing one's DNS needs.

    --

    If you celebrate Xmas, befriend me (538
    1. Re:Very surprising by Johannes · · Score: 5, Informative

      Disclaimer: I used to work at UltraDNS until a couple of months ago when I was laid off.

      The service provides a couple of advantages:

      Better latency. They use an anycast routing network which guarantees that a query to their DNS servers will be received and answered by the closest server based on the network topology. Even though there is only 2 published IP's for nameservers. There are some 16 servers scattered around the globe to answer on those IP's.

      Near real time database updates. They use an Oracle advanced replication network to get updates out to the other servers in near real time.

      Proprietary software. The only significant advantage here is that it's not BIND.

      All in all, it's about as good as DNS will get. Do you need it for your personal domain? Hardly. Do you need it for a popular domain like slashdot.org? Probably not.

      It works best for really large and really popular zones, like TLDs.

      However, it's still going to be better (albeit not as significantly) for your personal domain too.

      Anyway, bandwidth isn't really the issue with DNS. It's latency and availability.

      The problem with your example is that chances are, your DNS server in LA will be getting queries for Europe, which isn't all that ideal. Once again, is it that important? Not really.

      But it will work obviously.

  6. Source and motivation by sphealey · · Score: 5, Interesting
    You are assuming that the specific attacks on the DNS servers are being carried out by kids and "young dudes" working by themselves for the thrill of it.

    Whereas these attacks, as well as some of the worms that have surfaced recently, strike me more as testing of new techniques and probing of defenses by an organized group that is working on techniques to cause widespread disruption.

    sPh

    1. Re:Source and motivation by curtisk · · Score: 5, Insightful

      well said....ppl automatically jump to the "it's just a bunch of script-kiddies" mentality....there may a HELL of a wake-up call some day....

      --

      Sehr geehrter Toilettenbenutzer!

  7. All the protection *I* need... by Anonymous Coward · · Score: 4, Funny

    is the following line in my hosts

    66.35.250.150 slashdot.org :)

  8. not just UltraDNS - others too by martin · · Score: 4, Informative


    Seems this was as distrubuted DDoS (DDDOS - sounds like a stemmer:-), many people got this..

    http://www.merit.edu/mail.archives/nanog/msg0534 9. html

  9. It's not a problem by Ted_Green · · Score: 5, Insightful

    If you're using an alternative root server.

    And in all honesty, I would say that if the "offical" root servers can't protect themselves, they really have no business being root servers (TLD or otherwise) in the first place.

  10. Re:Shameless plug for UltraDNS by nochops · · Score: 4, Interesting

    I've been using UltraDNS for more than 2 years now, and I'm also nothing but happy with them.

    You're right about their ease of use, it's definitely a strong point.

    I've never had any issues with them, and come to think of it, I dodn't have any problems this weekend either. In fact, I got -more- spam than usual, so I'm going to assume that if the spammers didn't have a problem resolving my domain name, neither did anyone else.

    --
    "A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
  11. Re:ISOC? by Anonymous Coward · · Score: 4, Informative

    Afilias uses UltraDNS for their DNS Infrastructure. It was in the proposal. Here's the link to the UltraDNS press release.

    http://www.ultradns.com/news/021028.html

  12. DNS Servers by sjanich · · Score: 4, Informative

    It is more then just a few servers.

    Generally each "server" has multiple seperate internet connections. The server it self is usally a set of two or machines acting as one. The servers are distributed around the internet. They are not concentrated in one place eigther geographically, or network topographically.

  13. Re:From the author of qmail comes.... by dbretton · · Score: 5, Informative

    From the DJBDNS page...

    Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)

    Seems to me like DJBDNS wouldn't help a lick!

    -D

  14. everydns by Wakkow · · Score: 4, Interesting

    Otherwise, you can use everydns.net for free which runs a nice djbdns setup behind a very clean interface and only asks for donations.

  15. Re:From the author of qmail comes.... by dohcvtec · · Score: 5, Insightful

    Enough said
    Not really... what are you trying to say? Can DJBDNS prevent thousands of trojaned Windows systems from pinging it incessantly? I didn't think so, and you had no point.

    --
    -- Never hit a man with glasses. Hit him with a baseball bat.
  16. There's something at internettrafficreport.com by Jugalator · · Score: 5, Informative

    Look at this, especially that huge packet loss spike at 11/24...

    Seems suspicious, although that site hasn't put up any news about it like they did with the major DNS attack a copule of weeks ago.

    --
    Beware: In C++, your friends can see your privates!
  17. Dan Bernstein by tuxlove · · Score: 4, Insightful

    Reading that Usenet thread was ugly. Dan Bernstein has the unsurpassed ability to present (often) good ideas while being a complete prick.

    Dan, you want people to take you more seriously, try being human once in a while. You don't need to prove just how damn intelligent you are by beating other people over the head with their own "ignorance". You might want to work on your own ignorance in the social skills department first.

    That said, transmitting the entire root zone over Usenet and other means sounds like a good suggestion. I hope you can start sounding like less of a lunatic so people will listen to the idea.

    1. Re:Dan Bernstein by SiliconEntity · · Score: 4, Interesting

      I met Bernstein briefly, and he seemed like a nice guy in person. He's relatively young, 30-ish, and soft spoken. But online he comes off as some kind of know-it-all curmudgeon.

      Personally I liked the suggestion in the Usenet thread to return expired DNS cache data when the authoritative servers are unreachable, at least as an option. 99% of the time when you can't do a host lookup, the old cached data would still be right. All the DNS purists hated the idea of using expired data, like it's unclean or something. But if it's all you've got, isn't it better to use old information than to give up on letting the net work at all?

  18. ISP's responsibility. by jwdeff · · Score: 4, Insightful

    All ISP's should have access lists on their routers allowing traffic out only if the source address is within their network. Directed Broadcasts should be turned off to limit smurf attacks. This itself would cut the problem ten fold.

  19. Nukes and Freenet by 0x0d0a · · Score: 5, Insightful

    For them, the "web" is the "Internet", and anything that affects "the web" could bring down the whole Internet

    Just one thought -- does Freenet use DNS at all? I *think* it doesn't. Because if not, it provides an existing, easy-to-migrate-to solution in case of such a catastrophic event. Just kick over to Freenet, no DNS required.

    The DNS system...can withstand a direct nuclear attack on 60% of its facilities

    As opposed to, say, those pesky indirect nuclear attacks? :-)

    --
    May we never see th
  20. Time for a new model by laigle · · Score: 5, Interesting

    Given these attacks, maybe it's time to shift the DNS model to something more distributed. Say a P2P network of all the DNS servers, which would feature client side intelligent load balancing (ie it only queries past your ISP's DNS when it needs to). It wouldn't take a whole lot, since it only needs to be capable of a very minute series of transactions. You could throw in CRC codes and a verification system if people wanted to be extra paranoid about it.

    Of course, ultimately you have to have some sort of root server. But in a distributed model, they could be essentially insulated from DOS attacks, because they just need to get the master list out to a few systems for it to propagate all over. There could be a redundant distribution mechanism whereby the root servers send the list out through normal channels, but also send it to some randomly selected servers by phone call as a backup. At that stage hosing the root servers (or more accurately their connections, I doubt anyone is gonna ping one of those things to lockup) would not only be difficult and dangerous, but pointless. You cut off its connection via the internet, but the list still gets out and immediately spreads to so many DNS servers you couldn't possibly shut them all down, and you would have to shut down most of the world's DNS servers to have any impact on users.

    Ultimately it wouldn't change things too much, since we're already pretty insulated from these attacks. But it does have a nice "just in case" factor to prevent some megaworm or Y2k-style OS-pervasive glitch from knocking us on our butts. And it would take the wind out of the sails for a bunch of the script kiddies (and the odd genuine hacker) out there trying to crash the net, which is almost worht it in and of itself.

  21. There is an elegant solution by lazlo · · Score: 5, Interesting
    There is an elegant solution that seems tailor-made for this particular problem (i.e., massive bandwidth DDOS of a small number of servers serving a stateless udp-based service) It's called anycast, and it's being used successfully now. An excellent example of its use is the AS112 project

    Here's a quick overview I found: http://www.pch.net/documents/tutorials/ipv4-anycas t/ipv4-anycast.ppt

    Now if we can just get all or most of the root-servers and gtld-servers moved to anycast, then there should be at least minor performance gains, and fairly large stability/resilience-to-DOS gains.

    --
    Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
  22. Doh! by spruce · · Score: 5, Funny

    So as the battle weary sys admins from UltraDNS finally get back home from fighting a DDOS attack....

    Phone rings.

    "Bob, the web server is under attack again, and this one's coming from all around the globe. Game over man, game over."

    Slashdot's a bitch.

  23. Re:The Edge of the Internet by SEWilco · · Score: 4, Informative
    Can someone explain exactly what 'the edge' refers to?

    If you visualize the Internet as a graph where lines represent each communication link, each computer has various numbers of lines to its neighbors.

    Usually the systems which have the most connections are shown on such a graph as being deep inside the web. Those which have only one connection, such as home computers and others which use one ISP, tend to be a frilly edge all around the web.

    "Securing the edge" means protecting against misbehavior of servers around the edge, particularly servers other than communication devices inside ISPs. A common example is ingress filtering, where an ISP rejects packets from customers when the origin address (the computer's IP address) is not one of the ISP's addresses; this shouldn't happen because the ISP knows the proper addresses of its customers. Ingress filtering keeps "the edge" from sending in garbage.