DOS Attacks On DNS Provider

← Back to Stories (view on slashdot.org)

Posted by ryuzaki0 on Monday November 25, 2002 @05:15AM from the going-after-the-big-boys dept.

Greedo writes "Seems like UltraDNS was hit with a denial of service attack this weekend. Since these are the guys who are supposed to be running the .ORG DNS, and in light of recent attacks on the gTLD roots, attacks against DNS servers should be treated very seriously. What kind of protection can be had? What happens when an attack like this brings down an entire TLD? Do you want to give control of an entire gTLD to one organization? Read a follow-up discussion on comp.protoocols.dns.std."

18 of 224 comments (clear)

Why attack the DNS-servers? by 10Ghz · 2002-11-25 05:18 · Score: 5, Funny

I mean, isn't that a bit counterproductive?

"Yes, I brought the entire DNS-system crashing down! I'm l337! Now, all I have to do is to go online and brag about my exploits... Hmmm... There seems to be something wrong with my net-connection..."

--
Lesbian Nazi Hookers Abducted by UFOs and Forced Into Weight Loss Programs - -all next week on Town Talk.
1. Re:Why attack the DNS-servers? by 4of12 · 2002-11-25 05:33 · Score: 5, Insightful
  
  isn't that a bit counterproductive?
  
  Absolutely.
  
  OTOH, if you were in the business of providing a spoofed name service, then this would be the first step in doing so.
  
  At any rate, it sure seems like access to a critical top level DNS should be filtered to a big white list of mirror machines, which could then handle general purpose inquiries.
  
  That, or increase the number of TLDs, but that's already an insolubly bad political problem.
  
  --
  "Provided by the management for your protection."
2. Re:Why attack the DNS-servers? by Blkdeath · 2002-11-25 05:55 · Score: 5, Insightful
  
  But it would be a great way to scare the general public. It won't necessarily be as terrifying as hijacking planes, but it can spread some fear into many people. (mainly IT types)
  Actually, the last DoS attack on the root nameservers sucked, but it didn't frighten IT people. The only people things like this frighten are Average Joe Consumer types who don't really understand how these things work. For them, the "web" is the "Internet", and anything that affects "the web" could bring down the whole Internet (as if it's just a few computers in a lab somewhere that can be shut down like shutting off a light switch).
  The DNS system was designed for redundancy; if it can withstand a direct nuclear attack on 60% of its facilities (vis; 6-7 of the root servers), it can withstand a DoS attack. Considering the upstream providers of each of the root servers are responsive enough to throttle the traffic to a more reasonable level, and the caching, heirarchal nature of the DNS system (except for mickey-mouse systems who query the root nameservers only with no fallback support), it would take days to notice an outage. In that time, the root servers could set up spare boxes and have the system back up and running with relatively minimal disruption.
  To truly affect the operation of "the internet" as a whole, a DDoS attack would have to be sustained for days on end.
  
  --
  BD Phone Home!
  Shameless plug. Like you weren't expecting it.
Good thing MS is killing DOS in december by Streiff · 2002-11-25 05:19 · Score: 5, Funny

Good thing MS is killing DOS in december. It's way
too violent these days.
.ORG TLD... by AyeRoxor! · 2002-11-25 05:20 · Score: 5, Funny

Thought you would find this funny:

In IE, I entered ORG and hit enter, just to see what would happen. Although highly unlikely, they could arrange some page there. Instead, MS search brough up a list of possible alternatives. Number one on the list?

Mozilla.org

Thanks, Bill :)
1. Re:.ORG TLD... by devnullkac · 2002-11-25 06:17 · Score: 5, Funny
  
  In IE, I entered ORG and hit enter, just to see what would happen. Number one on the list? Mozilla.org
  
  I just tried the same thing. Number two on the list?
  Slashdot
  Number three?
  Linux Online
  
  Somebody at MSN likes us.
  
  --
  What do you mean they cut the power? How can they cut the power, man? They're animals!
Very surprising by ekrout · 2002-11-25 05:23 · Score: 5, Informative

I have seen the UltraDNS ads here at Slashdot and thusly decided to read up on their techniques as well.

Basically, they urge large important Web sites to outsource its DNS needs to another company (them). Before this DOS attack on their servers, they provided near perfect stability, security, and performance. If I recall correctly, Hotmail, Forbes, and Oracle have already used the services of UltraDNS.

It's a shame that such a wonderful resource (the Internet) is so often abused by a few rowdy hackers and trolls.

Here is a whitepaper that describes their services in depth and explains the reasons for outsourcing one's DNS needs.

--

If you celebrate Xmas, befriend me (538
1. Re:Very surprising by Johannes · 2002-11-25 06:40 · Score: 5, Informative
  
  Disclaimer: I used to work at UltraDNS until a couple of months ago when I was laid off.
  
  The service provides a couple of advantages:
  
  Better latency. They use an anycast routing network which guarantees that a query to their DNS servers will be received and answered by the closest server based on the network topology. Even though there is only 2 published IP's for nameservers. There are some 16 servers scattered around the globe to answer on those IP's.
  
  Near real time database updates. They use an Oracle advanced replication network to get updates out to the other servers in near real time.
  
  Proprietary software. The only significant advantage here is that it's not BIND.
  
  All in all, it's about as good as DNS will get. Do you need it for your personal domain? Hardly. Do you need it for a popular domain like slashdot.org? Probably not.
  
  It works best for really large and really popular zones, like TLDs.
  
  However, it's still going to be better (albeit not as significantly) for your personal domain too.
  
  Anyway, bandwidth isn't really the issue with DNS. It's latency and availability.
  
  The problem with your example is that chances are, your DNS server in LA will be getting queries for Europe, which isn't all that ideal. Once again, is it that important? Not really.
  
  But it will work obviously.
Source and motivation by sphealey · 2002-11-25 05:26 · Score: 5, Interesting

You are assuming that the specific attacks on the DNS servers are being carried out by kids and "young dudes" working by themselves for the thrill of it.
Whereas these attacks, as well as some of the worms that have surfaced recently, strike me more as testing of new techniques and probing of defenses by an organized group that is working on techniques to cause widespread disruption.
sPh
1. Re:Source and motivation by curtisk · 2002-11-25 06:08 · Score: 5, Insightful
  
  well said....ppl automatically jump to the "it's just a bunch of script-kiddies" mentality....there may a HELL of a wake-up call some day....
  
  --
  Sehr geehrter Toilettenbenutzer!
It's not a problem by Ted_Green · 2002-11-25 05:34 · Score: 5, Insightful

If you're using an alternative root server.

And in all honesty, I would say that if the "offical" root servers can't protect themselves, they really have no business being root servers (TLD or otherwise) in the first place.
Re:From the author of qmail comes.... by dbretton · 2002-11-25 05:39 · Score: 5, Informative

From the DJBDNS page...

Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)

Seems to me like DJBDNS wouldn't help a lick!

-D
Re:From the author of qmail comes.... by dohcvtec · 2002-11-25 05:48 · Score: 5, Insightful

Enough said
Not really... what are you trying to say? Can DJBDNS prevent thousands of trojaned Windows systems from pinging it incessantly? I didn't think so, and you had no point.

--
-- Never hit a man with glasses. Hit him with a baseball bat.
There's something at internettrafficreport.com by Jugalator · 2002-11-25 06:04 · Score: 5, Informative

Look at this, especially that huge packet loss spike at 11/24...

Seems suspicious, although that site hasn't put up any news about it like they did with the major DNS attack a copule of weeks ago.

--
Beware: In C++, your friends can see your privates!
Nukes and Freenet by 0x0d0a · 2002-11-25 06:22 · Score: 5, Insightful

For them, the "web" is the "Internet", and anything that affects "the web" could bring down the whole Internet

Just one thought -- does Freenet use DNS at all? I *think* it doesn't. Because if not, it provides an existing, easy-to-migrate-to solution in case of such a catastrophic event. Just kick over to Freenet, no DNS required.

The DNS system...can withstand a direct nuclear attack on 60% of its facilities

As opposed to, say, those pesky indirect nuclear attacks? :-)

--
May we never see th
Time for a new model by laigle · 2002-11-25 06:24 · Score: 5, Interesting

Given these attacks, maybe it's time to shift the DNS model to something more distributed. Say a P2P network of all the DNS servers, which would feature client side intelligent load balancing (ie it only queries past your ISP's DNS when it needs to). It wouldn't take a whole lot, since it only needs to be capable of a very minute series of transactions. You could throw in CRC codes and a verification system if people wanted to be extra paranoid about it.

Of course, ultimately you have to have some sort of root server. But in a distributed model, they could be essentially insulated from DOS attacks, because they just need to get the master list out to a few systems for it to propagate all over. There could be a redundant distribution mechanism whereby the root servers send the list out through normal channels, but also send it to some randomly selected servers by phone call as a backup. At that stage hosing the root servers (or more accurately their connections, I doubt anyone is gonna ping one of those things to lockup) would not only be difficult and dangerous, but pointless. You cut off its connection via the internet, but the list still gets out and immediately spreads to so many DNS servers you couldn't possibly shut them all down, and you would have to shut down most of the world's DNS servers to have any impact on users.

Ultimately it wouldn't change things too much, since we're already pretty insulated from these attacks. But it does have a nice "just in case" factor to prevent some megaworm or Y2k-style OS-pervasive glitch from knocking us on our butts. And it would take the wind out of the sails for a bunch of the script kiddies (and the odd genuine hacker) out there trying to crash the net, which is almost worht it in and of itself.
There is an elegant solution by lazlo · 2002-11-25 06:29 · Score: 5, Interesting

There is an elegant solution that seems tailor-made for this particular problem (i.e., massive bandwidth DDOS of a small number of servers serving a stateless udp-based service) It's called anycast, and it's being used successfully now. An excellent example of its use is the AS112 project
Here's a quick overview I found: http://www.pch.net/documents/tutorials/ipv4-anycas t/ipv4-anycast.ppt
Now if we can just get all or most of the root-servers and gtld-servers moved to anycast, then there should be at least minor performance gains, and fairly large stability/resilience-to-DOS gains.

--
Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
Doh! by spruce · 2002-11-25 06:54 · Score: 5, Funny

So as the battle weary sys admins from UltraDNS finally get back home from fighting a DDOS attack....

Phone rings.

"Bob, the web server is under attack again, and this one's coming from all around the globe. Game over man, game over."

Slashdot's a bitch.