More Info on the October 2002 DNS Attacks
MondoMor writes "One of the guys who invented DNS, Paul Mockapetris, has written an article at ZDnet about the October '02 DNS attacks. Quoting the article: "Unlike most DDoS attacks, which fade away gradually, the October strike on the root servers stopped abruptly after about an hour, probably to make it harder for law enforcement to trace." Interesting stuff."
First they kill 3000 people...then they deny us the Internet for a COUPLE HOURS! This time...it's PERSONAL!
I'll form my OWN solar system! With blackjack! And hookers!
The solution would be just to get rid of the ping command ;)
There are barely any decent clients, the entire back-end of DNS is horribly managed, most servers suck, and the protocol is un-Godly with horrific syntactic and semantic instructions.
Someone please invent an upgrade to this archaic system so attacks like the one featured in this article no longer happen.
SMTP should be thrown out the window too, but a replacement for that is even further away than one for DNS.
Reply or e-mail; don't vaguely moderate. Ex-O'Reilly/MIT employee, now a full-time Google employee.
As email viruses expanded from an original concept, their authors began to adapt to the strategies used both to catch them and to deal with their creations. As a result, newer viruses have been more damaging. The October attacks showed a greater level of sophistication solely because the people behind these types of attacks are aware of what's going on and pay attention in order to make them more successful. The scary part is that the longer people like this are able to elude law enforcement, the larger their attacks will eventually become. Each one is, in essence, a trial run for the next larger attack. Watching attacks like the ones that have plagued dal.net for a long time, it's easy to see how these attacks could end up causing serious problems (beyond the minor inconvenience of not being able to get to your favorite sites) in the near future.
Unfortunately, the thieves didn't wait for law enforcement officials to show up, making it much harder to identify them.
0110100100100000011000010110110100100000011000100
The Dalnet IRC network has been crippled for months due to continuing DDOS attacks. Now Dalnet is based on a small number of central IRC servers (20-30 I believe) so it isn't too far removed from the core DNS infrastructure (i.e. the root DNS servers).
Why don't Dalnet and the FBI (or whoever) get together to solve a mutual problem ?
Dalnet could get some much-needed help, and the FBI could get some much-needed experience into investigating this sort of attack. They would also be dealing with someone (or some people) who could move on to attacking bigger things.
Also if they caught the attackers, they would get some useful publicity, some justification for an increased spend on cyber-deterrence, and the deterrent effect of having the perpetrators suitably punished - as well as putting a genuine menace behind bars.
You think that just by magically inventing a replacement for a tried & true and ROBUST system like DNS is going to solve the DoS problem?
Ok, let's pretend such a magical replacement actually exists, and you have it up and running. Then, the skr1pt k1dd1es show up and start a 'trinoo' or 'tribal flood' type DoS that floods your network and slows all your servers down to a crawl. Tell me again how your magical new DNS replacement is going to deal with this situation better than the old one?
Didn't even notice the outage; none of my customers or people browsing my sites indicated that they noticed either. In the nature of multiple providers and the way the DNS structure works, it would take an awfully long time for a large number of people to notice anything.
I'm sorry but that article sucked. It was like Introductory DNS and Intrusion Detection for 2nd graders.
Trace buster buster buster, so that the feds wouldn't be able to use their trace buster buster to stop them.
DNS info is cached and times out in about a week, so if you had updated just before the attack, you wouldn't notice for a week.
Well then, isn't it logical to try and rate limit/filter as close to the source as possible then? Of course this shifts responsibility...
If all ISPs were proactive in dealing with customers' machines being used as zombies to launch attacks, then internet users as a whole would have fewer problems trying to deal with being the target of an attack.
A few logical steps:
Some ISPs may do this, I don't know, but from the articles I read about DDoS attacks it appears that most don't.
apparently icannwatch new year resolution was to migrate from nuke to slash.
I'm not an expert, but as I understand it, DNS attacks are relatively benign, since DNS info is cached all over the place and doesn't change much anyway (this is essentially what the article says). Now, the author seems much more worried about attacks against Top Level Domains, because of reasons related to the nature of the information that TLD servers have, and he suggests a few techniques that they could use. What he doesn't say is what techniques the TLDs are using currently, and how secure they are.
Does anyone out there on /. know?
"...the October strike on the root servers stopped abruptly after about an hour, probably to make it harder for law enforcement to trace."
Hrrrrmmm. That makes it look deliberate. Hrrrrmmm.
I liked his guaranteed firewall, a 5 kg block of clay you stick your network cable in after cutting it into two pieces with sidecutters. I guess that would work.
Where's the dns in a box thing? I am blind I guess, not seeing it or is that another joke?
0wned!!!.
Implementation of simple egress filtering rules at border routers or at firewalls (regardless of who owns them) would dramatically decrease the efficacy of DDoS attacks.
If my organization owns the A.B.C network, there is no reason why any packets bearing a source address of anything other than A.B.C.* should be permitted to leave my network.
NAT environments can implement this by dropping packets with source addresses that do not belong to the internal network.
Of course, for this to be effective it would have be used on a broad scale, i.e. around the world...
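The egress rule described in that post, simulated in Python as an added example (not code from the post or from any router vendor). It assumes a constructed address plan: the site "owns" the documentation prefix 203.0.113.0/24, standing in for the post's A.B.C.*, and its NAT segment uses 10.0.0.0/8. Both vantage points use the same check: a packet leaves only if its source address belongs to the prefixes this site can legitimately originate.

```python
"""Egress source-address filtering, simulated.

Constructed example: 203.0.113.0/24 stands in for the post's A.B.C.* prefix
and 10.0.0.0/8 for the NAT's internal range. Not a real router configuration.
"""
import ipaddress
from typing import Iterable, List, Tuple

Packet = Tuple[str, str]  # (source address, destination address)

# Assumed address plan for this site (constructed, not from the post).
OWNED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
NAT_INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]


def egress_allowed(src_ip: str, allowed_prefixes) -> bool:
    """A packet may leave only if its source address belongs to this site."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # unparsable source: never forward it
    return any(addr in net for net in allowed_prefixes)


def filter_egress(packets: Iterable[Packet], allowed_prefixes) -> Tuple[List[Packet], List[Packet]]:
    """Split outbound packets into those forwarded and those dropped (spoofed source)."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for src, dst in packets:
        (forwarded if egress_allowed(src, allowed_prefixes) else dropped).append((src, dst))
    return forwarded, dropped


# Constructed outbound traffic at the border: two genuine sources, two spoofed, one malformed.
BORDER_SAMPLE: List[Packet] = [
    ("203.0.113.10", "198.51.100.5"),
    ("203.0.113.200", "198.51.100.5"),
    ("192.0.2.77", "198.51.100.5"),     # spoofed: not in our prefix
    ("198.51.100.99", "198.51.100.5"),  # spoofed: some other network's address
    ("not-an-ip", "198.51.100.5"),
]

# Same rule inside a NAT: only internal private addresses may reach the NAT box.
NAT_SAMPLE: List[Packet] = [
    ("10.1.2.3", "198.51.100.5"),
    ("172.16.5.5", "198.51.100.5"),    # not part of this NAT's internal range
    ("203.0.113.10", "198.51.100.5"),  # public address appearing inside the NAT: spoofed
]


def summarize() -> dict:
    """(forwarded, dropped) counts for both vantage points."""
    b_fwd, b_drop = filter_egress(BORDER_SAMPLE, OWNED_PREFIXES)
    n_fwd, n_drop = filter_egress(NAT_SAMPLE, NAT_INTERNAL_PREFIXES)
    return {"border": (len(b_fwd), len(b_drop)), "nat": (len(n_fwd), len(n_drop))}


if __name__ == "__main__":
    for src, dst in BORDER_SAMPLE:
        verdict = "forward" if egress_allowed(src, OWNED_PREFIXES) else "DROP"
        print(f"{src:>15} -> {dst}: {verdict}")
    print(summarize())
```

The malformed source is dropped as well: a filter that lets unparsable addresses through on error would hand an attacker a trivial bypass.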
I want to drag this out as long as possible. Bring me my protractor.
http://www.riaa.org/ nuff said.
I have a question... Why does a cache have to expire?
Why not allow the admin to specify the maximum disk space that the cache can use up, and then only prune the records when that (possibly huge) database grows too large? In addition, DNS records should not just arbitrarily expire...
If a record has not reached its "expire" date, the cache is just fine. If a record HAS reached its "expire", it should still remain valid UNTIL the DNS server has been able to get a valid update. Now, that would allow large DNS servers to maintain quite a bit of functionality even if all other DNS servers go down, and would do so while requiring only that the most popular queries are saved on the server (so not everyone has to become a full root DNS server).
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
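The cache behaviour that post proposes, worked through as an added Python example (not code from the post or from any DNS server): records are pruned only when the store exceeds a size limit, an expired record triggers a refresh, and if the upstream cannot be reached the expired record is served anyway. The upstream resolver, its zone data and the clock are all constructed fakes so the scenario runs offline; negative answers (name does not exist) are not modelled.

```python
"""Size-bounded DNS cache that serves expired records until a refresh succeeds.

Constructed example: FakeUpstream stands in for the authoritative side, the
zone data is invented, and the clock is a counter the scenario advances by hand.
"""
from collections import OrderedDict
from typing import Callable, Dict, Optional, Tuple

Answer = Tuple[str, int]    # (rdata, ttl in seconds)
Entry = Tuple[str, float]   # (rdata, expires_at)


class StaleTolerantCache:
    """Records are pruned by size only; an expired record is re-fetched and,
    if the upstream is unreachable, served stale rather than discarded."""

    def __init__(self, max_entries: int, resolve: Callable[[str], Answer],
                 clock: Callable[[], float]):
        self.max_entries = max_entries
        self.resolve = resolve        # upstream lookup; raises when it cannot answer
        self.clock = clock
        self._store: "OrderedDict[str, Entry]" = OrderedDict()   # kept in LRU order

    def lookup(self, name: str) -> Optional[Tuple[str, bool]]:
        """Return (rdata, served_stale), or None when nothing is known and upstream fails."""
        now = self.clock()
        entry = self._store.get(name)
        if entry is not None and entry[1] > now:
            self._store.move_to_end(name)
            return entry[0], False                  # fresh cache hit, no upstream traffic
        try:
            rdata, ttl = self.resolve(name)
        except Exception:
            if entry is None:
                return None                         # never seen it, cannot help
            self._store.move_to_end(name)
            return entry[0], True                   # expired, but better than nothing
        self._store[name] = (rdata, now + ttl)
        self._store.move_to_end(name)
        self._prune()
        return rdata, False

    def _prune(self) -> None:
        while len(self._store) > self.max_entries:
            self._store.popitem(last=False)         # evict least recently used


class FakeUpstream:
    """Stand-in for the root/authoritative side. Raises on outage and on unknown names."""

    def __init__(self):
        self.down = False
        self.calls = 0
        self.zone = {                               # constructed records, TTL 300 s
            "www.example.net.": ("192.0.2.10", 300),
            "a.example.net.": ("192.0.2.1", 300),
            "b.example.net.": ("192.0.2.2", 300),
        }

    def __call__(self, name: str) -> Answer:
        self.calls += 1
        if self.down:
            raise TimeoutError("upstream unreachable")
        if name not in self.zone:
            raise LookupError("no such name")
        return self.zone[name]


def run_scenario() -> Dict:
    """Fresh hit, outage with stale service, recovery, then size-based pruning."""
    now = [0.0]
    upstream = FakeUpstream()
    cache = StaleTolerantCache(max_entries=2, resolve=upstream, clock=lambda: now[0])
    out: Dict = {}
    out["first"] = cache.lookup("www.example.net.")          # upstream call, fresh answer
    now[0] = 100.0
    out["fresh_hit"] = cache.lookup("www.example.net.")      # within TTL, no upstream call
    now[0] = 1000.0                                          # TTL has expired
    upstream.down = True
    out["stale"] = cache.lookup("www.example.net.")          # refresh fails, served stale
    out["unknown_while_down"] = cache.lookup("nx.example.net.")
    upstream.down = False
    out["refreshed"] = cache.lookup("www.example.net.")      # refresh succeeds
    cache.lookup("a.example.net.")
    cache.lookup("b.example.net.")                           # pushes store past max_entries
    out["entries_after_prune"] = len(cache._store)
    out["upstream_calls"] = upstream.calls
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:>22}: {value}")
```

The trade-off is visible in the scenario: during the outage the cache keeps answering for names it has seen, but a name it never cached still fails, which is why the post's idea only helps for the popular queries a server has already served.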
DNS caching kept most people from noticing this assault. In very rough terms, if the root servers are disrupted, only about 1 percent of the Internet should notice for every two hours the attack continues--so it would take about a week for an attack to have a full effect. In this cat-and-mouse game between the attackers and network operators, defenders count on having time to respond to an assault.
Although they could have really done a proper compare and contrast instead of giving every rating on every program 'XXXX'.
yes what the hell does this guy know about the DNS anyway!
It's difficult for any reasonable person to know where to begin solving these issues. Traditionally, nailing down machines and networks so they are more secure has been seen as the best approach, but there's little anyone can do about having bandwidth used up by unaccountable "hacked" machines, as is seemingly more and more the modus-operandi.
Attempts to trace crackers are frequently wastes of time, and stiffer penalties for hackers are compromised by the fact that it's hard to actually catch the hackers in the first place. The situation is made worse that many of the most destructive hackers do not, themselves, set up anything beyond sets of scripts distributed to and run by suckers - so-called "script kiddies".
Given that hackers usually work by taking over other machines and coopting them into damaging clusters that can cause all manner of problems, less focus than you'd expect is put onto making machines secure in the first place. The responsibility for putting a computer on the Internet is that of a system administrator, but frequently system administrators are incompetent, and will happily leave computers hooked up to the Internet without ensuring that they're "good Internet citizens". Bugs are left unpatched, if the system administrators have even taken the trouble to discover if there are any problems in the first place. This is, in some ways, the equivalent of leaving an open gun in the middle of a street - even the most pro-gun advocates would argue that such an act would be dangerously incompetent. But putting a farm of servers on the Internet, and ignoring security issues completely, has become a widespread disease.
There is a solution, and that's to make system administrators responsible for their own computers. An administrator should be assumed, by default, to be responsible for any damage caused by hardware under his or her control unless it can be shown that there's little the admin could reasonably have done to prevent their machine from being hijacked. Clearly, a server unpatched a few days after a bug report, or a compromise unpatched that has never been publicly documented, is not the fault of an admin, but leaving a server unpatched years after a compromise has been documented and patches have been available certainly is. Unlike hackers, it is easy to discover who is responsible for a compromised computer system. So issues of accountability are not a problem here.
Couple this with suitably harsh punishments, and not only will system administrators think twice before, say, leaving IIS 4 out in the wild vulnerable to NIMDA, but hackers too - for the same reasons as they avoid attacking hospital systems, etc - will think twice about compromising someone else's system. Fines for first offenses and very minor breaches can be followed by bigger deterrents. If you were going to release a DoS attack into the wild, but knew that the result would be that many, many, system administrators would be physically castrated because of your actions, would you still do it?
Of course not. But even if you were, the fact that someone has been willing to allow their system to be used to close the DNS system, or take Yahoo offline, ought to be reason enough to be willing to consider such drastic remedies. Castration may sound harsh, but compared to modern American prison conditions, it's a relatively minor penalty for the system administrator to pay, and will merely result in discomfort combined with removal from the gene-pool. At the same time, such an experience will ensure that they take better care of their systems in future, without removing someone who might have skills critical to their employer's well being from being taken out of the job market.
The assumption has always been made that incompetent system administrators deserve no blame when their systems are hijacked and used for evil. This assumption has to change, and we must be willing to force this epidemic of bad administration to be resolved. Only by securing the systems of the Internet can we achieve a secure Internet. Only by making the consequences of hacking real and brutal can we create an adequate response to the notion that hacking, per-se, is not wrong, that it causes no damage.
This quagmire of people considering system administrators the innocents in computer security when they are themselves the most responsible for problems and holes will not disappear by itself. Unless people are prepared to actually act, not just talk about it on Slashdot, nothing will ever get done. Apathy is not an option.
You can help by getting off your rear and writing to your congressman or senator [senate.gov]. Write also to Jack Valenti, the CEO and chair of the MPAA, whose address and telephone number can be found at the About the MPAA page [mpaa.org]. Write too to Bill Gates [mailto], Chief of Technologies and thus in overall charge of security systems built into operating systems like Windows NT, at Microsoft. Tell them security is an important issue, and is being compromised by a failure to make those responsible for security accountable for their failures. Tell them that only by real, brutal, justice meted out to those who are irresponsible on the Internet will hacking be dealt with. Tell them that you believe it is a reasonable response to hacking to ensure that administrators who fail time and time again are castrated, and that castration is a reasonable punishment that will ensure a minimal impact on an administrator's employer while serving as a huge deterrent against hackers and against incompetence. Tell them that you appreciate the work being done to patch servers by competent administrators but that if incompetent admins are not kept accountable, you will be forced to use less and less secure and intelligently designed alternatives. Let them know that SMP may make or break whether you can efficiently deploy OpenBSD on your workstations and servers. Explain the concerns you have about freedom, openness, and choice, and how poor security harms all three. Let your legislators know that this is an issue that affects YOU directly, that YOU vote, and that your vote will be influenced, indeed dependent, on their policies concerning maladministration of computer systems connected to the public Internet.
You CAN make a difference. Don't treat voting as a right, treat it as a duty. Keep informed, keep your political representatives informed on how you feel. And, most importantly of all, vote.
KMSMA (WWBD?)
Who modded this as Interesting?
The author obviously shows he doesn't understand what a TLD is. You can't attack a name (the TLD is part of the hostname), you can only attack servers (like those running DNS). At least the author admits he's not an expert.
It seems to me that this is another call for more secure computers. If the "zombies" were not so easy to create, then such attacks would not be so easy to mount. I think security has gotten better, but there is still great room for improvements. I have some random thoughts that might help.
First, broadband providers should not sell bandwidth without a standard firewall. I do not see such a proposition to be expensive, as a standalone unit is quite cheap, and the cost to integrate such circuitry into a DSL or cable box should be even less expensive. Broadband providers should stop their resistance to home networking and use bandwidth caps or other mechanisms, if necessary.
Second, the default settings in web browsers must be more strict. Web browsers should not automatically accept third party cookies or images. Web browsers should not automatically pop up new windows or redirect to third party sites. Advertising should not be an issue. I know of no legitimate web site that requires third party domains. For instance /. uses "images.slashdot.org" and the New York Times uses "graphics7.nytimes.com". Of course, these default settings should be adjustable, with the appropriate message stating that web sites that use such techniques are likely to be illegitimate. I know of a few sites that require all images and cookies to be accepted, but I consider those to be fraudulent.
Third, email programs should by default render email as plain text. There should be a button to allow the mail to render HTML and images. There should be a method to remember domains that will always render or never render. Again, third party domains should not render automatically. In addition, companies need to not promote HTML and image based email. Apple is particularly guilty of this. The emails they send tend to be illegible without images.
Fourth, the root must be the responsibility of the user, or a third agent must have full liability for a hack. This should be basic common sense, but it apparently is not. MS wants access to the root of all Windows machines, but I do not see MS saying they will accept all responsibility for damage. Likewise, the RIAA wants access to everyone's root, but again, are they going to pay for the time it takes to reinstall an OS? I think not. With privilege comes responsibility. Without responsibility all you have are children playing with matches.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Intrusion detection systems can repress 300++ different DoS signatures and would be one of the best obstacles against those DoS attacks.
quote:port 17 udp
The problem with DNS is that while the rest of the Internet is fairly decentralised, and that no organization has complete control over it (which is both technologically and politically sound), DNS is very centralised.
But now we have algorithms to deal with this! Distributed Hash Tables like Kademlia are completely decentralised (everyone who wanted to, e.g. all (even small) ISPs, could participate in the system), secure, and do exactly what DNS does: map one value (e.g. a domain name) to another (e.g. an IP).
A much better solution would be some form of secure DNS. ( Quick googling turned up DNSSEC, but I don't know anything about it. )
If every DNS record was signed by some authority, every DNS server could provide trusted answers to queries. This way, every ISP could provide its own DNS server to its customers. This server could cache the root zone and maybe even all TLDs. The changes in the zone files could be distributed easily via any public service ( news, ftp, ... ) making a DOS against all distribution methods much more difficult.
Whose laws are being enforced, and upon whom?
--sdem
Every sign points to one obvious culprit: a giant rat.
Satanists get good grades too...suspiciously good grades
All lies, of course. You never have run a DNS server, and probably barely understand what DNS is.
The problem with the current ICMP standards are that it's too damn easy to spoof the original addresses, so you can send crap and nobody would know were it came from.
I was wondering - does IPv6 solve this problem (using some sort of digital signatures or another ingenious way), or will sites still be vulnerable to script kiddies?
Slashdot community, please notice: I am looking for a girlfriend.
Nave H. Weiss
And how does it distinguish a DDoS of a nameserver from /. linking to a site, causing its DNS entry to be looked up by bazillions of people in under 7.3 seconds? There's just not much state in typical DNS traffic for an IDS to analyze. And if an IDS says something looks fishy, what are you supposed to do, take the nameserver offline?
End users don't need root or TLD servers; they just need to have DNS queries answered. That's why normally, they are configured to query the ISP or corporate DNS servers, which in turn do the recursive query to root, TLD, and remote DNS servers. Given that, consider the possibility of the ISP or corporate data center intercepting any queries done (as if the end user were running a recursive DNS server instead of a basic resolver) and handle them through a local cache (within the ISP or corporate data center). It won't break normal use. It won't break even if someone is running their own DNS (although they will get a cached response instead of an authoritative one). It will prevent a coordinate attack-load from the network that does this.
They talk about root and TLD servers located at major points where lots of ISPs meet, which poses a potential risk of a lot of bandwidth that can hit a DNS server. So my first thought was why not have multiple separate servers with the same IP address, each serving part of the bandwidth, much like load balancing. And then, you don't even have to have them at the exchange point, either; they can be in the ISP data center. They could be run as mimic authoritative servers if getting zone data is possible, or just intercepting and caching.
now we need to go OSS in diesel cars
Of course, unless the zombies were smart enough to know the IP range within the border router, you'd still get a metric buttload of invalid packets at the border router. Some kind of threshold alarm might be a good idea -- but then there's the problem of locating which machine within the border is generating the packets...
In a perfect world, the best solution would be that people didn't let their machines get 0wn3d in the first place, [Insert maniacal laughter]!
Egress filtering is a good thing but it's not a complete solution. (And it's a good thing that I turned back from the Insufficient-light Side of the Hack many years ago.) Here's an explanation of a reflection attack. (Yes, that "end of the Internet" grc. :^)
One line blog. I hear that they're called Twitters now.
I guess that I shouldn't worry, unlike script-kiddie h4x0rs, Slashdot users are intelligent, wise .. , never do stupid things .. , never abuse the system .. oh shit
It mentions "Rate limiting" as the way around this.
In the future, I would want to not be isolated from my friends in the Space Station.
Instead of getting giddy everytime you think you're gonna slam someone's post on a forum, look up the word 'joke', and then say "hey, he's making a joke!"
They are cyber- idiots. Talk to any ISP who has called them.
The master strokes are running kiddie porn user groups on yahoo and busting AOL users.
That's what the fruit is for. You drown them. Duh.
I hadn't read that guy's site in a while because it's too alarmist. But I read the linked GRC article and found roughly 5-15% useful text among all of that. The IRC log was priceless; ^^boss^^ was stupid if he was surprised someone could've figured out how to locate and connect to his IRC server. (I'm not necessarily dissing Gibson with that statement, though; he's alarmist but is fairly knowledgeable, although he can sound fairly stupid at points, too.)
What struck me is how much his articles read like Crocodile Hunter:
CRIKEY!! I've been DDoS'ed by SCRIPT KIDDIES' WIN9x ZOMBIES!! Lucky for me they weren't Win2k or WinXP zombies or I'd be DEAD!!
[Imagine the following text centered, large, bold and in a different color]
etc., etc..
I actually enjoy Crocodile Hunter, though.
..if the flood is randomly generated queries from thousands of compromised hosts. There would be no way to separate flood traffic from legit traffic. A worm could do this, or a teenager with a lot of time on their hands.
It's easier for peons to get together a smurf list to attack the roots, but a nice set of compromised hosts issuing bogus spoofed queries would be just devastating.
The solution is not more root servers. Attackers gain compromised hosts for free, root servers must be paid for. The solution is to make some kind of massively distributed root server system.
In my tinydns logs I'm seeing bursts of TCP DNS queries to other sites like this:
...
2002-12-18 20:21:41.625850500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:41.653926500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:42.478778500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:42.539659500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:44.037762500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:44.044905500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:44.977877500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:44.981065500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:44.994964500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:45.004873500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:47.051659500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:47.052983500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:47.054331500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:47.055714500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:47.057062500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:47.058301500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:47.998308500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:48.004186500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:48.010767500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:48.012760500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:49.520383500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:49.521411500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:50.069516500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:50.134890500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:50.137645500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:50.139102500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:50.140381500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:50.141742500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:21:50.142980500 217.78.76.162 A www.usscplus.com (not found)
2002-12-18 20:24:31.367458500 217.78.76.162 A www.usscplus.com (not found)
(Yes, I've seen these more recently than three weeks ago...)
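A detector for the kind of burst shown in that post, written here as an added Python example (not the poster's code and not part of tinydns). It parses lines in the same shape as the ones above (timestamp, client, query type, name, result in parentheses) and raises one alert per client-and-name pair the first time that pair exceeds a threshold inside a sliding time window. Every address and name in the sample log is constructed; the threshold and window are assumptions to tune against real traffic, since a popular site being linked from a busy page can also produce a spike.

```python
"""Burst detection over tinydns-style query log lines.

Constructed example: the log format mirrors the post's lines, but the client
addresses and names below are invented. WINDOW_S and THRESHOLD are assumed values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

WINDOW_S = 10.0   # sliding window length in seconds
THRESHOLD = 20    # queries for one name from one client within the window

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)\)$"
)


def _to_seconds(ts_text: str) -> float:
    """Seconds since 1970-01-01 (timestamps treated as UTC); keeps the sub-second part."""
    date, clock = ts_text.split(" ")
    hms, frac = clock.split(".")
    dt = datetime.strptime(f"{date} {hms}", "%Y-%m-%d %H:%M:%S")
    whole = (dt - datetime(1970, 1, 1)).total_seconds()
    return whole + int(frac[:9].ljust(9, "0")) / 1e9


def parse_line(line: str) -> Optional[Dict]:
    """One log line -> record dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_text, client, qtype, qname, result = m.groups()
    return {"ts": _to_seconds(ts_text), "client": client,
            "qtype": qtype, "qname": qname, "result": result}


def find_bursts(records: List[Dict]) -> List[Dict]:
    """One alert per (client, qname) the first time its window count reaches THRESHOLD."""
    windows = defaultdict(deque)
    alerts: Dict = {}
    for r in sorted(records, key=lambda rec: rec["ts"]):
        key = (r["client"], r["qname"])
        q = windows[key]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > WINDOW_S:
            q.popleft()                           # slide the window forward
        if len(q) >= THRESHOLD and key not in alerts:
            alerts[key] = {"client": r["client"], "qname": r["qname"],
                           "count": len(q), "first_ts": q[0], "last_ts": r["ts"]}
    return list(alerts.values())


def detect(lines: List[str]) -> Dict:
    """Parse what can be parsed, count what cannot, and report bursts."""
    records = [rec for rec in map(parse_line, lines) if rec is not None]
    return {"parsed": len(records), "unparsed": len(lines) - len(records),
            "alerts": find_bursts(records)}


def build_sample_log() -> List[str]:
    """Constructed log: one client repeats a query 25 times in ~8 s, plus quiet traffic."""
    lines = [
        f"2002-12-18 20:21:{41 + i // 3:02d}.{i * 37:09d} 198.51.100.23 A www.example.net (not found)"
        for i in range(25)
    ]
    lines += [
        "2002-12-18 20:21:43.000000000 192.0.2.9 A www.example.net (not found)",
        "2002-12-18 20:21:44.500000000 192.0.2.10 MX example.net (found)",
        "this line is deliberately unparsable",
        "2002-12-18 20:24:31.367458500 198.51.100.23 A www.example.net (not found)",
    ]
    return lines


if __name__ == "__main__":
    result = detect(build_sample_log())
    print(f"parsed {result['parsed']} lines, skipped {result['unparsed']}")
    for a in result["alerts"]:
        print(f"burst: {a['client']} asked for {a['qname']} {a['count']}x "
              f"within {a['last_ts'] - a['first_ts']:.2f}s")
```

Keying the window on client and name together is what separates this pattern (one source hammering one name) from an ordinary flash crowd, where many clients each ask once; the lone query three minutes later falls outside the window and does not re-trigger the alert.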
Very interesting. The fact that the DDOS attack stopped so suddenly would imply that the goal was not to attack -- but to test.
Now, that could be an actual government, military operation [including our own], as part of a general preparedness effort for war: when you strike, you use a combination of surprise attacks to make your main attack more effective.
Or it could be terrorists, running a weapons test in the same way.
Or it could be some grad student, testing out a theory of his. It just doesn't sound like a normal cracker.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
Your punishment is very simple: You are to write a functioning recursive DNS server. This server has to resolve domains well enough to give an end-user a satisfactory web surfing experience.
After doing this, you will then post an essay to Slashdot concerning your opinion of the DNS spec and how well-designed it is.
You will, I assure you, have an experience akin to seeing the movie Highlander II. Your hopes for DNS being a decent protocol will become, rather quickly, a big disappointment. But don't take my word for it. Don't take Dan Bernstein's word for it. Do it yourself and become an exclusive member of the club of People Crazy Enough to Actually Write a Recursive DNS Server. After all, we all know that people who log in as anonymous cowards and flame free software developers are the best programmers that the world has; I am sure you can do this in a week. Once you do this, you too will know why a number of DNS server projects die around the point when the potential DNS implementor in question looks at how recursive resolution is actually done.
If you continue to flame free software developers after doing this, your punishment will be escalated to having to write a recursive DNS server which recursively resolves names according to RFC 1034, while not having any security problems.
If you persist in your flaming ways after doing that, your next punishment will be to write a C++ compiler which implements everything in the C++ spec, and release said compiler under the GPL.
And, if you continue to insist on flaming free software developers after that...well, you won't be, by this point. You'll be too busy getting flamed by anonymous cowards on Slashdot to do any flaming yourself.
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
Seems to me that most ISPs tend to firewall incoming; maybe they should firewall outgoing as well. Might take care of all those drones out there (yes/no). Our company firewalls in and out so we cannot ping/tracert anything on the outside.
So if a thief breaks into my home (that may not be secured properly due to my own negligence) steals a gun or a knife and kills somebody with the stolen weapon, then I should be responsible for the murder?
What is next? To hold people without trial in remote places without clear jurisdiction? Oh, wait... Mr Bush! Nice to talk to you.
IANAL but write like a drunk one.