Slashdot Mirror


More Info on the October 2002 DNS Attacks

MondoMor writes "One of the guys who invented DNS, Paul Mockapetris, has written an article at ZDnet about the October '02 DNS attacks. Quoting the article: "Unlike most DDoS attacks, which fade away gradually, the October strike on the root servers stopped abruptly after about an hour, probably to make it harder for law enforcement to trace." Interesting stuff."

18 of 232 comments

  1. This is just as should be expected... by pootypeople · · Score: 5, Interesting

    As email viruses expanded from an original concept, their authors began to adapt to the strategies used both to catch them and to deal with their creations. As a result, newer viruses have been more damaging. The October attacks showed a greater level of sophistication solely because the people behind these types of attacks are aware of what's going on and pay attention in order to make them more successful. The scary part is that the longer people like this are able to elude law enforcement, the larger their attacks will eventually become. Each one is, in essence, a trial run for the next larger attack. Watching attacks like the ones that have plagued dal.net for a long time, it's easy to see how these attacks could end up causing serious problems (beyond the minor inconvenience of not being able to get to your favorite sites) in the near future.

    1. Re:This is just as should be expected... by afay · · Score: 5, Interesting

      Actually, the article says that the root DNS attacks weren't very sophisticated at all. They used simple ping flooding and apparently stopped abruptly after 1 hour (to elude law enforcement). Fortunately, to actually have an effect on a significant portion of the internet population, the attacks would have to have continued for much longer due to caching.

      I'm really curious how "The October attacks showed a greater level of sophistication" than past attacks? As far as I can tell the attacker just had a bunch of cracked boxes with decent pipes to the internet and started a ping -f on all of them.

      --
      Best slashdot comment
  2. Dalnet DDOS Attacks by mickwd · · Score: 5, Interesting

    The Dalnet IRC network has been crippled for months due to continuing DDOS attacks. Now Dalnet is based on a small number of central IRC servers (20-30 I believe) so it isn't too far removed from the core DNS infrastructure (i.e. the root DNS servers).

    Why don't Dalnet and the FBI (or whoever) get together to solve a mutual problem?

    Dalnet could get some much-needed help, and the FBI could get some much-needed experience into investigating this sort of attack. They would also be dealing with someone (or some people) who could move on to attacking bigger things.

    Also if they caught the attackers, they would get some useful publicity, some justification for an increased spend on cyber-deterrence, and the deterrent effect of having the perpetrators suitably punished - as well as putting a genuine menace behind bars.

    1. Re:Dalnet DDOS Attacks by Martin+Blank · · Score: 4, Interesting

      From RFC 2870 (Root Name Server Operational Requirements), section 2.3:

      At any time, each server MUST be able to handle a load of
      requests for root data which is three times the measured peak of
      such requests on the most loaded server in then current normal
      conditions. This is usually expressed in requests per second.
      This is intended to ensure continued operation of root services
      should two thirds of the servers be taken out of operation,
      whether by intent, accident, or malice.


      With 13 current servers, this means that 8-9 servers can be taken out at one time and have negligible impact on the world's DNS queries, assuming that the outage is at a peak time and the servers are being hit very hard. Practically speaking, the existing root servers are probably built even more toughly, so the remaining 4-5 servers can probably handle shorter outages (such as that mentioned in the article) without significant effort, and even if brought down to 2-3 could probably handle things with some difficulty.

      According to root-servers.org, the existing servers are fairly concentrated, with only those in Stockholm, London, and Tokyo not in the United States. Perhaps three more, with one maybe in South Korea, one in Australia, and one in North Africa or the Middle East (Cairo would be ideal to cover both) would be a viable option? I realize that the last is probably going to be questionable for some, given the censorship agendas often in place in the area, but it would help to make further attacks a little more difficult, as well as adding a little prestige and maybe tech investment to the area. Just an idea.

      As for Dalnet, why isn't the FBI involved? (I'm not aware of current happenings on the network, as I don't use it.)

      --
      You can never go home again... but I guess you can shop there.
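The RFC 2870 arithmetic above, worked through as an added example (this is not code from the thread or from the RFC): each server is provisioned at three times the busiest server's measured peak, and the question is how many servers can be lost before the survivors no longer cover total peak demand. The per-server peak figures are constructed, and even redistribution of load across the surviving servers is an assumption.

```python
"""Added example (not from the thread): RFC 2870 section 2.3 capacity arithmetic.

Each root server must handle 3x the measured peak of the most loaded server.
Given per-server peak query rates, compute the required per-server capacity,
total peak demand, and how many servers can be lost before the survivors can
no longer absorb the total demand. Assumes load redistributes evenly to the
survivors (resolvers retry another server from their root hints).
"""

RFC2870_FACTOR = 3  # "three times the measured peak of the most loaded server"

# Constructed per-server peak loads in queries/second (illustrative, not measured).
UNEVEN_PEAKS_QPS = {
    "A": 9000, "B": 8000, "C": 7000, "D": 6500, "E": 6000, "F": 12000, "G": 5000,
    "H": 7500, "I": 5500, "J": 8500, "K": 6000, "L": 7000, "M": 6000,
}
# Same 13 servers with identical peaks: the case the RFC's "two thirds" wording assumes.
UNIFORM_PEAKS_QPS = {name: 7000 for name in UNEVEN_PEAKS_QPS}


def required_capacity_per_server(peaks, factor=RFC2870_FACTOR):
    """Capacity every server must provide under the RFC 2870 rule."""
    return factor * max(peaks.values())


def total_peak_demand(peaks):
    """Worst case: every server at its own measured peak at the same time."""
    return sum(peaks.values())


def servers_needed(peaks, factor=RFC2870_FACTOR):
    """Smallest number of surviving servers whose combined capacity covers total peak demand."""
    capacity = required_capacity_per_server(peaks, factor)
    demand = total_peak_demand(peaks)
    return -(-demand // capacity)  # ceiling division


def survivable_failures(peaks, factor=RFC2870_FACTOR):
    """How many servers can be knocked out while demand is still fully served."""
    return len(peaks) - servers_needed(peaks, factor)


def still_serving(peaks, down, factor=RFC2870_FACTOR):
    """True if the servers not in `down` can absorb total peak demand."""
    survivors = [name for name in peaks if name not in down]
    return len(survivors) * required_capacity_per_server(peaks, factor) >= total_peak_demand(peaks)


if __name__ == "__main__":
    for label, peaks in (("uniform", UNIFORM_PEAKS_QPS), ("uneven", UNEVEN_PEAKS_QPS)):
        print(label, "needs", servers_needed(peaks), "servers; can lose", survivable_failures(peaks))
    print("A-H down, uniform loads:", still_serving(UNIFORM_PEAKS_QPS, set("ABCDEFGH")))
    print("A-I down, uniform loads:", still_serving(UNIFORM_PEAKS_QPS, set("ABCDEFGHI")))
```

With equal loads the rule works out to five survivors needed out of thirteen, so eight can be lost; with uneven loads the busiest server sets the bar for everyone, so the margin is larger. The check ignores the time it takes resolvers to give up on a dead server and retry, which is real cost during an outage even when capacity is sufficient.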
    2. Re:Dalnet DDOS Attacks by len_harms · · Score: 2, Interesting

      Oh, it's possible. But you will see more laziness on it than you could even imagine. Most even have enough wiggle room in their contracts to enforce it. A decent router can log crap. It can look at the IP header. In fact it MUST look at it to route it.

      It is beyond me why the ISPs would even want one crap packet coming out of their network. It's costing them money. Their upstream connection costs money...

      For some interesting numbers go take a look at MyNetWatchman. These dudes even TELL the ISPs that there is something wrong. But most just get ignored.

      Truth is most people couldn't care less that their computer is doing something wrong. They just want a bit of email and to surf a bit. Hell, most just want it to stay up long enough, and be a bit faster, considering the 300 programs they are running out of the box.

      The only way I have ever been able to explain to a person what it's about is the apartment analogy. A thief goes into an apartment building and rattles every doorknob. He finds one that opens. He then uses that apartment as a base to sneak around and rattle other doorknobs. Most people get very upset when I tell them someone is basically trying to break into their house. The next words out of their mouths are usually 'who can I report this to?' All I can tell them is no one.

  3. Re:What outage? by Sendy · · Score: 2, Interesting

    I assume most people don't look up or down if a website isn't reachable for only an hour. Or even a day. Such short DNS outages are therefore probably not noticed.

    Long outages would change the whole thing. Imagine that we couldn't read slashdot for a whole week!

    --
    GNU guru and mainframe hacker
  4. How to Protect the DNS by Jamyang · · Score: 3, Interesting
    How to Protect the DNS posted to icannwatch in October includes Karl Auerbach's DNS-in-box emergency toolkit:
    I've had this idea: A CDROM that contains all the pieces that one needs to build an emergency DNS service for one's home, company, school, or whatever..

    Apparently icannwatch's new year resolution was to migrate from nuke to slash.

  5. Re:Solution? by Anonymous Coward · · Score: 1, Interesting

    Obviously, you have no idea what you're talking about. When people speak of a DDoS, it's not ping -f. Even so, getting rid of the command wouldn't help; we could always rewrite the tcp/ip protocols. I don't know much about DDoS, but it's not ping -f.

  6. TLD Question by Farley+Mullet · · Score: 5, Interesting

    I'm not an expert, but as I understand it, DNS attacks are relatively benign, since DNS info is cached all over the place and doesn't change much anyway (this is essentially what the article says). Now, the author seems much more worried about attacks against Top Level Domains, because of reasons related to the nature of the information that TLD servers have, and he suggests a few techniques that they could use. What he doesn't say is what techniques the TLDs are using currently, and how secure they are.

    Does anyone out there on /. know?

  7. Re:Solution? by AndroidCat · · Score: 3, Interesting

    If you want an explanation of DDoS, here isn't bad.

    --
    One line blog. I hear that they're called Twitters now.
  8. Re:In other news.... by Anonymous Coward · · Score: 1, Interesting

    The analogy might be more like a cereal killer who mysteriously stops after a few crimes. It would absolutely bugger up the investigation, which completely relies on further killings. Where would we be today if the Washington sniper had binned the gun, gone on holiday, and never been seen again? Would anyone have had a chance of catching him?

  9. Re:Responsibility of the ISP by Dark+Lord+Seth · · Score: 3, Interesting

    Get in touch with MS for the rate limit on amounts of pings that can be sent. Get them to code into their OS some sort of rate limit for icmp-echo-reply packets, like you described. Also, make ISPs far, FAR more aggressive when dealing with this. Is a computer sending out code red/nimda attacks? Disconnect it, write a letter to the owner and disconnect them permanently after a few times. Same thing for ping flooding. If it happens often (testing network strain over the internet shouldn't happen often), engage the same procedure as with code red/nimda infected computers.
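An added example of the host-side control the comment asks for (not code from the thread, and not how any particular OS implements it): a token bucket applied to outbound ICMP echo requests. Tokens refill at a fixed rate up to a burst size and each request spends one, so an interactive ping at one packet per second never hits the limit while flood-style traffic is throttled to the refill rate once the burst is spent. The rate, burst and timestamps are constructed; exact fractions are used so the example's counts do not depend on floating-point rounding at token boundaries (a kernel would use integer ticks).

```python
"""Added example (not from the thread): rate-limiting outbound ICMP echo
requests with a token bucket.

Tokens accrue at `rate` per second up to `burst`; each echo request spends
one. Normal ping traffic is unaffected; a flood is capped at `burst` packets
up front and `rate` packets per second thereafter.
"""
from fractions import Fraction


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = Fraction(rate)       # tokens added per second
        self.capacity = Fraction(burst)  # maximum stored tokens
        self.tokens = Fraction(burst)    # start full so a short burst is allowed
        self.last = Fraction(0)          # time of the previous decision

    def allow(self, now):
        """Return True if a packet sent at time `now` (seconds) may go out."""
        now = Fraction(now)
        elapsed = max(Fraction(0), now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def apply_icmp_limit(send_times, rate=10, burst=10):
    """Run a stream of outbound echo-request timestamps through the limiter.

    Returns (sent, dropped) counts.
    """
    bucket = TokenBucket(rate, burst)
    sent = dropped = 0
    for t in send_times:
        if bucket.allow(t):
            sent += 1
        else:
            dropped += 1
    return sent, dropped


# Constructed traffic, not captured: a normal ping session and a flood.
NORMAL_PING = [Fraction(i) for i in range(30)]             # one request per second for 30 s
FLOOD_PING = [Fraction(i, 1000) for i in range(1000)]       # 1000 requests within one second

if __name__ == "__main__":
    print("normal ping (sent, dropped):", apply_icmp_limit(NORMAL_PING))
    print("flood       (sent, dropped):", apply_icmp_limit(FLOOD_PING))
```

With a rate of 10 per second and a burst of 10, the flood gets its ten-packet burst plus roughly ten more over the second, and everything else is dropped at the sender. A limiter like this does not stop a flood from many hosts, but it caps what each compromised desktop can contribute.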

  10. For those who can't be bothered to RTFA... by nniillss · · Score: 4, Interesting

    DNS caching kept most people from noticing this assault. In very rough terms, if the root servers are disrupted, only about 1 percent of the Internet should notice for every two hours the attack continues--so it would take about a week for an attack to have a full effect. In this cat-and-mouse game between the attackers and network operators, defenders count on having time to respond to an assault.
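The caching argument quoted above, as an added simulation (not code from the thread or the article): a resolver only needs the root when its cached delegation for a TLD has expired, so during a root outage the share of resolvers that start failing grows as those cached records time out. The two-day delegation TTL, the uniform spread of cache ages and the absence of any stale-answer fallback are assumptions of this example, and the numbers it produces are constructed, not measurements.

```python
"""Added example (not from the thread or the article): why caching delays the
effect of a root-server outage.

A resolver only asks the root when its cached delegation for a TLD (the NS
records the root hands out) has expired. Model resolvers whose cached
delegation has a remaining lifetime spread uniformly over the TTL; during an
outage a resolver starts failing new lookups under that TLD once its copy
expires. Assumptions: two-day (172800 s) delegation TTL, uniformly spread
cache ages, no serving of stale answers.
"""
import random

DELEGATION_TTL_S = 172_800  # assumed TTL of the TLD NS records served by the root


def build_resolver_cache_lifetimes(count, ttl=DELEGATION_TTL_S, seed=7):
    """Remaining seconds of cached delegation at outage start, one per resolver (constructed)."""
    rng = random.Random(seed)
    return [rng.uniform(0, ttl) for _ in range(count)]


def fraction_failing(lifetimes, outage_seconds):
    """Share of resolvers whose cached delegation expired within the outage."""
    return sum(1 for left in lifetimes if left <= outage_seconds) / len(lifetimes)


def expected_fraction_failing(outage_seconds, ttl=DELEGATION_TTL_S):
    """Closed form for uniformly spread cache ages: a linear ramp until the TTL."""
    return min(1.0, outage_seconds / ttl)


def hours_to_full_effect(ttl=DELEGATION_TTL_S):
    """Outage length after which every resolver's cached delegation has expired."""
    return ttl / 3600


if __name__ == "__main__":
    caches = build_resolver_cache_lifetimes(20_000)
    for hours in (1, 12, 24, 48):
        secs = hours * 3600
        print(f"{hours:>2} h outage: simulated {fraction_failing(caches, secs):.3f}, "
              f"expected {expected_fraction_failing(secs):.3f}")
```

Under these assumptions a one-hour outage affects about two percent of resolvers and it takes the full TTL, two days, before everyone is cut off. The article's figure is slower still; either way the defenders' margin is the TTL, and an attacker who wants real effect has to sustain the flood for days, not an hour.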

  11. Need more secure desktops by fermion · · Score: 3, Interesting
    October attack was a DDoS "ping" attack. The attackers broke into machines on the Internet (popularly called "zombies") and programmed them to send streams of forged packets at the 13 DNS root servers via intermediary legitimate machines.
    It seems to me that this is another call for more secure computers. If the "zombies" were not so easy to create, then such attacks would not be so easy to mount. I think security has gotten better, but there is still great room for improvements. I have some random thoughts that might help.

    First, broadband providers should not sell bandwidth without standard firewall. I do not see such a proposition to be expensive, as a standalone unit is quite cheap, and the cost to integrate such circuitry into a DSL or cable box should be even less expensive. Broadband providers should stop their resistance to home networking and use bandwidth caps or other mechanism, if necessary.

    Second, the default settings in web browsers must be more strict. Web browsers should not automatically accept third party cookies or images. Web browsers should not automatically pop up new windows or redirect to third party sites. Advertising should not be an issue. I know of no legitimate web site that requires third party domains. For instance /. uses "images.slashdot.org" and the New York Times uses "graphics7.nytimes.com". Of course, these default settings should be adjustable, with the appropriate message stating that web sites that use such techniques are likely to be illegitimate. I know of a few sites that require all images and cookies to be accepted, but I consider those to be fraudulent.

    Third, email programs should by default render email as plain text. There should be a button to allow the mail to render HTML and images. There should be a method to remember domains that will always render or never render. Again, third party domains should not render automatically. In addition, companies need to not promote HTML and image based email. Apple is particularly guilty of this. The emails they send tend to be illegible without images.

    Fourth, the root must be the responsibility of the user or a third agent must have full liability for a hack. This should be basic common sense, but it apparently is not. MS wants access to the root of all Windows machines, but I do not see MS saying they will accept all responsibility for damage. Likewise, the RIAA wants access to everyone's root, but again, are they going to pay for the time it takes to reinstall an OS? I think not. With privilege comes responsibility. Without responsibility all you have are children playing with matches.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  12. DNS - outdated technology by Anonymous Coward · · Score: 1, Interesting

    The problem with DNS is that while the rest of the Internet is fairly decentralised, and no organization has complete control over it (which is both technologically and politically sound), DNS is very centralised.
    But now we have algorithms to deal with this! Distributed Hash Tables like Kademlia are completely decentralised (everyone who wanted, e.g. all (even small) ISPs, could participate in the system), secure, and do exactly what DNS does: map one value (e.g. a domain name) to another (e.g. an IP).

  13. Question: by I+Am+The+Owl · · Score: 4, Interesting
    the October strike on the root servers stopped abruptly after about an hour, probably to make it harder for law enforcement to trace.

    Whose laws are being enforced, and upon whom?

    --

    --sdem
  14. Re:Damn terrorists... by CAIMLAS · · Score: 4, Interesting

    Being as terrorists have some sort of political agenda, and these k1ddi3s that attacked the root servers did NOT, makes them non-terrorists. Terrorism requires a political agenda.

    A better description would be anarchists. Anarchy is lawlessness and disorder as a result of governmental failure (in this case, to set up a system where the root servers are safe, but not particularly so).

    But then, we can't say that, can we? Anarchy is popular here on slashdot.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  15. Re:End users don't need root or TLD servers by Electrum · · Score: 3, Interesting

    Given that, consider the possibility of the ISP or corporate data center intercepting any queries done (as if the end user were running a recursive DNS server instead of a basic resolver) and handle them through a local cache (within the ISP or corporate data center). It won't break normal use.

    Wrong. I run my own local DNS resolver, dnscache. I don't trust my ISP to manage a DNS resolver properly. What if they are running a version of BIND vulnerable to poisoning or other issues? What if I am testing DNS resolution and need to flush the cache? (I do this routinely.) They also don't need to see every DNS query I make. If they want to sniff and parse packets, fine, but no need to make it any easier on them.

    It won't break even if someone is running their own DNS (although they will get a cached response instead of an authoritative one).

    That would be possible only if they were in fact intercepting every single DNS packet and rewriting it. It would make it impossible for me to perform diagnostic queries to DNS servers. And unless they were doing some very complex packet rewriting, it would break if an authoritative server was providing different information depending on the IP address that sent the query.

    If you can't even get ISPs to perform egress filtering, why would they do something as stupid and broken as this? Egress filtering would do much more to stop these types of attacks.

    Besides, how does this stop me if I am the ISP? There are plenty of vulnerable machines that are on much better connections than dialup or broadband.
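The egress filtering the comment above recommends, as an added example (not code from the thread, and not any vendor's implementation): a provider edge that knows which prefixes it assigned to each customer interface and forwards a packet only if its source address lies in the prefixes of the interface it arrived on, in the spirit of RFC 2827 / BCP 38. A compromised host behind such a filter can still flood, but it cannot forge its source, so the traffic stays traceable to the customer and cannot impersonate a victim. The interface table, prefixes and packets are constructed from the RFC 5737 documentation ranges.

```python
"""Added example (not from the thread): strict source-address filtering at a
provider edge, in the spirit of RFC 2827 / BCP 38.

Each customer interface carries the prefixes the provider assigned to it. A
packet is forwarded only if its source address belongs to the prefixes of
the interface it arrived on. Everything here is constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed: customer-facing interfaces and the prefixes assigned to each
# (documentation ranges from RFC 5737, not real allocations).
INTERFACE_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/26"),
               ipaddress.ip_network("198.51.100.128/25")],
}


def source_allowed(ingress_if, src, table=INTERFACE_PREFIXES):
    """Strict check: the source must lie in a prefix assigned to the ingress interface."""
    prefixes = table.get(ingress_if)
    if not prefixes:
        return False  # unknown interface: fail closed
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: drop
    return any(addr in net for net in prefixes)


def egress_filter(packets, table=INTERFACE_PREFIXES):
    """Split packets into forwarded and dropped, counting drops per interface.

    Each packet is a dict with 'iface', 'src' and 'dst'.
    Returns (forwarded, dropped, drops_by_interface).
    """
    forwarded, dropped = [], []
    drops = Counter()
    for pkt in packets:
        if source_allowed(pkt["iface"], pkt["src"], table):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            drops[pkt["iface"]] += 1
    return forwarded, dropped, drops


# Constructed traffic sample; 203.0.113.0/24 stands in for a target outside
# this provider.
SAMPLE_PACKETS = [
    {"iface": "cust-a", "src": "192.0.2.10", "dst": "203.0.113.5"},      # genuine
    {"iface": "cust-a", "src": "10.9.8.7", "dst": "203.0.113.5"},        # spoofed private source
    {"iface": "cust-a", "src": "198.51.100.130", "dst": "203.0.113.5"},  # cust-b's address seen on cust-a
    {"iface": "cust-b", "src": "198.51.100.130", "dst": "203.0.113.5"},  # genuine
    {"iface": "cust-b", "src": "198.51.100.70", "dst": "203.0.113.5"},   # gap between cust-b's two prefixes
    {"iface": "cust-b", "src": "203.0.113.5", "dst": "203.0.113.9"},     # spoofing the victim (reflection)
    {"iface": "cust-c", "src": "192.0.2.11", "dst": "203.0.113.5"},      # interface not in the table
]

if __name__ == "__main__":
    fwd, drop, per_if = egress_filter(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}, drops by interface {dict(per_if)}")
    for pkt in drop:
        print("  dropped", pkt["iface"], pkt["src"], "->", pkt["dst"])
```

The per-interface drop counter is the operationally useful part: a customer port that suddenly starts producing drops is a customer with a compromised host, which is exactly the signal the comment says ISPs already have in hand and ignore. The filter does nothing against floods with genuine source addresses, which is why it complements capacity planning and rate limiting rather than replacing them.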