More Info on the October 2002 DNS Attacks

← Back to Stories (view on slashdot.org)

More Info on the October 2002 DNS Attacks

Posted by ryuzaki0 on Saturday January 11, 2003 @08:32AM from the lag-time dept.

MondoMor writes "One of the guys who invented DNS, Paul Mockapetris, has written an article at ZDnet about the October '02 DNS attacks. Quoting the article: "Unlike most DDoS attacks, which fade away gradually, the October strike on the root servers stopped abruptly after about an hour, probably to make it harder for law enforcement to trace." Interesting stuff."

8 of 232 comments (clear)

Min score:

Reason:

Sort:

This is just as should be expected... by pootypeople · 2003-01-11 08:38 · Score: 5, Interesting

As email viruses expanded from an original concept, their authors began to adapt to the strategies used both to catch them and to deal with their creations. As a result, newer viruses have been more damaging. The October attacks showed a greater level of sophistication solely because the people behind these types of attacks are aware of what's going on and pay attention in order to make them more successful. The scary part is that the longer people like this are able to elude law enforcement, the larger their attacks will eventually become. Each one is, in essence, a trial run for the next larger attack. Watching attacks like the ones that have plagued dal.net for a long time, it's easy to see how these attacks could end up causing serious problems (beyond the minor inconvenience of not being able to get to your favorite sites) in the near future.
1. Re:This is just as should be expected... by afay · 2003-01-11 08:53 · Score: 5, Interesting
  
  Actually, the article says that the root DNS attacks weren't very sophisticated at all. They used simple ping flooding and apparently stopped abruptly after 1 hour (to allude law enforcement). Fortunately, to actually have an effect on a significant portion of the internet population, the attacks would have to have continued for much longer due to caching.
  
  I'm really curious how "The October attacks showed a greater level of sophistication" than past attacks? As far as I can tell the attacker just had a bunch of cracked boxes with decent pipes to the internet and started a ping -f on all of them.
  
  --
  Best slashdot comment
Dalnet DDOS Attacks by mickwd · 2003-01-11 08:46 · Score: 5, Interesting

The Dalnet IRC network has been crippled for months due to continuing DDOS attacks. Now Dalnet is based on a small number of central IRC servers (20-30 I believe) so it isn't too far removed from the core DNS infrastructure (i.e. the root DNS servers).

Why don't Dalnet and the FBI (or whoever) get together to solve a mutual problem ?

Dalnet could get some much-needed help, and the FBI could get some much-needed experience into investigating this sort of attack. They would also be dealing with someone (or some people) who could move on to attacking bigger things.

Also if they caught the attackers, they would get some useful publicity, some justification for an increased spend on cyber-deterrence, and the deterrent effect of having the perpetrators suitably punished - as well as putting a genuine menace behind bars.
1. Re:Dalnet DDOS Attacks by Martin+Blank · 2003-01-11 09:20 · Score: 4, Interesting
  
  From RFC 2870 (Root Name Server Operational Requirements), section 2.3:
  
  At any time, each server MUST be able to handle a load of
  requests for root data which is three times the measured peak of
  such requests on the most loaded server in then current normal
  conditions. This is usually expressed in requests per second.
  This is intended to ensure continued operation of root services
  should two thirds of the servers be taken out of operation,
  whether by intent, accident, or malice.
  
  With 13 current servers, this means that 8-9 servers can be taken out at one time and have negligible impact on the world's DNS queries, assuming that the outage is at a peak time and the servers are being hit very hard. Practically speaking, the existing root servers are probably built even more toughly, so the remaining 4-5 servers can probably handle shorter outages (such as that mentioned in the article) without significant effort, and even if brought down to 2-3 could probably handle things with some difficulty.
  
  According to root-servers.org, the existing servers are fairly concentrated, with only those in Stockholm, London, and Tokyo not in the United States. Perhaps three more, with one maybe in South Korea, one in Australia, and one in North Africa or the Middle East (Cairo would be ideal to cover both) would be a viable option? I realize that the last is probably going to be questionable for some, given the censorship agendas often in place in the area, but it would help to make further attacks a little more difficult, as well as adding a little prestige and maybe tech investment to the area. Just an idea.
  
  As for Dalnet, why isn't the FBI involved? (I'm not aware of current happenings on the network, as I don't use it.)
  
  --
  You can never go home again... but I guess you can shop there.
TLD Question by Farley+Mullet · 2003-01-11 09:02 · Score: 5, Interesting

I'm not an expert, but as I understand it, DNS attacks are relatively benign, since DNS info is cached all over the place and doesn't change much anyway (this is essentially what the article says). Now, the author seems much more worried about attackts against Top Level Domains, because of reasons related to the nature of the information that TLD servers have, and he suggests a few techniques that they could use. What he doesn't say is what techniques the TLD's are using currently, and how secure they are.

Does anyone out there on /. know?
For those who can't be bothered to RTFA... by nniillss · 2003-01-11 09:33 · Score: 4, Interesting

DNS caching kept most people from noticing this assault. In very rough terms, if the root servers are disrupted, only about 1 percent of the Internet should notice for every two hours the attack continues--so it would take about a week for an attack to have a full effect. In this cat-and-mouse game between the attackers and network operators, defenders count on having time to respond to an assault.
Question: by I+Am+The+Owl · 2003-01-11 10:16 · Score: 4, Interesting

the October strike on the root servers stopped abruptly after about an hour, probably to make it harder for law enforcement to trace.
Whose laws are being enforced, and upon whom?

--

--sdem
Re:Damn terrorists... by CAIMLAS · 2003-01-11 12:34 · Score: 4, Interesting

Being as terrorists have some sort of political agenda, and these k1ddi3s that attacked the root servers did NOT, makes them non-terrorists. Terrorism requires a political agenda.

A better description would be anarchists. Anarchy is lawlessness and disorder as a result of governmental failure (in this case, to set up a system where the root servers are safe, but not particularly so).

But then,we can't say that, can we? Anarchy is popular here on slashdot.

--
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers