Slashdot Mirror


More Info on the October 2002 DNS Attacks

MondoMor writes "One of the guys who invented DNS, Paul Mockapetris, has written an article at ZDnet about the October '02 DNS attacks. Quoting the article: "Unlike most DDoS attacks, which fade away gradually, the October strike on the root servers stopped abruptly after about an hour, probably to make it harder for law enforcement to trace." Interesting stuff."

24 of 232 comments

  1. Damn terrorists... by Quaoar · · Score: 4, Funny

    First they kill 3000 people...then they deny us the Internet for a COUPLE HOURS! This time...it's PERSONAL!

    --
    I'll form my OWN solar system! With blackjack! And hookers!
    1. Re:Damn terrorists... by CAIMLAS · · Score: 4, Interesting

      Being as terrorists have some sort of political agenda, and these k1ddi3s that attacked the root servers did NOT, makes them non-terrorists. Terrorism requires a political agenda.

      A better description would be anarchists. Anarchy is lawlessness and disorder as a result of governmental failure (in this case, to set up a system where the root servers are safe, but not particularly so).

      But then, we can't say that, can we? Anarchy is popular here on slashdot.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  2. Solution? by Brain$torm · · Score: 4, Funny

    The solution would be just to get rid of the ping command ;)

    1. Re:Solution? by Mattsson · · Score: 5, Insightful

      What one *should* do is to configure backbone routers to not allow more than a certain amount of ping per second...
      No one has a legitimate need for streaming several hundreds or thousands of pings per second...
      Or at least put a lid on it when someone starts sending lots of pings for more than a couple of seconds...

      --
      /.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
    2. Re:Solution? by pla · · Score: 5, Insightful

      Or at least put a lid on it when someone starts sending lots of pings for more than a couple of seconds...

      Doing so would require remembering who pinged, and when, for the last few seconds. Under normal conditions, that sounds trivial, but pings don't cause any problems under "normal" conditions. In a DDoS, you might have a million machines all pinging. How do you propose to store, look up, and update the last ping time for 100 million pings per second? A quick off-the-cuff calculation shows that *just the storage* for 10 seconds of such recording would take around 8Gb (32b IP and 32b timestamp). That doesn't include the CPU time to find matches (not that bad, since you can use the IP as an array index, but you can almost guarantee a continually invalid CPU cache) or update the list. And, that assumes you *always* dedicate that 8Gb to each server running on the machine, since otherwise the search you propose requires adding new pings to a dynamic list, making the lookup time become very very non-trivial.

      More importantly, even if you *do* manage such a feat (or even get rid of ping altogether), attackers can still use other services (like, for example, DNS lookups, which I'd like to see a DNS server try to stop supporting).

      Actually, it surprises me that no DDoS clients use SSH yet... Although not every machine (i.e., Windows) runs an attackable server, a well-planned attack could suck up significant bandwidth, memory, *and* CPU power, all in one tidy packet.

    3. Re:Solution? by pla · · Score: 5, Informative

      Also, I wonder if switching the default permissions on ping so that only root (or some other privileged user -- I don't know how/if Windows implements this these days) wouldn't be a good idea.

      Windows has only the most vague concept of a "root" user, and rooting a Windows box takes about 40 lines of code (basically, the problem comes from the GUI - any program running with administrator privilege, such as a virus scanner, can spawn additional processes also running as the administrator. Making them do so requires nothing more than getting a handle to a text edit control, pasting in the desired malicious code, and using the address of the edit's buffer as a start-of-execution point. All of which *any* user can do.)

    4. Re:Solution? by pla · · Score: 5, Informative

      Start the antivirus UI process as part of an isolated job with limited UI privs. It'll be in a separate windowing namespace, and the shatter attack will no longer work.

      Tell me, do you run *all* your programs in a private UI context? The antivirus program just makes the "classic" example. How about your usually-hidden-but-always-instantiated NVidia setup panel? Any services you run that have a control panel for configuring them (Tardis, for example)? A local web server? One of those annoying (but often necessary for proper functioning of the related device) printer or scanner control panels?

      Aside from not trusting the so-called "privacy" of running something on a private desktop, you don't even need to bother breaking that layer of security. Just look for something else running as administrator... or backup... or power user... or replicator... or even "guest", which by default has an obscenely high level of privilege (relative to a Unix box, which doesn't even usually *have* an account as conceptually insecure as Windows' guest account). If you've managed to configure a Windows box to have *everything* run as a specific, separate user, in its own UI context, I tip my hat to you. I also do not envy the hell of making even trivial config changes to such systems, nor do I envy the frustration your users must feel at trying to use such a system productively. Put simply, Windows lacks the *design level* security to make it generally usable yet reasonably safe against its own users.

      Finally, even if you change the default permissions on "ping" as the parent suggested, under Windows that doesn't do a damned thing to stop a trojan that *includes* its own ping program from working just fine. Remember that, in dealing with a DDoS problem, it doesn't matter if a security expert *can* lock down a given box - It only matters that 99% of the people out there won't bother to fix (or even *know about*) a given exploit allowing raw network access.

  3. This is just as should be expected... by pootypeople · · Score: 5, Interesting

    As email viruses expanded from an original concept, their authors began to adapt to the strategies used both to catch them and to deal with their creations. As a result, newer viruses have been more damaging. The October attacks showed a greater level of sophistication solely because the people behind these types of attacks are aware of what's going on and pay attention in order to make them more successful. The scary part is that the longer people like this are able to elude law enforcement, the larger their attacks will eventually become. Each one is, in essence, a trial run for the next larger attack. Watching attacks like the ones that have plagued dal.net for a long time, it's easy to see how these attacks could end up causing serious problems (beyond the minor inconvenience of not being able to get to your favorite sites) in the near future.

    1. Re:This is just as should be expected... by afay · · Score: 5, Interesting

      Actually, the article says that the root DNS attacks weren't very sophisticated at all. They used simple ping flooding and apparently stopped abruptly after 1 hour (to elude law enforcement). Fortunately, to actually have an effect on a significant portion of the internet population, the attacks would have to have continued for much longer due to caching.

      I'm really curious how "The October attacks showed a greater level of sophistication" than past attacks? As far as I can tell the attacker just had a bunch of cracked boxes with decent pipes to the internet and started a ping -f on all of them.

      --
      Best slashdot comment
  4. In other news.... by Malicious · · Score: 5, Funny

    Meanwhile, thieves broke into a local jewelry store, then left.

    Unfortunately, the thieves didn't wait for law enforcement officials to show up, making it much harder to identify them.

    --
    01101001001000000110000101101101001000000110001001 10000101110100011011010110000101101110
    1. Re:In other news.... by Jugalator · · Score: 5, Funny

      The analogy might be more like a cereal killer who mysteriously stops after a few crimes

      How is it a crime to kill cereal?

      Yeah, I guess it's a bit aggressive, but hardly a crime. They come up with all sorts of weight watching schemes these days and I suppose cereal killing is just one in the crowd. And just like many other such schemes, this proves that method doesn't work very well, since he suddenly stopped.

      --
      Beware: In C++, your friends can see your privates!
  5. Dalnet DDOS Attacks by mickwd · · Score: 5, Interesting

    The Dalnet IRC network has been crippled for months due to continuing DDOS attacks. Now Dalnet is based on a small number of central IRC servers (20-30 I believe) so it isn't too far removed from the core DNS infrastructure (i.e. the root DNS servers).

    Why don't Dalnet and the FBI (or whoever) get together to solve a mutual problem ?

    Dalnet could get some much-needed help, and the FBI could get some much-needed experience into investigating this sort of attack. They would also be dealing with someone (or some people) who could move on to attacking bigger things.

    Also if they caught the attackers, they would get some useful publicity, some justification for an increased spend on cyber-deterrence, and the deterrent effect of having the perpetrators suitably punished - as well as putting a genuine menace behind bars.

    1. Re:Dalnet DDOS Attacks by Anonymous Coward · · Score: 5, Insightful

      It's virtually impossible to trace it back to the originator. First off, they are using slave machines, machines belonging to common people not aware their WinBlows system got infected with a trojan, just because they haven't paid attention to the latest security hole.

      M$ is just as much a part of the problem as well. With more and more cable, DSL and other "always on" connectivity available, more and more of these machines are vulnerable.

      Scanners out there can easily identify and infect 1000 home users' machines, and these attacks come from them. The actual perpetrator is long gone. All they do is momentarily log in and "fire it off", then they immediately log out, and they are gone.

      Tracing IPs back to the attacker is just going to identify the innocent machines or owners who are totally unaware of their activity until they either power down their machines or somehow discover it.

    2. Re:Dalnet DDOS Attacks by Martin+Blank · · Score: 4, Interesting

      From RFC 2870 (Root Name Server Operational Requirements), section 2.3:

      At any time, each server MUST be able to handle a load of requests for root data which is three times the measured peak of such requests on the most loaded server in then current normal conditions. This is usually expressed in requests per second. This is intended to ensure continued operation of root services should two thirds of the servers be taken out of operation, whether by intent, accident, or malice.

      With 13 current servers, this means that 8-9 servers can be taken out at one time and have negligible impact on the world's DNS queries, assuming that the outage is at a peak time and the servers are being hit very hard. Practically speaking, the existing root servers are probably built even more toughly, so the remaining 4-5 servers can probably handle shorter outages (such as that mentioned in the article) without significant effort, and even if brought down to 2-3 could probably handle things with some difficulty.

      According to root-servers.org, the existing servers are fairly concentrated, with only those in Stockholm, London, and Tokyo not in the United States. Perhaps three more, with one maybe in South Korea, one in Australia, and one in North Africa or the Middle East (Cairo would be ideal to cover both) would be a viable option? I realize that the last is probably going to be questionable for some, given the censorship agendas often in place in the area, but it would help to make further attacks a little more difficult, as well as adding a little prestige and maybe tech investment to the area. Just an idea.

      As for Dalnet, why isn't the FBI involved? (I'm not aware of current happenings on the network, as I don't use it.)

      --
      You can never go home again... but I guess you can shop there.
    3. Re:Dalnet DDOS Attacks by nautical9 · · Score: 4, Informative

      Although tracing back to the actual attackers can be very difficult, it can still be done with enough investigation and willpower. For an amusing tale of how a popular (although not always loved) Windows security guy did just that, go here.

      He basically got his hands on one of the "zombie" trojans the DDoS'ers use, reverse engineered it to find out how it works (and which IRC servers it talks to to receive its commands), wrote his own to connect to said server and waited until the attackers personally logged in. It really is a good read.

  6. Responsibility of the ISP by deepchasm · · Score: 5, Insightful

    The typical defense is to program routers to throw away excessive ping packets, which is called rate limiting. While this protects the server, the attack streams can still create traffic jams up to the point where they are discarded.

    Well then, isn't it logical to try and rate limit/filter as close to the source as possible then? Of course this shifts responsibility...

    If all ISPs were proactive in dealing with customers' machines being used as zombies to launch attacks, then internet users as a whole would have less problems trying to deal with being the target of an attack.

    A few logical steps:

    • Filter out spoofed packets - the ISP has allocated the IPs to broadband users for goodness sake, it's much easier to filter packets when you know who's sent them than on the internet at large!
    • Rate limit - no, not everything, don't go annoying the hell out of legitimate users. Something that will cut in when 100 PING packets per second go to a single host would be quite sufficient.
    • Monitor for signs of trojan infection and REACT! I couldn't believe the amount of traffic I got in my web logs when Code Red was going around. How hard is it for the ISP to e-mail or ring up their customer and tell them that they're infected?

    Some ISPs may do this, I don't know, but from the articles I read about DDoS attacks it appears that most don't.
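As an added illustration of the rate-limit bullet above (and of pla's objection in thread 2 that per-host state has to stay bounded), here is a per-destination token bucket that cuts in at 100 echo requests per second while using a fixed number of bucket slots. This is not code from any poster; the traces, the documentation-range addresses and the slot count are constructed for the example.

```python
import zlib

class PingRateLimiter:
    """Per-destination token bucket for ICMP echo requests, fixed memory footprint.

    The bucket table has a fixed number of slots indexed by a hash of the
    destination address, so state never grows with the number of hosts seen.
    Two destinations that hash to the same slot share a bucket, which can only
    make the limit stricter for them, never looser: the failure mode is safe.
    """

    def __init__(self, rate_pps=100.0, burst=100, slots=65536):
        self.rate = float(rate_pps)         # tokens refilled per second
        self.burst = float(burst)           # bucket capacity (largest short burst)
        self.slots = slots
        self.tokens = [self.burst] * slots  # every bucket starts full
        self.last = [0.0] * slots           # time of last update per slot

    def _slot(self, dst):
        return zlib.crc32(dst.encode()) % self.slots

    def allow(self, dst, now):
        """True if an echo request to dst arriving at time now (seconds) is forwarded."""
        i = self._slot(dst)
        elapsed = max(0.0, now - self.last[i])
        self.last[i] = now
        self.tokens[i] = min(self.burst, self.tokens[i] + elapsed * self.rate)
        if self.tokens[i] >= 1.0:
            self.tokens[i] -= 1.0
            return True
        return False                        # bucket empty: drop this ping

def run_trace(limiter, trace):
    """Feed (timestamp, dst) pairs through the limiter; return {dst: (forwarded, dropped)}."""
    stats = {}
    for t, dst in trace:
        fwd, drop = stats.get(dst, (0, 0))
        if limiter.allow(dst, t):
            stats[dst] = (fwd + 1, drop)
        else:
            stats[dst] = (fwd, drop + 1)
    return stats

# Constructed traces: one host pinged once a second for ten seconds, and a victim
# hit with 1000 echo requests inside a single second starting at t=5.
NORMAL = [(float(s), "203.0.113.5") for s in range(10)]
FLOOD = [(5.0 + k / 1000.0, "203.0.113.9") for k in range(1000)]

if __name__ == "__main__":
    stats = run_trace(PingRateLimiter(), sorted(NORMAL + FLOOD))
    for dst, (fwd, drop) in stats.items():
        print(f"{dst}: forwarded {fwd}, dropped {drop}")
```

The flooded host gets roughly the 100-token burst plus one second of refill through, and everything beyond that is dropped, while the once-a-second pinger is never touched.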

  7. TLD Question by Farley+Mullet · · Score: 5, Interesting

    I'm not an expert, but as I understand it, DNS attacks are relatively benign, since DNS info is cached all over the place and doesn't change much anyway (this is essentially what the article says). Now, the author seems much more worried about attacks against Top Level Domains, because of reasons related to the nature of the information that TLD servers have, and he suggests a few techniques that they could use. What he doesn't say is what techniques the TLDs are using currently, and how secure they are.

    Does anyone out there on /. know?

  8. Hrrrmmm by Anonymous Coward · · Score: 5, Funny

    "...the October strike on the root servers stopped abruptly after about an hour, probably to make it harder for law enforcement to trace."

    Hrrrrmmm. That makes it look deliberate. Hrrrrmmm.

  9. Egress Filtering by sczimme · · Score: 5, Insightful

    Implementation of simple egress filtering rules at border routers or at firewalls (regardless of who owns them) would dramatically decrease the efficacy of DDoS attacks.

    If my organization owns the A.B.C network, there is no reason why any packets bearing a source address of anything other than A.B.C.* should be permitted to leave my network.

    NAT environments can implement this by dropping packets with source addresses that do not belong to the internal network.

    Of course, for this to be effective it would have be used on a broad scale, i.e. around the world...

    --
    I want to drag this out as long as possible. Bring me my protractor.
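Added example (not sczimme's or deepchasm's code) that applies the source-address rule from this post, and from deepchasm's first bullet in thread 6, to constructed outbound packets: anything whose source is not inside a prefix the network actually owns is dropped and counted. The prefixes and addresses are RFC 5737 / RFC 1918 ranges chosen for the illustration.

```python
import ipaddress

def is_allowed_source(src, allowed_networks):
    """Return True if src lies inside a prefix this network is responsible for."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed_networks)

def egress_filter(packets, allowed_prefixes):
    """Apply the egress rule to outbound packets seen on one interface.

    packets: list of (src, dst) address strings.
    allowed_prefixes: the address space allocated to this side of the interface.
    Returns (forwarded, dropped); dropped maps each forged source to a count,
    which is what an operator needs to locate the infected host behind it.
    """
    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
    forwarded, dropped = [], {}
    for src, dst in packets:
        if is_allowed_source(src, allowed):
            forwarded.append((src, dst))
        else:
            dropped[src] = dropped.get(src, 0) + 1   # a source we never allocated
    return forwarded, dropped

# Constructed traffic leaving a site that owns 198.51.100.0/24 (the "A.B.C" network).
# Three packets carry forged sources, as a flooding tool on a compromised host would send.
BORDER_TRAFFIC = [
    ("198.51.100.7", "203.0.113.10"),   # legitimate
    ("198.51.100.9", "203.0.113.10"),   # legitimate
    ("192.0.2.55", "203.0.113.10"),     # spoofed: not our address space
    ("192.0.2.55", "203.0.113.10"),     # spoofed again
    ("172.16.4.4", "203.0.113.10"),     # spoofed private address
]

# The same rule on the inside interface of a NAT gateway whose LAN is 10.0.0.0/8:
# only addresses that belong to the internal network may originate traffic there.
NAT_TRAFFIC = [
    ("10.1.2.3", "203.0.113.10"),       # legitimate LAN host
    ("203.0.113.99", "203.0.113.10"),   # forged public source coming from inside
]

if __name__ == "__main__":
    fwd, drop = egress_filter(BORDER_TRAFFIC, ["198.51.100.0/24"])
    print(f"border: forwarded {len(fwd)}, dropped {drop}")
    fwd, drop = egress_filter(NAT_TRAFFIC, ["10.0.0.0/8"])
    print(f"nat:    forwarded {len(fwd)}, dropped {drop}")
```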
  10. IDEA for DNS Survivability by evilviper · · Score: 4, Informative

    I have a question... Why does a cache have to expire?

    Why not allow the admin to specify the maximum diskspace that the cache can use up, and then only prune the records when that (possibly huge) database grows too large? In addition, DNS records should not just arbitrarily expire...

    If a record has not reached its "expire" date, the cache is just fine. If a record HAS reached its "expire", it should still remain valid UNTIL the DNS server has been able to get a valid update. Now, that would allow large DNS servers to maintain quite a bit of functionality even if all other DNS servers go down, and would do so while requiring only that the most popular queries be saved on the server (so not everyone has to become a full root DNS server).

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
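Added example (not evilviper's code) that turns the proposal above into a small resolver cache: records past their TTL stay in the cache and keep being served while the upstream path is down, and pruning is by an entry budget rather than by expiry. The upstream stand-in, names and addresses are constructed, and the entry count stands in for the disk budget the post describes.

```python
from collections import OrderedDict

class StaleTolerantCache:
    """DNS cache bounded by entry count that serves expired records until a
    refresh succeeds (evilviper's proposal above; assumptions noted in lead-in).

    Fresh record: answered from cache. Expired: try upstream, and if the upstream
    path is down keep answering with the old record. Unknown name with upstream
    down: nothing to serve. Over max_entries: prune least recently used first.
    """

    def __init__(self, max_entries, resolve):
        self.max_entries = max_entries
        self.resolve = resolve        # callable(name) -> (rdata, ttl), raises on failure
        self.entries = OrderedDict()  # name -> (rdata, expire_at), least recently used first

    def lookup(self, name, now):
        """Return (rdata, status); status is 'fresh', 'refreshed', 'stale' or 'miss'."""
        hit = self.entries.get(name)
        if hit is not None and now < hit[1]:
            self.entries.move_to_end(name)          # mark as recently used
            return hit[0], "fresh"
        try:
            rdata, ttl = self.resolve(name)
        except Exception:                            # upstream unreachable (or name unknown to it)
            if hit is not None:
                self.entries.move_to_end(name)
                return hit[0], "stale"              # past TTL, but kept until a refresh succeeds
            return None, "miss"
        self.entries[name] = (rdata, now + ttl)
        self.entries.move_to_end(name)
        while len(self.entries) > self.max_entries:
            self.entries.popitem(last=False)        # prune by storage budget, not by expiry
        return rdata, "refreshed"

class FakeUpstream:
    """Constructed stand-in for the recursive path to root, TLD and authoritative servers."""
    def __init__(self, zone):
        self.zone, self.down = dict(zone), False     # name -> (rdata, ttl)
    def __call__(self, name):
        if self.down:
            raise TimeoutError("upstream servers unreachable")
        return self.zone[name]                       # KeyError for names it does not know

def demo():
    """Walk through the four cases; returns the status sequence."""
    up = FakeUpstream({"www.example.net": ("192.0.2.10", 300),
                       "mail.example.net": ("192.0.2.25", 60)})
    cache = StaleTolerantCache(max_entries=2, resolve=up)
    seq = [cache.lookup("www.example.net", now=0)[1],      # refreshed from upstream
           cache.lookup("www.example.net", now=100)[1]]    # fresh, TTL 300 not yet reached
    up.down = True                                         # simulate the root/TLD outage
    seq.append(cache.lookup("www.example.net", now=400)[1])    # stale: TTL passed, still served
    seq.append(cache.lookup("mail.example.net", now=400)[1])   # miss: never cached, upstream down
    return seq

if __name__ == "__main__":
    print(demo())   # ['refreshed', 'fresh', 'stale', 'miss']
```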
  11. For those who can't be bothered to RTFA... by nniillss · · Score: 4, Interesting

    DNS caching kept most people from noticing this assault. In very rough terms, if the root servers are disrupted, only about 1 percent of the Internet should notice for every two hours the attack continues--so it would take about a week for an attack to have a full effect. In this cat-and-mouse game between the attackers and network operators, defenders count on having time to respond to an assault.

  12. Question: by I+Am+The+Owl · · Score: 4, Interesting

    the October strike on the root servers stopped abruptly after about an hour, probably to make it harder for law enforcement to trace.

    Whose laws are being enforced, and upon whom?

    --

    --sdem
  13. Re:It would take about a week by Martin+Blank · · Score: 4, Informative

    In WinNT/2K/XP, you can also clear the DNS cache by using ipconfig /flushdns from the command line.

    --
    You can never go home again... but I guess you can shop there.
  14. End users don't need root or TLD servers by Skapare · · Score: 4, Insightful

    End users don't need root or TLD servers; they just need to have DNS queries answered. That's why normally, they are configured to query the ISP or corporate DNS servers, which in turn do the recursive query to root, TLD, and remote DNS servers. Given that, consider the possibility of the ISP or corporate data center intercepting any queries done (as if the end user were running a recursive DNS server instead of a basic resolver) and handle them through a local cache (within the ISP or corporate data center). It won't break normal use. It won't break even if someone is running their own DNS (although they will get a cached response instead of an authoritative one). It will prevent a coordinated attack load from the network that does this.

    They talk about root and TLD servers located at major points where lots of ISPs meet, which poses a potential risk of a lot of bandwidth that can hit a DNS server. So my first thought was why not have multiple separate servers with the same IP address, each serving part of the bandwidth, much like load balancing. And then, you don't even have to have them at the exchange point, either; they can be in the ISP data center. They could be run as mimic authoritative servers if getting zone data is possible, or just intercepting and caching.

    --
    now we need to go OSS in diesel cars