Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fort N.O.C.'s Security in Obscurity

Posted by michael on from the insider-job dept.

penciling_in writes "Brock N. Meeks of MSNBC reports on his recent visit to VeriSign's secret location: 'The unassuming building that houses the "A" root sits in a cluster of three others; the architecture looks as if it were lifted directly from a free clip art library. No signs or markers give a hint that the Internet's most precious computer is inside humming happily away in a hermetically sealed room. This building complex could be any of a 100,000 mini office parks littering middle class America.' The report goes on to say: 'Access to the Network Operations Center, the "NORAD" of the Internet's traffic monitoring, requires the electronic badge and then a double biometric hand print scan.' And here are Karl Auerbach and Robert Alberti offering their interesting analysis of this report on CircleID."

8 of 297 comments (clear)

  1. Good for verisign.. by grub · · Score: 5, Funny


    Sure, the .COM and .NET TLDs are safe from terrorists but one self-righteous bitch can take down goatse.cx

    I'm still fuming about that.

    --
    Trolling is a art,
    1. Re:Good for verisign.. by juniorkindergarten · · Score: 5, Funny

      I'm glad the goatse.cx is gone, but I had to laugh when I saw this on kuro5hin.org:

      An ode to goatse (2.73 / 19) (#59)
      by komet on Sun Jan 18th, 2004 at 05:25:25 AM EST
      (my user id @ the domain of my homepage) http://4you.ch

      To the tune of "American Pie" by Don McLean
      I can still remember how that image used to burn my eyes
      And I knew if I had my chance
      I could hide a link in a rant
      and maybe they'd be pissed off for a while.
      But January made me shiver
      with every link-troll I deliver
      Bad links on the doorstep, I couldn't take one more step.
      I can't remember if I cried
      when I heard about his orphaned site
      But something touched me deep inside
      the day the goatse died.

      So bye bye to the goatse site
      Put his fingers up his asshole and his asshole was wide.
      Yeah these old trolls were on Slashdot and K5
      Singing this will be the day the Net dies
      This will be the day the Net dies.

      --
      "Every security scheme that is based on secrets eventually fails." - Steve Jobs
  2. SiteFinder by Sparky77 · · Score: 5, Funny

    This is also the building that has the big red button labeled "Hijack Internet Traffic"

    --
    One bad monkey spoils the whole barrel.
  3. Cool... by Shoten · · Score: 5, Interesting

    It's cool to see someone write about the building you used to work in! I worked in this building, a bit more than 2 years ago. I was in Network Solutions' consulting arm, whose DC office was in that building, two floors under the NOC. The security really is as spectacular (and low-key) as you'd expect. You would NOT believe the camera surveillance they have facing outwards...you can see some of it, but you can't see some of them at all. And the cameras themselves are startlingly cool...there's a small strip mall across a major highway from the facility, with a clear line of sight. One of the security guys showed me how far the zoom worked, as he zoomed in on a guy smoking in front of a bookstore in the strip mall...about half a mile away. It was still a clear picture.

    When 9/11 happened, we were not allowed back into the building for a couple of days, but all they had to stand up as barriers were road cones. Luckily, they're finally moving to a location that isn't just obscure and secure, but armored, as I hear their Mountain View, CA location is.

    --

    For your security, this post has been encrypted with ROT-13, twice.
  4. LINUX Analogy by YukioMishima · · Score: 5, Insightful

    This story is news, but I kept expecting some point of contention in the article, rather than some musings on decorating schemes that were compared to clip art.


    I found my point here:


    The root server operators "have no contract with anyone, no guarantee of level of service, they could turn [the root servers] off tomorrow with no consequences at all because they are doing it out of the kindness of their heart," said Internet consultant Ambler. "ICANN needs contracts with the root server operators that specify minimum levels of service and minimum levels of security and the root servers need to be paid for that," he said.


    Why is it so confusing to imagine that (a) People do like to do things out of the "kindness" of their collective hearts, and (b) security is not always "secured" by either contracts or money? I understand the legal protections associated with contracts, but I think there's a chance that the root server operator system, as it stands, could alternatively be viewed as something successful - something, much like the open source software movement, that works, not because of contracts or restrictive covenants, but because people enjoy contributing to something useful for their own and others' use.

  5. nobody cared about security two years ago? by kilbo · · Score: 5, Insightful
    "But Ambler nearly chokes on the word 'defense' noting that 'up until two years ago nobody gave a rat's ass for security of the root servers because if the Internet went down it would have been an annoyance to some researchers and nerds.'"

    I guess amazon.com which went public in 1997 must have been frequented only be researches and nerds for the first 5 years of operation.

  6. Re:How much physical security is necessary? by cmowire · · Score: 5, Informative

    In Australia in the past year or two, some folks dressed up as maintenence workers and drove off with an allegedly important government server.

    So it does happen.

    I still have to test every 5-pin simplex lock for important rooms to make sure that it's not a simple combination, because when I had access to a datacenter, it was a damn simple lock.

    --
    Gentoo Sucks
  7. Wrong Architecture = More Fragile by billstewart · · Score: 5, Informative
    Anycast is a good approach for some kinds of problems, but fundamentally the A Root and the other rootservers are a more fragile environment than they should be because they're not using the hierarchichal nature of the DNS system appropriately. Last year's DDoS attack on them demonstrated some of this vulnerability. The Root Servers have three main jobs:
    • Distributing the database to major servers (at least one machine from each of the 13 often-virtual root servers, plus the master DNS servers at the Tier 1 ISPs, the CCTLD servers, and some small number of other sites
    • Answering DNS queries from the major servers
    • Answering DNS queries from any random machine on the Internet
    The system becomes performance-critical to lots of people because too many machines send queries to the root servers (or the .com and .net servers) instead of querying their ISP's DNS server, and too many small ISPs are also querying the root servers instead of their upstream's DNS server. DNS scales well because most information can live near the bottom of the net, and almost all queries can be resolved locally or nearby without have to go ask Jon Postel's ghost for the authoritative answer.

    The root zone itself is probably under 10KB of data that doesn't change every day - if you provide a separate server for zone transfers and let 1000 other DNS servers have access to it (firewalled to prevent any other IP traffic), that's about half an hour on a 56kbps modem. Remember that all it's doing is answering good questions like "Where are .com's name servers?" "Where are .za's name servers", bad questions like "Where are .example,com's name servers?", "Where is 10.in-addr.arpa?" and ugly questions like "Where is Ping of Death?". Let the major servers handle most of the work, absorb the ugly packets and do some queries for bad packets, and let the general public query those anycast machines - they should be querying their ISPs' servers, or their upstreams', which cache the real information, and even when their queries aren't bogus, they shouldn't be blocking the internet-stability-critical traffic.

    The .net, .com, and .org domains are a similar problem, except of course they aren't served by the root servers. The zones are much bigger, a few gigabytes size, but probably only 10% of it changes in any given month, or 99.9999% of the existing domains, which ought to be enough to call the Internet stable, using about 1 Mbps (10GB * 1%/day * 8 bits/byte / 24*60*60 ), and again, keep the public query traffic separate from the zone transfer traffic, and maybe offer a third set of DNS servers to answer queries from the big ISPs to handle things like newly created domain names. The reason to keep that kind of query traffic separate is to avoid attacks like "query bogus00001.com" "query bogus00002.com" ... etc.

    Obvious flame-attracting discussion points:

    • What about the Alternate Roots? They argued that there's no excuse for ICANN/versign/etc. to own the TLD space and PROFIT from selling names like *.sex. Fine - they can use my ideas for free :-)
    • DJB likes rsync+ssh better. He might be right, but I'm trying to look at the small incremental change approach.
    • This makes nic.big-ISP.net a much bigger target! It's already a target. They can apply the same approach recursively, plus their users can still query the roots, and they probably have a somewhat distributed architecture already.
    • But the Internet is supposed to be any-to-any and this sounds like hierarchical corporate hegemony! Alas, too late for that, and if a 56kbps line can handle 1000 root zone transfers in half an hour, a T1 line should be able to handle 50,000 ok. Meanwhile, even covering the top 100 ISPs covers most of the Internet's users for stability.
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks