Bill Cheswick On Internet Security
Franki3 invites our attention to a SecurityFocus interview with Bill Cheswick. He started the Internet Mapping Project in the 90s; you have probably seen the maps that resulted. The interview ranges over firewalling, logging, NIDS and IPS, how to fight DDoS, and the future of BGP and DNS. From the interview: "I have been impressed with the response of the network community. These problems, and others like security weaknesses, security exploits, etc., usually get dealt with in a few days. For example, the SYN packet DOS attacks in 1996 quickly brought together ad hoc teams of experts, and within a week, patches with new mitigations were appearing from the vendors. You can take the Internet down, but probably not for very long."
Their technique of hiding many geographically-separated servers behind one IP address is interesting. For example, ISC's server at 192.5.5.241 (the "F" server) has over 40 sites, including Ottawa, Palo Alto, New York City, San Francisco, and Madrid. Given the obvious advantages of this configuration, it actually surprised me that there are root servers not doing this: VeriSign, University of Maryland, NASA, the U.S. DoD, the U.S. Army, and ICANN all seem to have single-site root servers. I wonder whether those organizations are taking the responsibility that they hold seriously enough, if cost or level of effort are what's stopping them.
Also, the number of servers that have IPv6 addresses is a bit disappointing (B, F, H, K, M), but I suppose understandable given the slow uptake of that technology. In many ways, the root DNS system is seemingly one of the oldest and least-noticed parts of the Internet's infrastructure; if the network as a whole were a city, it would be the stonework aqueducts far beneath the streets, that nobody thinks about as long as the water comes out when you turn the tap.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
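The "many sites behind one IP address" arrangement the commenter describes is anycast, and an operator or incident responder can check which site is actually answering from a given vantage point by sending a CHAOS-class TXT query for `hostname.bind` (the BIND convention; `id.server` is the standardised equivalent). The script below is an added example, not code from the post or its commenter; it builds and parses the DNS wire format with only the standard library, and assumes the target answers such queries (F-root does, but some operators refuse them, in which case the answer section is simply empty).

```python
import socket
import struct

F_ROOT = "192.5.5.241"   # F.root-servers.net, the anycast address named in the comment
TXT, CHAOS = 16, 3       # RR type and class used for the hostname.bind probe

def build_query(qname, qtype=TXT, qclass=CHAOS, txid=0x1234):
    """Encode a minimal DNS query (no recursion) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.strip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, qclass)

def _skip_name(msg, off):
    """Advance past a possibly compressed owner name; return the new offset."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:        # two-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_txt_answers(msg, expect_txid=0x1234):
    """Return the TXT strings in the answer section, or [] on id mismatch/refusal."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expect_txid:
        return []
    off = 12
    for _ in range(qd):                        # skip the echoed question
        off = _skip_name(msg, off) + 4
    out = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        i = 0
        while rtype == TXT and i < len(rdata):  # TXT rdata is <len><chars>...
            out.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
            i += 1 + rdata[i]
    return out

def anycast_instance(server=F_ROOT, timeout=3.0):
    """Ask `server` which anycast site is answering (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query("hostname.bind"), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_txt_answers(data)

if __name__ == "__main__":
    print("Instance of", F_ROOT, "serving this vantage point:", anycast_instance())
```

Running it from several networks (or over IPv6 against the roots that have AAAA records) shows different site names for the same address, which is the behaviour the comment is talking about.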