Slashdot Mirror
DNS Root Servers Attacked
liquidat and others wrote in with the news that the DNS Root Servers were attacked overnight. It looks like the F, I, and M servers felt the attack and recovered, whereas G (US Department of Defense) and L (ICANN) did less well. Some new botnet flexing its muscle perhaps? AP coverage is here.
Oh, you're not stuck, you're just unable to let go of the onion rings.
Perhaps it is unfair of me to say so, but I get the distinct impression that large governmental organizations do not do very well in terms of security until the attack vector is pointed out to them. After that, sometimes they do very well (often using overkill methods), sometimes they do less well - but something usually has to kick the learning curve process into gear.
Besides, DNS is for wussies anyways. Real men don't need user-friendly names for their ip addresses :) But seriously, I can imagine the Web still being useful without DNS if search engines linked to IP addresses instead of hostnames. And now that email is largely a WWW service (hotmail, gmail...) a big chunk of it could survive too.
actually, there was one.
:)
i dont remember the actual day/month/year, but maybe 3 years ago: MCI updated a bunch of routers, all at the same time, and screwed it up. a lot of people in north america were without internet for up to a day. i think this qualifies as major
and consider that these so called "root servers" are actually several hundreds (thousands?) of servers, in different physical locations. i think i remember mr vixie saying F alone had around 200 machines
Other experts said the hackers appeared to disguise their origin, but vast amounts of rogue data in the attacks were traced to South Korea.
Somehow that doesn't surprise me. This is the same country that uses insane amounts of ActiveX, and has the effect of conditioning people to click "Yes" whenever any site tries to install something, right? Wouldn't be any surprise if South Korea was one big botnet.
You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
A few years ago the root server operators (on their own initiative and without asking for, or obtaining, permission from ICANN) took the wise step of deploying replica servers using a routing technique called "anycast". Thus under the name of, for example, f.root-servers.net there are many distinct servers geographically dispersed.
Consequently today we have more than 130 root servers scattered around the world.
That's good. It tends to localize the damage caused by attacks.
What is not good is that these root server operators, although they today operate to the highest of standards and with the highest degree of integrity, are not required to do so in the future.
For example, several root servers are operated by the US military establishment or by other branches of the US government and are thus subject to being "adjusted" according to military, political, or Atty General Alberto Gonzolez's latest desire to do data mining.
Nor are the root servers required to play fair and respond to all queries with equal dispatch or equal accuracy no matter the source or the name being queried for.
Nor are the root servers off limits for sale to companies like Microsoft or Google who could use them for commercial data mining.
Many people believe that ICANN serves as a kind of fire marshall, overseeing that the root servers are operated responsibly and that the root server operators have access to the resources they might need to recover from a natural or human disaster.
But that is not the case. ICANN has abrogated that role and has engaged itself as a protector of trademarks and US cultural values.
Over the last few thousand years we've learned that it's best for long term stability to build institutions and not depend on individual people. Today the root servers are the work of good individuals and organizations that encompass them. We really need to move to a more formalized structure that reinforces the long-term continuation of the good system we have today.
>they could have been testing how well their attack would work
Good insight, but why attack the root servers in the first place?
The days when people tried to burn down the Internet just to watch the flames dancing ended a few years ago. It's about profit now. If a crook launches a DDoS on a gambling site the day before the Super Bowl, that crook can extort money. Crooks can also make crooked money from click fraud or spam runs.
Where's the money in taking down the root DNS servers? Why would a crook throw away the black market value of a botnet to do something that wouldn't bring in loot?
I think the fact that South Korea has something like 99% of connected computers running windows makes them an easy target for infectable machines just based on sheer volume. Combine that with the outstanding penetration of very high-speed internet connectivity and just about everything in the country is running an OS with a poor history of security on a very fast connection..
1 /200701240013.html
In order to make a secure transaction over the internet in South Korea you have to be able to run IE, and ActiveX controls to establish your secure link as the result of a deal with M$ in '97 to provide an encryption and authentication mechanism for internet based transactions using the web iirc.. (OpenSSL wasn't a standard yet - that was '98)
This is the same reason the the Ministry of Information and Communication of South Korea urged its citizens not to upgrade to Vista.
http://english.chosun.com/w21data/html/news/20070
Wisest is he who knows he does not know.
It doesn't matter, it's virtually guaranteed that the path between your resolver and the root name servers involves at least *one* Cisco router.
And in the unlikely event that it doesn't, it's just as likely that the path between you and where you want your traffic to go involves at least one Cisco router. Between the two, if someone were clever, capable, and dedicated, they could disrupt enough of the Internet to make it 99% unusable.
Oh, you're not stuck, you're just unable to let go of the onion rings.
Are you kidding? I've been using Vista since RTM on my main work system and the UAC prompts are enough to either:
1: Drive one completely insane.
2: Insensitize one to the point where one clicks 'Yes' on any dialog that pops up.
3: Cause one to disable UAC prompting.
Examples:
You want to look at the event log... well you're gonna need some extra admin priviledges. Are you sure you want to look at the event log?
You want to run visual studio 2005... that complains too. Would someone please explain to me WTF running an IDE requires admin fucking rights!
Microsoft's approach of security by nagging the user to death is fundamentally flawed.
I swear, if I hadn't turned of UAC prompting, there would be a craig's list posting right now for a slighty shot-gunned compy.
A One that isn't cold, is scarcely a One at all.
Exactly, and I also get sick of "experts" ridiculing and blaming the victims of vandalisim and crime for messing up "their" playground. Nobody blames a homeowner when a thief kicks down their flimsy door and robs them, or a vandal rips up their mail and knocks down the letterbox.
As I have been doing for nearly two decades, I set up a friends PC just before christmas, and told him "just say no" to unknown applications. He had no troubles until about a week ago, he got a message from the virus scanner about a trojan and didn't understand the options so he just pulled the plug from the wall, called his bank and waited until next time he saw me.
The first thing I said to him was..."you said 'yes', didn't you?"...he complained bitterly..."No porn videos, No screensavers" I asked in a mocking accusation...."is a screen saver an application" he replied with a puzzled look. I booted it up and showed him how the scanner gets rid of the trojan and admired his new screen saver. The VS options were something like "vault" and "delete", there wasn't a "no" or "cancel" button so he panicked and enacted the "emergency procedure" I had advised previously.
The guy is not an idiot, he is middle aged but has had virtually nill exposure to PC's, until he went out and bought one. He restores antique furniture for a living, he is over the moon about ebay and other stuff to do with furniture but has ignored FPS games. Not that he doesn't like them he has a PS3 and loves it because "it doesn't do things that are not in the manual". For him the curve is still too steep (and life is too short) to learn how to install and register games with confidence.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
And most Linux users would scream and freak if there was an automatically set-up cron job to apt-get update/upgrade once a week - but will often do so themselves.
I openly admit to being one of those.
110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
My father was a mechanical engineer, he has bought a couple of mac's on my say-so. Being an engineer he likes to pull things apart, 10 or so years after his first mac he is now 75 and no longer uses one, he has an XP AND a Linux box AND some neat video editing equipment. When he started asking me the difference between different pin standards for parrallel ports I said "I dunno Dad, RTFM". He also writes some slick kids games in Delphi for fun (solitare-yahtzee was his last one, complete with rolling dice visuals, sound effects and an installer. Naturally the code is open source.)
:)
Mum and Dad are kinda spritley for their age, Dad gave up towing their caravan all around the bush and sold it last year, they put the money towards their 3 week cruise to Antartica! I hope it's genetic.
"Anyway, since neither of them chose not to follow my advice, she gets no technical support from me."
I try to advise without prempting their choice, often I will spens a couple of hours to help kick start someone if I like the person. Regardless of what they choose, people who expect me to help are made aware of my hourly rate and lack of free time.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
From my anecdotal experience:
4. A dismissive attitude towards computer security, safety precautions, environmental concerns, building codes, etc. I frequently hear "why bother?" as it's considered an inconvenience, likely cutting into profits, and only a dummy plays by the rules.