Slashdot Mirror
DNS Root Servers Attacked
liquidat and others wrote in with the news that the DNS Root Servers were attacked overnight. It looks like the F, I, and M servers felt the attack and recovered, whereas G (US Department of Defense) and L (ICANN) did less well. Some new botnet flexing its muscle perhaps? AP coverage is here.
Oh, you're not stuck, you're just unable to let go of the onion rings.
Oh!!! So that's what that button does.
Stupid little freaks.
RS
Shoes for Industry. Shoes for the Dead.
Um, so how many times a day do the root servers get attacked? No, wait, an hour, a minute... Like a ba-gillion? These things happen everyday, so what's new? It's not like they haven't figured out the whole failover/fault tolerance thing. You'd have to nuke 'em to get them to stop running.
It's fine they are just slashdotted, give it an hour or two and they will be running just fine again.
Perhaps it is unfair of me to say so, but I get the distinct impression that large governmental organizations do not do very well in terms of security until the attack vector is pointed out to them. After that, sometimes they do very well (often using overkill methods), sometimes they do less well - but something usually has to kick the learning curve process into gear.
Is it just me or is going after servers that people expect up to 3 business days to update not the best way to go? You would have to sustain the attack for a long time for the average joe to notice.
Not that I am complaining, one less bot net to worry about.
Good thing that they apparently never heard of routers though.
i can still visit slashdot. i think my dell pc has a back up of the internet.
Some new botnet flexing its muscle perhaps.
That was a test system for installing Windows Vista that someone forgot to unplug from the wall.
... for resolving caches.
In that case, it's GMILF. That's right, DNS is operated by a ring of hot grandmothers.
Spam would only cause it if the addresses didn't end with commonly cached TLDs. On the other hand, I keep logging in to phishing sites with the email address yeah@nice.try, so maybe a lot of other people had similar ideas and someone tried to spam the list of harvested address without any sanity checking...
I am TheRaven on Soylent News
Don't make the assumption that all DNS servers were attacked equally though.
the root servers are setup in such a way that *2/3* of them can fail, and noone would notice.
[RFC2870]
2.3 At any time, each server MUST be able to handle a load of
requests for root data which is three times the measured peak of
such requests on the most loaded server in then current normal
conditions. This is usually expressed in requests per second.
This is intended to ensure continued operation of root services
should two thirds of the servers be taken out of operation,
whether by intent, accident, or malice.
... for resolving caches that never fnord give any sort of bogus or out of date new coke results!
This flies in the face of science.
Try this MILF,G.
Mom's I'd like to fuck, Giggidy giggidy giggidy.
This attack was clearly perpetrated by none other than Glen Quagmire.
"Oh drat these computers, they're so naughty and so complex. I could pinch them."
Marvin the Martian
Mr. Bill recently said this:
9 854
"We made it way harder for guys to do exploits," said Mr. Gates. "The number [of exploits] will be way less because we've done some dramatic things [to improve security] in the code base. Apple hasn't done any of those things."
In another portion of the interview, he added, "Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine."
See article: http://www.toptechnews.com/story.xhtml?story_id=4
Microsoft needs a public shaming for the sorry state of Windows security that allows millions of these zombie machines to exist. I don't blame Joe User, sorry. No holy wars about security; statements that user should do x, y, z and be as smart as me, etc.
Windows: Defective By Design
Other experts said the hackers appeared to disguise their origin, but vast amounts of rogue data in the attacks were traced to South Korea.
Somehow that doesn't surprise me. This is the same country that uses insane amounts of ActiveX, and has the effect of conditioning people to click "Yes" whenever any site tries to install something, right? Wouldn't be any surprise if South Korea was one big botnet.
You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
You suggest that the Department of Defense's nameserver is badly managed, making an argument by analogy concerning "large governmental organizations". Since you haven't provided a technical argument, your accusation has no merit. Your "distinct impression" is pure speculation.
But congratulations on getting everyone riled up.
A few years ago the root server operators (on their own initiative and without asking for, or obtaining, permission from ICANN) took the wise step of deploying replica servers using a routing technique called "anycast". Thus under the name of, for example, f.root-servers.net there are many distinct servers geographically dispersed.
Consequently today we have more than 130 root servers scattered around the world.
That's good. It tends to localize the damage caused by attacks.
What is not good is that these root server operators, although they today operate to the highest of standards and with the highest degree of integrity, are not required to do so in the future.
For example, several root servers are operated by the US military establishment or by other branches of the US government and are thus subject to being "adjusted" according to military, political, or Atty General Alberto Gonzolez's latest desire to do data mining.
Nor are the root servers required to play fair and respond to all queries with equal dispatch or equal accuracy no matter the source or the name being queried for.
Nor are the root servers off limits for sale to companies like Microsoft or Google who could use them for commercial data mining.
Many people believe that ICANN serves as a kind of fire marshall, overseeing that the root servers are operated responsibly and that the root server operators have access to the resources they might need to recover from a natural or human disaster.
But that is not the case. ICANN has abrogated that role and has engaged itself as a protector of trademarks and US cultural values.
Over the last few thousand years we've learned that it's best for long term stability to build institutions and not depend on individual people. Today the root servers are the work of good individuals and organizations that encompass them. We really need to move to a more formalized structure that reinforces the long-term continuation of the good system we have today.
It's the only way to be sure.
Silly question. Why aren't there more root servers put into operation? (Honest question! I seriously don't know. Is it a technical limitation?)
>they could have been testing how well their attack would work
Good insight, but why attack the root servers in the first place?
The days when people tried to burn down the Internet just to watch the flames dancing ended a few years ago. It's about profit now. If a crook launches a DDoS on a gambling site the day before the Super Bowl, that crook can extort money. Crooks can also make crooked money from click fraud or spam runs.
Where's the money in taking down the root DNS servers? Why would a crook throw away the black market value of a botnet to do something that wouldn't bring in loot?
... gets slashdotted, what an irony.
// MD_Update(&m,buf,j);
...Botnet disabled, job done!
My little Linux and tech blog
I Like Milking Grand Fathers...
The root servers are the authoritative DNS servers for the top level domains (TLDs) - i.e. .com, .net, .edu, etc.... This has nothing to do with the "3 business day" thing you're talking about. Even the TLD servers aren't responsible for that delay. You're referring to the time it takes for non-authoritative DNS servers to clear their caches. Big difference....certainly not "insightful". /x
Or you know, you could just put up a caching DNS server, set its forwarder(s) to your dns server(s), and have yourself a party. total time to implement: not much longer than the time to build/install bind.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
As in: I've fallen and ICAAN'T get up.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
It's not like they haven't figured out the whole failover/fault tolerance thing.
That's kind of the point here, actually. Several of the root servers do not have any redundancy. You can see the list at http://www.root-servers.org/. In particular, the A, B, D, E, G, H, and L servers have only a single location a piece.
F, I, J, K, and M, on the other hand, are heavily redundant and have multiple geographic locations, routed via Anycast, so a single client only "sees" the server nearest to them. This makes them difficult to DDoS, because a zombie in S. Korea pinging the J server would be sending packets to the server in Seoul, while one in California would get the one in Mountain View.
What's odd, looking at the list, is that anyone operating something as critical to the internet infrastructure, wouldn't develop some geographic and systems redundancy; unfortunately, I suspect that the government agencies in particular tasked with these responsibilities probably don't keep it at the very top of their priority lists when allocating resources and funding.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
You can see the list of sites for F here:
http://www.isc.org/index.pl?/ops/f-root/sites.php
That's about 40 locations. Now, each of which has a couple of servers, a management box, and a couple of routers, so yeah something like 200 machines total.
It's more than just an IDE. I'd hazard a guess that it's for the debugger, so you can do things like trace calls up to kernel functions, access another application's memory area, and use hardware watchpoints. Come to think of it, I wouldn't even know how you'd write a program to access the registers or memory of a process, even a child process. Did read an article on how debug.com worked, but that was a long time ago...
You like splinters in your crotch? -Jon Caldara
From RFC 2606:
(Next time, try the webserver -- that's how I learned this.)
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Exactly, and I also get sick of "experts" ridiculing and blaming the victims of vandalisim and crime for messing up "their" playground. Nobody blames a homeowner when a thief kicks down their flimsy door and robs them, or a vandal rips up their mail and knocks down the letterbox.
As I have been doing for nearly two decades, I set up a friends PC just before christmas, and told him "just say no" to unknown applications. He had no troubles until about a week ago, he got a message from the virus scanner about a trojan and didn't understand the options so he just pulled the plug from the wall, called his bank and waited until next time he saw me.
The first thing I said to him was..."you said 'yes', didn't you?"...he complained bitterly..."No porn videos, No screensavers" I asked in a mocking accusation...."is a screen saver an application" he replied with a puzzled look. I booted it up and showed him how the scanner gets rid of the trojan and admired his new screen saver. The VS options were something like "vault" and "delete", there wasn't a "no" or "cancel" button so he panicked and enacted the "emergency procedure" I had advised previously.
The guy is not an idiot, he is middle aged but has had virtually nill exposure to PC's, until he went out and bought one. He restores antique furniture for a living, he is over the moon about ebay and other stuff to do with furniture but has ignored FPS games. Not that he doesn't like them he has a PS3 and loves it because "it doesn't do things that are not in the manual". For him the curve is still too steep (and life is too short) to learn how to install and register games with confidence.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Even nukes can't stop it! Or at least they shouldn't, since the internet was originally designed to run as a communications network in the event of a nuclear attack.
And the primary design feature that enabled that was removed during the rise of the ISPs.
The early internet was a NET. Redundant links everywhere. Routers all potentially knew the whole topology and could find a connection if it existed.
As the net went commercial that caused a table explosion in the routers. So BGP replaced RIP and things became less robust. Usable routes became a subset of all possible routes. Within the backbone there was still a lot of redundancy - but it wasn't quite up to the former "find a path if it exists" level.
Meanwhile, the typical host went from being something ad-hock connected to sever neighbors to being something connected solely to a single ISP - typically by a single link. The big guys might have redundant paths into their ISP's Network Operations Center. But if something took out the NOC (and often there was only one - or only one of some critical component) you were hosed. Ditto if something corrupted their databases. Even with redundant links there would only be a few, perhaps going through several single-points-of-failure - and if fully redundant still allowing a double-failure to take you down. The little guys would typically have one line (say DSL) to one box. Cut the line or crash the box - or the typically two links from it to the NOC - and you're hosed.
(Perhaps you have a dialup-backup for your DSL. Did YOU configure it to come up automagically if your main link goes down? Is it on the same phone line with the DSL? If not, does it take a different path to the central office? Or is it right up the same cable bundle on the same poles next to the same road full of the same drunk drivers or in the same underground cable running past the same backhoe...)
So the internet evolved from a nuclear-strike-survivable net to a less-robust net rooting a bunch of trees. Oops!
(And that's just for routing the packets once you've GOT the IP number. Translating names to IP numbers is a whole separate can of worms: It's what the root servers are about - which is why there are so many of them, most of them are clusters, and some are clusters that are geographically diverse. You only need to hit ONE operational root server to get started on your translation - if your answer isn't cached somewhere between you and the root, and the list is small enough to keep handy on every machine that wants to do its own nameservice.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Several of the root servers do not have any redundancy.
Having multiple root servers IS the redundancy - originally, and to some extent even now. Big-time redundancy within each one is just (really strong) suspenders to supplement the belt.
A non-redundant root server is still useful - even if perhaps not always up and/or not capable of drinking as large a firehose of requests as some giant, geographically-diverse, multiple-cluster. All it takes is one response from one server to get your nameserver's search started.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
My father was a mechanical engineer, he has bought a couple of mac's on my say-so. Being an engineer he likes to pull things apart, 10 or so years after his first mac he is now 75 and no longer uses one, he has an XP AND a Linux box AND some neat video editing equipment. When he started asking me the difference between different pin standards for parrallel ports I said "I dunno Dad, RTFM". He also writes some slick kids games in Delphi for fun (solitare-yahtzee was his last one, complete with rolling dice visuals, sound effects and an installer. Naturally the code is open source.)
:)
Mum and Dad are kinda spritley for their age, Dad gave up towing their caravan all around the bush and sold it last year, they put the money towards their 3 week cruise to Antartica! I hope it's genetic.
"Anyway, since neither of them chose not to follow my advice, she gets no technical support from me."
I try to advise without prempting their choice, often I will spens a couple of hours to help kick start someone if I like the person. Regardless of what they choose, people who expect me to help are made aware of my hourly rate and lack of free time.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.