Internet Backbone DDOS "Largest Ever" 791

wontonenigma writes "It seems that yesterday the root servers of the internet were attacked in a massive Distributed DoS manner. I mean jeeze, only 4 or 5 out of 13 survived according to the WashPost. Check out the original Washington Post Article here."
  • by seanadams.com ( 463190 ) on Tuesday October 22, 2002 @07:44PM (#4508880) Homepage
    I mean jeeze, only 4 or 5 out of 13 survived according to the WashPost.

    I'd say this just goes to show how reliable the root name servers are. I didn't notice any dns problems yesterday. In fact, I don't remember any root name server problems since the infamous alternic takeover.
  • Re:And... (Score:4, Insightful)

    by kidlinux ( 2550 ) <<duke> <at> <spacebox.net>> on Tuesday October 22, 2002 @07:44PM (#4508885) Homepage
    A nuclear war isn't an attack on the networks themselves. This, however, is an attack on the networks.
    A subterranean bunker is designed to withstand nuclear wars, but what do you think would happen if the nuke was inside the bunker?
  • NIPC Ineffective (Score:1, Insightful)

    by Anonymous Coward on Tuesday October 22, 2002 @07:45PM (#4508892)
    I thought the purpose of the NIPC was supposed to be in place to prevent these sorts of attacks. Not only were they unable to prevent this attack, they were unaware of it as well.

    The US FBI at its best...
  • by Anonymous Coward on Tuesday October 22, 2002 @07:51PM (#4508947)
    Why on earth are "about 10" of the root servers in a single country?
  • Test run (Score:3, Insightful)

    by QueenOfSwords ( 179856 ) on Tuesday October 22, 2002 @07:52PM (#4508957) Homepage
    Well we can laugh about it now (What DOS? my instinct when I read about this was to flip the unsuccessful hax0rs the bird) but my concern is that this could be a test run for something more unpleasant.
    Maybe to cause a false sense of security, maybe to analyse how those crucial networks cope with DOS attacks so as to be more successful next time.
    Whether these people were Bin Laden's boys or garden variety hax0rs don't get too comfortable. The worst is yet to come.
  • Sophisticated? (Score:5, Insightful)

    by wsloand ( 176072 ) on Tuesday October 22, 2002 @07:53PM (#4508973)
    The heart of the Internet sustained its largest and most sophisticated attack ever

    I've never considered DDOS all that sophisticated myself. It seems to me that "wow a script kiddie got more systems under his control than usual" more than "a great cracker is on the loose". Though I suppose if it were a great cracker then they could have been proving themselves by predicting the attack.
  • And...? (Score:5, Insightful)

    by m0i ( 192134 ) on Tuesday October 22, 2002 @07:55PM (#4508992) Homepage
    Despite the scale of the attack, which lasted about an hour, Internet users worldwide were largely unaffected, experts said.
    Indeed, no traffic slowdown, no more than usual support calls. The system works as expected, even under attack.

    Worth a read: Caida DNS analysis [caida.org], and more specifically those graphs [caida.org]. It would be interesting to know which DNS sustained the attack, in regard to the graphs.
  • by ehiris ( 214677 ) on Tuesday October 22, 2002 @08:01PM (#4509031) Homepage
    Maybe they were attacking root servers but those servers failing couldn't cause all the DNS records to get lost. Some people might have had temporary problems, some might have not.

    If you really want to, build your own root server [ipal.net]
  • So how often do YOU utilize the internet without using DNS? Not often, I bet.

  • Yeah... (Score:4, Insightful)

    by Nindalf ( 526257 ) on Tuesday October 22, 2002 @08:05PM (#4509063)
    ...everyone knows that communication infrastructure is a meaningless luxury, especially during a war or after a huge disaster.
  • by Chromonkey ( 466956 ) on Tuesday October 22, 2002 @08:05PM (#4509065)
    Concentrating on just vulnerabilities in Microsoft products would be rather short sighted. Linux can be hacked as well ya know.

    All administrators, no matter what system they are using, should concentrate on making their systems as secure as possible.
  • by KillerBob ( 217953 ) on Tuesday October 22, 2002 @08:23PM (#4509190)
    I'm not too sure I'd call the USA the most democratic nation in the world, but that's a discussion for a totally different time and place.

    The Internet's roots have nothing to do with democracy. Quite the opposite, your military wanted a communications network that could survive a nuclear holocaust so that it would be the first to rebuild and conquer the world when the evil reds launched the first nuke.

    Most of the TLDs are in the USA because the DNS system was created in the USA, and was largely hosted by US providers. It's too much trouble to move them, and of limited benefit. If they ever decide to add new ones, it's likely that they'll put at least one in Japan, and probably a couple in Europe.

    Even so, though, the main reason for their dispersal is to survive a nuclear attack that takes out one or two. I don't know if you've looked at a map recently, but the USA is big. It's not like all 13 of the TLD servers are located in a trailer in rural Kentucky. You'd have to carpet bomb the entire USA to be sure of taking out all 13 of them, and frankly, if somebody had the resources to turn the entire country into a self-illuminating glass-floored parking lot, the Internet would be the least of my worries.
  • by kashani ( 2011 ) <slashdot@org.badapple@net> on Tuesday October 22, 2002 @08:35PM (#4509261) Homepage Journal
    The point is it didn't take anything down... nope not even close. The Washington Post could have well said "Grandma Smith sends 10 icmp packets to cable modem" and it would have been just as "damaging".

    kashani
  • by KillerBob ( 217953 ) on Tuesday October 22, 2002 @08:36PM (#4509272)
    How do you plan on enforcing this, sir?

    Seriously. How do you plan on enforcing this? Not only is it a huge expenditure of resources to track down the number of computers used in the attacks, to track down their IP addies, to obtain the needed court orders to obtain their ISP's logs, the resources to parse those logs to find out who was logged on, and *then* go about prosecuting the offenders, what would it accomplish?

    If Code Red taught us anything, it's that the dumb won't change a thing about the way they work, regardless of how much the internet community ridicules them. It's also completely nuts to punish the ISPs for this... where does it stop? I'm pretty sure that some AOL clients were responsible (and while I wouldn't complain about no AOL'ers for a while, I bet they would). How about people who buy their access directly from UUNet? Gonna block out UUNet for a month?

    Even if you could implement that punishment of the ISPs, it wouldn't accomplish much. It wouldn't hurt me at all if I was blocked from direct access to the TLD servers, because inside my network I'm running a mirror. My ISP is running a mirror. I know of a dozen open DNS servers on the internet. I'm betting I could find at least one that wouldn't block me.

    Seriously, though. It's great to say we should punish these people for not securing their systems, but you have to understand just how many computers would be needed for this attack. The TLD servers aren't running on 64k ISDN: they're on OC48 at least. There's 13 of them. The kind of bandwidth needed to adequately DoS them is obscene. You either do it the dumb way and use 50 computers running on the fastest connection available, or you use *hundreds* of computers, possibly thousands or tens of thousands.

    Looks great on paper, but realistically there's not much point in ranting like this. Besides... if it wasn't for the article, I'm betting that most of the world wouldn't have noticed.
  • by Kiwi ( 5214 ) on Tuesday October 22, 2002 @08:44PM (#4509320) Homepage Journal
    I did notice that DNS resolutions were taking a little longer than usual and that there were slightly more resolving issues than normal; I also noticed that 198.41.0.4 (a.root-servers.net) was not replying to DNS queries. The OSRC [open-rsc.org] root name servers (which I normally use) were perfectly functional, however.

    I only noticed it because I use my own DNS server [maradns.org] to resolve requests; and pay close attention whenever I see any problems resolving host names (there is the possibility of it being a bug with my software).

    The person who orchestrated this attack is not very familiar with DNS. Attacking the root name servers is not very effective; all the root servers do is refer people to the .com, .org, or other TLD (top-level-domain) name servers. Most DNS servers remember the list of the name servers for a given TLD for a period of two days, and do not need to contact the root servers to resolve those names. While some lesser-used country codes may have had slower resolution times, an attack on the root servers which only lasts an hour can not even be felt by the average end user.

    In the case of MaraDNS, if a DOS (denial of service) is happening against the root servers, MaraDNS will be able to resolve names (albeit more slowly for lesser-used TLDs) until every single root server is successfully DOS'd.

    - Sam
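
An added illustration of the caching behaviour described in the comment above (not part of the original thread and not MaraDNS code): a toy resolver that caches TLD referrals for two days and only fails once all 13 roots stop answering. The names example.com and example.nu, the one-hour window and the fixed-order retry are assumptions made for the sketch.

```python
# Added illustration (not from the thread): toy caching resolver during a root outage.
from dataclasses import dataclass, field

TLD_NS_TTL = 2 * 24 * 3600   # TLD referrals cached "for a period of two days"
ROOTS = [f"{c}.root-servers.net" for c in "abcdefghijklm"]   # the 13 root names
OUTAGE = (3600, 7200)        # constructed: a one-hour attack window, in seconds


@dataclass
class Resolver:
    down: set                                   # roots that time out during OUTAGE
    cache: dict = field(default_factory=dict)   # tld -> expiry of cached referral
    root_queries: int = 0
    timeouts: int = 0
    failed: list = field(default_factory=list)

    def _ask_roots(self, now):
        """Try roots in a fixed order (a simplification); True once one answers."""
        attacked = OUTAGE[0] <= now < OUTAGE[1]
        for root in ROOTS:
            self.root_queries += 1
            if attacked and root in self.down:
                self.timeouts += 1              # slower lookup, not yet a failure
                continue
            return True
        return False

    def resolve(self, name, now):
        tld = name.rsplit(".", 1)[-1]
        if self.cache.get(tld, 0) > now:
            return True                         # cached referral: roots not contacted
        if self._ask_roots(now):
            self.cache[tld] = now + TLD_NS_TTL
            return True
        self.failed.append(name)
        return False


def simulate(roots_down):
    """Three hours of lookups; returns (failed names, timeouts, root queries)."""
    r = Resolver(down=set(ROOTS[:roots_down]))
    r.resolve("example.com", 0)                 # popular TLD cached before the attack
    for t in range(60, 3 * 3600, 60):
        r.resolve("example.com", t)             # one lookup a minute
        if t == 5400:
            r.resolve("example.nu", t)          # lesser-used TLD, first seen mid-attack
    return r.failed, r.timeouts, r.root_queries


if __name__ == "__main__":
    for n in (0, 9, 13):
        print(n, "roots down ->", simulate(n))
```

With nine roots down the uncached TLD still resolves after nine timeouts; only with all thirteen down does it fail, and the cached TLD is unaffected throughout.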

  • Re:And... (Score:4, Insightful)

    by joshuac ( 53492 ) on Tuesday October 22, 2002 @08:48PM (#4509342) Journal
    ...and you will be left scratching your head when Slashdot seemingly goes offline for an extended period of time.

    hint: read the last paragraph of Cmdrtaco's last journal.

    just run a local DNS cache; if something is unreachable, you have the cached entry to work off of. When changes are made, you get the update automatically.
  • Re:al qaeda? (Score:2, Insightful)

    by baldass_newbie ( 136609 ) on Tuesday October 22, 2002 @08:54PM (#4509370) Homepage Journal
    Genocide?
    McCarthyism?
    No race is being systematically killed that I can see.
    McCarthy, though a power mad drunk and witless individual did point out the broadening influence of Communism and help to root out some very corrupt individuals. Wouldn't call him a hero. But his name has taken on a connotation that moves away from reality.
    Al Qaeda is not a random group. If people, especially Americans are paranoid right now, it might have something to do with Muslims killing innocent civilians for their religious salvation.
    Couple that with a sniper on the loose around the Nation's capital, and yeah, a DDOS attack on the backbone of the worldwide information structure the U.S. built, I'm thinking Terrorism is a fairly good guess.
    Why? Are you from France?
  • by Doomrat ( 615771 ) on Tuesday October 22, 2002 @09:02PM (#4509418) Homepage
    ..memorising the slashdot servers IP address in case of total DNS meltdown? Seriously, if the DNS system was totally destroyed, would you be able to think of any IP addresses by memory to get you in contact with other net people?
  • Re:And... (Score:3, Insightful)

    by Proc6 ( 518858 ) on Tuesday October 22, 2002 @09:11PM (#4509473)
    That's too general of a statement. It's like saying "Our roadways would function just fine, even if all the cars were gone." - they're intimately bound together. The "whole" of the internet does NOT function fine when DNS goes away. I'm pretty sure about 95% of the world's email and web browsing not being able to work does not constitute "the internet working fine". To your standards, as long as 2 people with registered legitimate IPs' computers are still up and connected in some closet somewhere "the internet is working fine". And again, "well no...".
  • by Anonymous Coward on Tuesday October 22, 2002 @09:20PM (#4509518)
    This [internettr...report.com] would indicate why many of you may not have noticed any slowdowns in response time.
  • by Anonymous Coward on Tuesday October 22, 2002 @09:46PM (#4509651)
    Idiot.
    Where do you think the machines for the DDOS attack came from.
  • Re:And... (Score:3, Insightful)

    by Leto2 ( 113578 ) on Tuesday October 22, 2002 @09:54PM (#4509686) Homepage
    Most hosting services use 1 IP per apache setup and rely on the Host:-header and apache's vhosting capabilities to serve the right page.

    So, yes, for most of the WWW, DNS is just as important, or maybe even more important, than IP.

  • But... (Score:2, Insightful)

    by WhiteDragon ( 4556 ) on Tuesday October 22, 2002 @10:31PM (#4509863) Homepage Journal
    iirc, for ip addresses in email, foo@123.123.123.123 is not a valid email address, it should be foo@[123.123.123.123]
  • Re:And... (Score:5, Insightful)

    by erpbridge ( 64037 ) <steve AT erpbridge DOT com> on Tuesday October 22, 2002 @10:40PM (#4509895) Journal
    Yes, the Internet was designed to withstand a nuclear war on the surrounding world. However, a few things are different now than what that original design was for:

    1) This was not an attack on the surrounding world. This was an attack on the network itself, from inside the network itself.

    2) The Internet was designed to be able to route around problems in a specific global region (nuclear war) by having each node or site have connections to multiple other nodes, creating a redundancy that would be almost impossible to get around (at worst case, you could try to route a region through someone's 56K if that region's main providers went down). This redundancy is nowhere near what it should be.

    Also, the amount of nodes is magnitudes greater than the original founders ever thought of. The number of sites when that was said was around 20-30, and it was fairly easy for most of them to connect to each other and form a semi-mesh network.

    3) Dependence on centralized services. This attack was on one of the Internet's centralized services, the Alliance of 13 (DNS root servers). With a limited number of root DNS servers, it's easy to point to somewhere and say "There's the weakness, let's hit it". The root DNS servers are a balance between complexity (having more than one root server takes time to propagate complete changes amongst all of them) and redundancy (having only one or a few servers makes an even more vulnerable point than the Alliance of 13).

    Another major weakness is the continental backbones (for example, North America has the East Coast, West Coast, and transcontinental backbones) and their switching stations, like MAE East and West. Imagine if someone was able to take out all of MAE East in one shot, how crippled most of the Internet would be, for at least 12-36 hours while the alternate routing was put in place.
  • Re:And... (Score:1, Insightful)

    by Anonymous Coward on Tuesday October 22, 2002 @11:27PM (#4510127)
    It's not actually like "Our roadways would function just fine, even if all the cars were gone." It's more like saying the roadway would still work if maps and signs were gone. Just because about 95% of people can't find their way around doesn't mean there is something wrong with the roadways. You'll just have to learn where to go... the hard way, or ask a friend.
  • by 0x0d0a ( 568518 ) on Tuesday October 22, 2002 @11:31PM (#4510147) Journal
    And by golly, we should eliminate all functionality of the Internet other than port 80 outbound (through a transparent proxy) and port 25 and 110 (only to the ISP's mail server), and DNS to the ISP's name server.

    After all, 99.5% of people wouldn't notice, and who *really* cares about the remaining .5%?

    I really loathe the growing trend towards firewalling everything that moves. Mail outbound, other than to the ISP's mail server. Napster. Ping packets. It's really annoying to the people who actually *do* want to use said functionality.
  • by msobkow ( 48369 ) on Wednesday October 23, 2002 @12:02AM (#4510297) Homepage Journal

    You want full functionality? Sign off with your ISP for the appropriate connection service. If you pay for a small business link, you get the higher level access, and also take responsibility for the maintenance and security of your node. You get hacked, you participate in DDOS attacks, you should be financially responsible. If you really know your stuff to use the extra functionality, you should have no issue with taking responsibility for the risks incurred.

    Don't want to pay more? Don't want to be responsible? Don't get the access.

    There is no such thing as "rights" when your activities impact others. If you aren't willing to stand up and be responsible for your traffic (subnet/link/servers), then internet "society" has the responsibility to protect the rest of the community from you.

    If the internet is truly as critical to business as we all hope it to be, it only stands to reason that people are going to have to get "licenses" to run full service nodes and subnets. You don't get to drive without a license to demonstrate that you at least have the education and skills to do so safely -- why would you expect to do otherwise on the 'net?

  • Re:And... (Score:1, Insightful)

    by Anonymous Coward on Wednesday October 23, 2002 @12:16AM (#4510368)
    Ok hold on here. It's both hierarchical, implying something at the top that everything is based on, and at the same time, distributed, implying that it's not dependent on some central source? Dude, you're contradicting yourself, and so you're wrong.

    Umm, no. You don't know the definition of the word "distribute", therefore, you are wrong.

    Main Entry: distribute Pronunciation: di-'stri-by&t, British also 'dis-tri-"byüt Function: verb Inflected Form(s): -uted; -uting Etymology: Middle English, from Latin distributus, past participle of distribuere, from dis- + tribuere to allot -- more at TRIBUTE Date: 15th century transitive senses

    1 : to divide among several or many : APPORTION (distribute expenses)

    2 a : to spread out so as to cover something : SCATTER b : to give out or deliver especially to members of a group (distribute newspapers) (distribute leaflets) c : to place or position so as to be properly apportioned over or throughout an area (200 pounds distributed on a 6-foot frame) d : to use (a term) so as to convey information about every member of the class named

    Nothing in that definition implies what you are saying. In fact, definition 2b is the exact explanation of how DNS works. So, umm, STFU.

  • Re:And... (Score:3, Insightful)

    by mysticalreaper ( 93971 ) on Wednesday October 23, 2002 @01:36AM (#4510599)
    Hrm... Good point. I re-read the parents to remember why i got all worked up. it turns out that the first guy said 'decentralized', and it was that word i found to be wrong. When i read the response to that, he said distributed, and apparently i confused them in my own mind.

    Ahh... if only slashdot would let us edit posts, but alas, we cannot. So to correct my original statement, yes, it's distributed, but no, it's not decentralized, since all information starts at the top, the same top, hence its hierarchical nature.
  • Good point (Score:4, Insightful)

    by 0x0d0a ( 568518 ) on Wednesday October 23, 2002 @02:21AM (#4510716) Journal
    I worked in streaming media and know just how hard it can be to get through normal corporate firewalls and it SHOULD be.

    Amen.

    The only reason we hear the words "web services" at *all* are because the bejeezus has been firewalled out of everything except for web access at most companies. From a technical standpoint, "web services" are a massive step backwards...we had much superior systems before we had to run all communication through http.

    Web services are the ongoing rejection of developers and users of the blocking of services crossing the firewall. Eventually, everything will be tunneled over http, and we'll be back where we started (same things accessible across the firewall), albeit with a somewhat less efficient system.

    "The Internet treats censorship as damage, and routes around it."
    -- John Gilmore
  • Re:Not a myth (Score:3, Insightful)

    by commodoresloat ( 172735 ) on Wednesday October 23, 2002 @04:49AM (#4511137)
    Interesting. After doing some research, I hereby eat my words. The ARPA founders agree that their purpose wasn't to build a network that would survive a nuclear war. But that is what Baran designed and published, and as far as I can tell the architecture of ARPANet relied on Baran's work, and of course the mission of DARPA was to keep the US ahead of the Soviets in terms of technology, and the specific fear was of a decapitating Soviet nuclear attack. So, while I think it is wrong to say the Internet was created to survive a nuclear attack, I think calling it a "myth" and a "fable" might be a bit extreme -- it might be accurate to say that the Internet was created in part as a response to this fear. But the connection is definitely less direct than I had always thought, and it's interesting how much folks like Cerf and Taylor want to distance it from that explanation. Nonetheless, the system is designed to "operate while in tatters" - and that's a design goal of ARPANET whether or not they spoke about nuclear war.
  • >I don't notice medical doctors getting bored with their patients and for a joke amputating a leg instead of an ingrowing toenail because the patient was too stupid to cut their nails correctly and wear the right footwear.

    But you do notice that if you constantly harm yourself after being told something is bad for you that you end up in a psychiatric ward.

    Let's put it this way: If you owned a car and didn't put oil in it, blew up the engine, and were told you need to put oil in the next car, but didn't and blew that one up too, the entire world would laugh at you. Especially the mechanic. And if it were a company mechanic, and not Midas mufflers, so he isn't getting paid by the job, don't expect the car to get fixed anytime soon. In fact, expect your boss to call you an idiot.

    For some reason, in the world of computers, it doesn't work like this. If you consistently break your computer in the same way in an office, the boss isn't likely to call you a moron, and you're still going to get it fixed as fast as the first time. Maybe calling that person an idiot is what needs to happen to get these users to respect their computers. Whatever is happening now sure isn't working.
  • by doc_brown ( 73383 ) on Wednesday October 23, 2002 @01:09PM (#4513920) Homepage
    Maybe I'm just being paranoid, but to me this seems like it's a probing attack. Now that the attack is done, they know exactly what they need to do to kill the servers:

    Go a little bigger and have it last 12+ hours.

    Now that would start some serious problems.
