Internet Backbone DDOS "Largest Ever" 791
wontonenigma writes "It seems that yesterday the root servers of the internet were attacked in a massive Distributed DoS manner. I mean jeeze, only 4 or 5 out of 13 survived according to the WashPost. Check out the original Washington Post Article here."
Couldn't have been that bad... (Score:4, Insightful)
I'd say this just goes to show how reliable the root name servers are. I didn't notice any dns problems yesterday. In fact, I don't remember any root name server problems since the infamous alternic takeover.
Re:And... (Score:4, Insightful)
A subterranean bunker is designed to withstand nuclear wars, but what do you think would happen if the nuke was inside the bunker?
NIPC Ineffective (Score:1, Insightful)
The US FBI at its best...
Where's the Inter in the 'Net? (Score:1, Insightful)
Test run (Score:3, Insightful)
Maybe to cause a false sense of security, maybe to analyse how those crucial networks cope with DOS attacks so as to be more successful next time.
Whether these people were Bin Laden's boys or garden variety hax0rs don't get too comfortable. The worst is yet to come.
Sophisticated? (Score:5, Insightful)
I've never considered DDOS all that sophisticated myself. It seems to me that "wow a script kiddie got more systems under his control than usual" more than "a great cracker is on the loose". Though I suppose if it were a great cracker then they could have been proving themselves by predicting the attack.
And...? (Score:5, Insightful)
Indeed, no traffic slowdown, no more than usual support calls. The system works as expected, even under attack.
Worth a read: Caida DNS analysis [caida.org], and more specifically those graphs [caida.org]. It would be interesting to know which DNS sustained the attack, in regard to the graphs.
Looks worse than it is (Score:4, Insightful)
If you really want to, build your own root server [ipal.net]
Re:And for all you tech support people out there.. (Score:3, Insightful)
Yeah... (Score:4, Insightful)
Re:Thats some serious DOSing (Score:2, Insightful)
All administrators, no matter what system they are using, should concentrate on making their systems as secure as possible.
Re:Where's the Inter in the 'Net? (Score:5, Insightful)
The Internet's roots have nothing to do with democracy. Quite the opposite, your military wanted a communications network that could survive a nuclear holocaust so that it would be the first to rebuild and conquer the world when the evil reds launched the first nuke.
Most of the TLDs are in the USA because the DNS system was created in the USA, and was largely hosted by US providers. It's too much trouble to move them, and of limited benefit. If they ever decide to add new ones, it's likely that they'll put at least one in Japan, and probably a couple in Europe.
Even so, though, the main reason for their dispersal is to survive a nuclear attack that takes out one or two. I don't know if you've looked at a map recently, but the USA is big. It's not like all 13 of the TLD servers are located in a trailer in rural Kentucky. You'd have to carpet bomb the entire USA to be sure of taking out all 13 of them, and frankly, if somebody had the resources to turn the entire country into a self-illuminating glass-floored parking lot, the Internet would be the least of my worries.
Re:I would draw an opposite conclusion (Score:2, Insightful)
kashani
Re:Punishment options. (Score:5, Insightful)
Seriously. How do you plan on enforcing this? Not only is it a huge expenditure of resources to track down the number of computers used in the attacks, to track down their IP addies, to obtain the needed court orders to obtain their ISP's logs, the resources to parse those logs to find out who was logged on, and *then* go about prosecuting the offenders, what would it accomplish?
If Code Red taught us anything, it's that the dumb won't change a thing about the way they work, regardless of how much the internet community ridicules them. It's also completely nuts to punish the ISPs for this... where does it stop? I'm pretty sure that some AOL clients were responsible (and while I wouldn't complain about no AOL'ers for a while, I bet they would). How about people who buy their access directly from UUNet? Gonna block out UUNet for a month?
Even if you could implement that punishment of the ISPs, it wouldn't accomplish much. It wouldn't hurt me at all if I was blocked from direct access to the TLD servers, because inside my network I'm running a mirror. My ISP is running a mirror. I know of a dozen open DNS servers on the internet. I'm betting I could find at least one that wouldn't block me.
Seriously, though. It's great to say we should punish these people for not securing their systems, but you have to understand just how many computers would be needed for this attack. The TLD servers aren't running on 64k ISDN: they're on OC48 at least. There's 13 of them. The kind of bandwidth needed to adequately DoS them is obscene. You either do it the dumb way and use 50 computers running on the fastest connection available, or you use *hundreds* of computers, possibly thousands or tens of thousands.
Looks great on paper, but realistically there's not much point in ranting like this. Besides... if it wasn't for the article, I'm betting that most of the world wouldn't have noticed.
Thoughts from a DNS implementor (Score:5, Insightful)
I only noticed it because I use my own DNS server [maradns.org] to resolve requests; and pay close attention whenever I see any problems resolving host names (there is the possibility of it being a bug with my software).
The person who orchestrated this attack is not very familiar with DNS. Attacking the root name servers is not very effective; all the root servers do is refer people to the .com, .org, or other TLD (top-level-domain) name servers. Most DNS servers remember the list of the name servers for a given TLD for a period of two days, and do not need to contact the root servers to resolve those names. While some lesser-used country codes may have had slower resolution times, an attack on the root servers which only lasts an hour can not even be felt by the average end user.
In the case of MaraDNS, if a DOS (denial of service) is happening against the root servers, MaraDNS will be able to resolve names (albeit more slowly for lesser-used TLDs) until every single root server is successfully DOS'd.
- Sam
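The caching argument in the post above, replayed as an added illustration (not part of the original thread and not MaraDNS code): a toy resolver that models only the root-to-TLD referral step. The two-day referral lifetime and one-hour attack come from the post; the root letters, timestamps, workload and the choice of surviving roots are constructed for the example.

```python
import string

ROOTS = string.ascii_lowercase[:13]        # constructed labels a..m for the 13 roots
TLD_NS_TTL = 2 * 24 * 3600                 # "two days", per the post
OUTAGE_START, OUTAGE_LEN = 100_000, 3600   # constructed start time, one-hour attack

class CachingResolver:
    """Toy resolver: caches TLD referrals and asks a root only on a cache miss."""
    def __init__(self, survivors):
        self.survivors = set(survivors)    # roots still answering during the attack
        self.tld_expiry = {}               # tld -> time the cached referral expires

    def _reachable(self, root, now):
        attacked = OUTAGE_START <= now < OUTAGE_START + OUTAGE_LEN
        return (not attacked) or root in self.survivors

    def lookup(self, tld, now):
        if self.tld_expiry.get(tld, -1) > now:
            return "cache"                 # referral still fresh, no root contact
        for root in ROOTS:                 # try each root until one answers
            if self._reachable(root, now):
                self.tld_expiry[tld] = now + TLD_NS_TTL
                return "root"
        return "fail"                      # cold cache and every root is down

def simulate(survivors):
    """Replay a constructed workload and count how each lookup was answered."""
    resolver = CachingResolver(survivors)
    # 'com' is queried every 10 minutes for the whole run (warm cache);
    # 'tv' stands in for a rarely used TLD first queried during the attack.
    events = [(t, "com") for t in range(0, 200_000, 600)]
    events += [(t, "tv") for t in
               range(OUTAGE_START, OUTAGE_START + OUTAGE_LEN, 600)]
    tally = {}
    for now, tld in sorted(events):
        key = (tld, resolver.lookup(tld, now))
        tally[key] = tally.get(key, 0) + 1
    return tally

if __name__ == "__main__":
    print("all 13 roots down:", simulate(""))
    print("4 roots survive:  ", simulate("efgh"))
```

Even with every root unreachable, only the cold-cache TLD fails; with any survivor, nothing fails.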
Re:And... (Score:4, Insightful)
hint: read the last paragraph of Cmdrtaco's last journal.
just run a local DNS cache; if something is unreachable, you have the cached entry to work off of. When changes are made, you get the update automatically.
Re:al qaeda? (Score:2, Insightful)
McCarthyism?
No race is being systematically killed that I can see.
McCarthy, though a power mad drunk and witless individual did point out the broadening influence of Communism and help to root out some very corrupt individuals. Wouldn't call him a hero. But his name has taken on a connotation that moves away from reality.
Al Qaeda is not a random group. If people, especially Americans are paranoid right now, it might have something to do with Muslims killing innocent civilians for their religious salvation.
Couple that with a sniper on the loose around the Nation's capital, and yeah, a DDOS attack on the backbone of the worldwide information structure the U.S. built, I'm thinking Terrorism is a fairly good guess.
Why? Are you from France?
How many of you are.. (Score:3, Insightful)
Re:And... (Score:3, Insightful)
"Safeguards" prevented a noticeable effect... (?) (Score:1, Insightful)
Re:Preaching to the choir... (Score:1, Insightful)
Where do you think the machines for the DDOS attack came from?
Re:And... (Score:3, Insightful)
So, yes, for most of the WWW, DNS is just as important, or maybe even more important, than IP.
But... (Score:2, Insightful)
Re:And... (Score:5, Insightful)
1) This was not an attack on the surrounding world. This was an attack on the network itself, from inside the network itself.
2) The Internet was designed to be able to route around problems in a specific global region (nuclear war) by having each node or site have connections to multiple other nodes, creating a redundancy that would be almost impossible to get around (at worst case, you could try to route a region through someone's 56K if that region's main providers went down). This redundancy is nowhere near what it should be.
Also, the amount of nodes is magnitudes greater than the original founders ever thought of. The number of sites when that was said was around 20-30, and it was fairly easy for most of them to connect to each other and form a semi-mesh network.
3) Dependence on centralized services. This attack was on one of the Internet's centralized services, the Alliance of 13 (DNS root servers). With a limited number of root DNS servers, it's easy to point to somewhere and say "There's the weakness, let's hit it". The root DNS servers are a balance between complexity (having more than one root server takes time to propagate complete changes amongst all of them) and redundancy (having only one or a few servers makes an even more vulnerable point than the Alliance of 13).
Another major weakness is the continental backbones (for example, North America has the East Coast, West Coast, and transcontinental backbones) and their switching stations, like MAE East and West. Imagine if someone was able to take out all of MAE East in one shot, how crippled most of the Internet would be, for at least 12-36 hours while the alternate routing was put in place.
Re:And... (Score:1, Insightful)
Sure, let's just do that (Score:5, Insightful)
After all, 99.5% of people wouldn't notice, and who *really* cares about the remaining
I really loathe the growing trend towards firewalling everything that moves. Mail outbound, other than to the ISP's mail server. Napster. Ping packets. It's really annoying to the people who actually *do* want to use said functionality.
Internet "license"? (Score:5, Insightful)
You want full functionality? Sign off with your ISP for the appropriate connection service. If you pay for a small business link, you get the higher level access, and also take responsibility for the maintenance and security of your node. You get hacked, you participate in DDOS attacks, you should be financially responsible. If you really know your stuff to use the extra functionality, you should have no issue with taking responsibility for the risks incurred.
Don't want to pay more? Don't want to be responsible? Don't get the access.
There is no such thing as "rights" when your activities impact others. If you aren't willing to stand up and be responsible for your traffic (subnet/link/servers), then internet "society" has the responsibility to protect the rest of the community from you.
If the internet is truly as critical to business as we all hope it to be, it only stands to reason that people are going to have to get "licenses" to run full service nodes and subnets. You don't get to drive without a license to demonstrate that you at least have the education and skills to do so safely -- why would you expect to do otherwise on the 'net?
Re:And... (Score:1, Insightful)
Umm, no. You don't know the definition of the word "distribute", therefore, you are wrong.
Main Entry: distribute Pronunciation: di-'stri-by&t, British also 'dis-tri-"byüt Function: verb Inflected Form(s): -uted; -uting Etymology: Middle English, from Latin distributus, past participle of distribuere, from dis- + tribuere to allot -- more at TRIBUTE Date: 15th century transitive senses
1 : to divide among several or many : APPORTION (distribute expenses)
2 a : to spread out so as to cover something : SCATTER b : to give out or deliver especially to members of a group (distribute newspapers) (distribute leaflets) c : to place or position so as to be properly apportioned over or throughout an area (200 pounds distributed on a 6-foot frame) d : to use (a term) so as to convey information about every member of the class named
Nothing in that definition implies what you are saying. In fact, definition 2b is the exact explanation of how DNS works. So, umm, STFU.
Re:And... (Score:3, Insightful)
Ahh... if only slashdot would let us edit posts, but alas, we cannot. So to correct my original statement, yes, it's distributed, but no, it's not decentralized, since all information starts at the top, the same top, hence its hierarchical nature.
Good point (Score:4, Insightful)
Amen.
The only reason we hear the words "web services" at *all* is because the bejeezus has been firewalled out of everything except for web access at most companies. From a technical standpoint, "web services" are a massive step backwards...we had much superior systems before we had to run all communication through http.
Web services are the ongoing rejection of developers and users of the blocking of services crossing the firewall. Eventually, everything will be tunneled over http, and we'll be back where we started (same things accessible across the firewall), albeit with a somewhat less efficient system.
"The Internet treats censorship as damage, and routes around it."
-- John Gilmore
Re:Not a myth (Score:3, Insightful)
Re:And for all you tech support people out there.. (Score:2, Insightful)
But you do notice that if you constantly harm yourself after being told something is bad for you that you end up in a psychiatric ward.
Let's put it this way: If you owned a car and didn't put oil in it, blew up the engine, and were told you need to put oil in the next car, but didn't and blew that one up too, the entire world would laugh at you. Especially the mechanic. And if it were a company mechanic, and not Midas mufflers, so he isn't getting paid by the job, don't expect the car to get fixed anytime soon. In fact, expect your boss to call you an idiot.
For some reason, in the world of computers, it doesn't work like this. If you consistently break your computer in the same way in an office, the boss isn't likely to call you a moron, and you're still going to get it fixed as fast as the first time. Maybe calling that person an idiot is what needs to happen to get these users to respect their computers. Whatever is happening now sure isn't working.
Just a probing attack? (Score:2, Insightful)
Go a little bigger and have it last 12+ hours.
Now that would start some serious problems.