Internet Backbone DDOS "Largest Ever" 791
wontonenigma writes "It seems that yesterday the root servers of the internet were attacked in a massive Distributed DoS manner. I mean jeeze, only 4 or 5 out of 13 survived according to the WashPost. Check out the orignal Washington Post Article here."
Well there we go! (Score:4, Interesting)
Article:
"Despite the scale of the attack, which lasted about an hour, Internet users worldwide were largely unaffected, experts said."
All I can say is that if you think of this as a test, I'm happy it passed.
(Insert joke about Beowulf cluster of DDOS attacks / the servers ability to withstand the slashdot effect.)
Why attack (Score:1, Interesting)
Also I doubt that the routers are setup to recognize any kind of attack as they are just relays between the net and the server. Possibly the attack could go on for quite some time before any one realized what was going on.
As I said I am not an expert could some-one enlighten me?
Before anybody gets their panties in a knot (Score:5, Interesting)
"when uunet or at&t takes many customers out for many hours, it's not a problem
With something like the root nameservers, if it was an important attack, you would have noticed. I run an ISP and we had zero complaints, even from the Everquest whiners who complain at the drop of a hat about anything.when an attack happens that was generally not even perceived by the users, it's a major disaster
i love the press"
Re:13 servers (Score:2, Interesting)
Preaching to the choir... (Score:3, Interesting)
I'd love to see a breakdown of what networks the attacks came from and what the OS distribution was... pie charts optional.
-B
Re:Couldn't have been that bad... (Score:4, Interesting)
Twenty minutes later, though, everything seemed fine, and the sites that wouldn't resolve earlier finally did. I wondered if something... erm.. unusual was going on, and it looks like there was...
As always, your mileage will undoubtedly vary...
Re:Couldn't have been that bad... (Score:2, Interesting)
Any other comparisons from around the world?
Re:oh my... (Score:4, Interesting)
And *nix systems are infinitely more scriptable, so I think it's more likely those were used for the attack (if I remember correctly, unsecured Linux where used for the big DDOS attacks on Yahoo and Ebay etc some years ago).
Re:And...? (Score:2, Interesting)
Re:And for all you tech support people out there.. (Score:3, Interesting)
Re:And... (Score:4, Interesting)
Re:And... (Score:2, Interesting)
The network is the computer; The services are the network; therefore, the services are the computer
Punishment options. (Score:1, Interesting)
Likewise the ISPs who carried these people should also be punished.
one possible punishment is to have your IP blacklisted for a month. Or maybe just have your Domain Name removed from the top level DNS for a month.
Sure that would suck, but punishment is supposed to suck.
Re:undisclosed location (Score:5, Interesting)
Disclaimer, I work for VeriSign. This is a personal opinion, not company policy. The details of the disaster recovery scheme are of course confidential. However I can tell people that we did think about these issues during the design. We have always known that people might think the DNS was a single physical point of failure for the internet. That is why we designed it so that it is not.
There are multiple locations. The 'A root' is NOT a single machine. There are actually multiple instances of the A root with multiple levels of hotswap capability.
Incidentally it is no accident that the VeriSign root servers stayed up. They were designed to handle loads way beyond normal load. The ATLAS cluster is reported to handle 6 billion transactions a day with a capacity very substantially in excess of that.
Even if all the A roots were physically destroyed the roots can be reconstructed at other locations. Basically all that is needed is a site with a very fast internet connection. In the case of a major terrorist attack AOL or UUNet or even an ARPAnet node could be comandered. The root could even be moved out of the country entirely, British Telecom is a VeriSign affiliate, there are also several other affiliates with nuclear hardened bunkers.
Most Americans have only been thinking about terrorism since 9-11. VeriSign security was largely designed by people who thought about terrorism professionaly, unless of course they were in charge of securing nuclear warheads.
All a terrorist could do is to kill a lot of people, there is absolutely no single point of failure. Even if the entire constellation is destroyed it would result in an outage of no more than a day given the resources that would become available in the aftermath.
Re:Well there we go! (Score:5, Interesting)
The attackers were idiots. They used ICMP echo requests (easily filterable, since the DNS servers don't _have_ to answer those) and quit after an hour. More publicity stunt than actual attempt to damage, IMNSHO.
I've been trying to publish a paper about exactly this (and how to redesign DNS to avoid the vulnerability) and I'm just pissed that they didn't tell me in advance so that I could do some measurements. :)
Re:And... (Score:4, Interesting)
Who's being paranoid? (Score:1, Interesting)
way, concern with terrorism with Genocide or
Mc Carthyism is silly. Your style of thinking
is perhaps more susceptible to some moral crime.
BTW, I live in DC. I actually do think we need
to suspend our concerns with "offending somebody"
or "behaving unpolitically correct" and crack down.
We must stand up to evil and if it means
outraging an ACLU lawyer, then so be it.
It's better to live in a free society that
must occassionaly be brutal and unfair than to lapse into
a tyranny. Witness the well meanging Russian,
French and Iranian revolutions. The war
against Terror has just begun.
The question stands: Is it a coordinated
terrorist attack?
I would draw an opposite conclusion (Score:4, Interesting)
Fine, so the attack was unintelligent. What will happen when someone attacks MAJORLY and INTELLIGENTLY?
This gets my panties in a knot. A piddly attack brought down 65% of the root name servers! A good attack would have brought them all down! That doesn't that worry you?
Re:I work for JPNIC (Score:5, Interesting)
CORPZ : MVDOMIZN HELLO TO KOTARI ON UNDERNET
Well, this shouldn't take the FBI long. A quick Google search shows that Undernet's Kotari owns the domain www.kotari.com, which he's recently taken down but still shows whois records..
Re:And for all you tech support people out there.. (Score:1, Interesting)
That's the scary part.... (Score:4, Interesting)
Running NT and BIND? (Score:5, Interesting)
It's really easy to setup a system which dumps your SQL database out to a TinyDNS file [www.fefe.de]. TinyDNS [cr.yp.to] is provably secure software. I would expect that you would use it on the root servers, since it's designed to work at very high levels of output/uptime, and be attack resistant to the point of being attack proof.
Say what you will about D. J. Bernstein [cr.yp.to], he does have a very capable DNS solution [cr.yp.to] available.
Re:And for all you tech support people out there.. (Score:3, Interesting)
The important caching (Score:4, Interesting)
For the most common 2LD names, any major ISP will have cached the addresses for them, and won't need to hit the .com server until the typical 1-week or 24-hour cache timeout periods. If your nameserver is ns.bigisp.net, somebody there will have looked up google.com in the last 2 seconds, even though nobody at your ISP has looked up really-obscure-domain.com this week - but even that one may be in the cache because some spammer was out harvesting addresses. An obvious scaling/redundancy play for the root servers and for the major ISPs would be to have them cache full copies of the root server domains to keep down the load and reduce dependency. It's not really that much data - 10 million domains averaging 30 characters for name and IP addresses is only half a CD-ROM. An interesting alternative trick would be for the Tier 1 ISPs to have some back-door access to root-level servers for recursive querying.
Comment removed (Score:5, Interesting)
Re:Caching IP in Bookmarks? (Score:3, Interesting)
At a hosting company for example, let's say they have two class Cs 1.2.3.0/24 and 4.5.6.0/24, now let's say the first one is used for webhosting and the second one is used for other company services. Okay, great, except they decide to restructure. Now www.knittingforoldladies.com used to be 1.2.3.4, and Granny bookmarked it and her browser oh-so-intelligently caches the IP. Except now the company restructures, and www.knittingforoldladies.com is now 4.5.6.7. 1.2.3.4 is now some other random customer website. Oh, crap, what happened to the knitting? Sure, the browser could check and note that the connection it has made does not respond for 'knittingforoldladies.com', but why even go that far? DNS is meant to provide access to a rapidly changeable hierarchial database of names which map to addresses. Doing bogus cacheing on the client end for any length of time is not sane.
Re:And... (Score:3, Interesting)
Um, there is if you run BIND, considering its appalling security record.
WD40 (Score:5, Interesting)
Hmmm, last I looked at the Cisco feature set (or the like from Foundry and Nortel and what have you), it was a challenge to put in rules that
a) didn't take out significant "good" traffic, and
b) did take out significant "bad" traffic.
I agree that rate limiting ICMP traffic is an appropriate answer, especially in the light of this particular attack, but I'm appalled by the number of illitarate dorks who copy snippets titled "how to block all ICMP" from a textbook into their firewall without the slightest understanding of why ICMP was implemented in the first place.
I hate to think of what could happen if the 31334 hackers really start mixing attacks.
I positively _love_ wd40, but I will not apply it to reduce the squeeking of my cars brakes. Too many people use the Internet equivalent of WD40 on their network brakes.
But not distributed enough (Score:4, Interesting)
Bullshit.
I had obvious impacts trying to resolve DNS names during the time period of the attack (Delaware AT&T), despite having a caching name server on my local net, which queries AT&T's caching (primary?) servers.
ISPs should be responsible for providing the DNS services to their customers in timely and reliable fashion, querying their backbone providers in turn. Direct queries of the root servers by subnets should be verboten and expressly blocked by the ISP firewalls. If you need to resolve an refresh, probe the ISP DNS and let their system handle the distribution. That way the root servers become repositories and key distribution points instead of failure points like yesterday.
I'm sure someone will object that they have the "right" to use whatever ports they want and that they don't want to rely on the stability of their ISP's servers, but we're talking about the infrastructure people! We have no more "right" to hit the root directly than to clamp a feed from the power company mains to the house or splice into the cable TV/broadband wiring.
If we don't protect and distribute infrastructure resources adequately, everyone is affected. And if your ISP has servers that are too unreliable for this type of filtered distribution to work, change providers!
Re:Preaching to the choir... singing here (Score:3, Interesting)
It is like the joke about 2 people running from a bear. You don't have to outrun the bear, you only have to outrun your friend.
Why bother cracking an almost insecure machine, when you have thousands of completely insecure ones to do your bidding?
Re:And... (Score:2, Interesting)
For bonus marks, think about whether a DDoS attack on 13 servers with fixed IP addresses requires DNS resolution at all, let alone before every packet is sent.
Re:Can someone tell me why... (Score:1, Interesting)
But DNS administrators vote with their hints files, and it just so happens that [a-m].root-servers.net are the most popular root servers around, probably even more popular than ever, considering they just weathered a concerted DDOS attack without most people even realizing that it was happening (can any of these "alternate root" folks claims such resiliency?)
Re:Where's the Inter in the 'Net? (Score:1, Interesting)
coming back to something.... (Score:2, Interesting)
DDOS Sophistication Varies (Score:4, Interesting)
But, yeah, some of the attacks aren't much different than using a loudspeaker to announce "Free Beer at Victim.com"
A good tech article explaining DDOS attack (Score:2, Interesting)
Zzzzz... wake me up if it's something important... (Score:2, Interesting)
Secondly, Rob Thomas has made an excellent template for securing BIND against all sorts of "stupid user tricks" which can be found here:
http://www.cymru.com/Documents/secure-bind-templat e.html [cymru.com]
Thirdly, quoting Louis Touton saying "We're not aware of any users that were in any way affected." was a serious mistake. ICANN haven't taken any notice of internet users up until now, so why should they start now?
The article went on to say "VeriSign expects that these sort of attacks will happen and VeriSign was prepared," company spokesman Brian O'Shaughnessy said. If you want a likely suspect, try this one - brought to you, of course, by Verisign:
http://www.arabtrust.com/training/courses/hacking/ index.html [arabtrust.com]
There may be much more to this (Score:3, Interesting)
Those of you who actually took the time to read my essay, "Cyberwar: How Terrorists Could Defeat the U.S., and Why They Won't [cryptogon.com]," (requires Acrobat 5 [adobe.com], not 4.) might get chill running up your backs when you read this. I'm still sticking to my original thesis, however: The Internet won't be brought down by terrorists because corporations and governments need it, and the terrorists serve the interests of corporations and governments. Regardless, I hope this DNS attack isn't a prelude to a bigger operation. Note how they say that it just ran for an hour and then stopped! Note this story [cryptogon.com], which detailed the creation of attack zombies with P2P capabilities, allowing them to be targetted at will. Also note that a top infrastructure protection analyst was just killed by the Maryland area sniper [cryptogon.com]! And within a couple of days we see the largest DDOS attack on root DNS systems ever!? (Long Pause) Keep a sharp eye out for weirdness, folks, something BIG might be coming down:
Here's what I wrote back on September 14, 2002:
Maybe the terrorists start taking out some or all of the thirteen root domain name server systems (I think there are still 13) or interrupting communications to those root servers [today's DDOS incident]. (Thankfully, a couple of these systems are located in places that have people with guns guarding them.) These root servers are used by thousands of other lower level domain name systems and receive about 300 million requests per day.
Domain name systems are used to translate human readable URLs, like www.cryptogon.com into machine usable IP addresses like 209.115.132.59. There is much concern about the root DNS systems. Many articles on this topic are easily accessible. Much of the concern, however, is focused on hackers DOSsing the root servers. Again, this misses the point.
What is the physical security like at the non-military root DNS facilities?
I've driven by one of the buildings hundreds of times because I used to live near it. It looks just like any other small office building. How long would this place hold up against a few armed terrorists who were willing to die TO BRING DOWN A ROOT DNS NODE? Think about it. The same goes for the data centers mentioned previously. Surely these places should have armed security. But even if they did, are they prepared to stop terrorists who have no intention of ever getting out alive?
Here's what just happened:
The heart of the Internet sustained its largest and most sophisticated attack ever, starting late Monday, according to officials at key online backbone organizations.
Around 5:00 p.m. EDT on Monday, a "distributed denial of service" (DDOS) attack struck the 13 "root servers" that provide the primary roadmap for almost all Internet communications. Despite the scale of the attack, which lasted about an hour, Internet users worldwide were largely unaffected, experts said.
FBI officials would not speculate on who might have planned or carried out the attack.
David Wray, a spokesman for the FBI's National Infrastructure Protection Center (NIPC), said the bureau is "aware of the reports and looking into it."
DDOS attacks overwhelm networks with an onslaught of data until they cannot be used. According to security experts, the incident probably was the result of multiple attacks, in which attackers concentrate the power of many computers against a single network to prevent it from operating.
"This was the largest and most complex DDOS attack ever against the root server system," said a source at one of the organizations responsible for operating the root servers.
Re:Running NT and BIND? (Score:2, Interesting)
You should really take a look at recent proof efforts before mouthing off like this.
If I may point you to two examples:
Another point (and this is an important one): personal experiences don't generalise
"License"? WTF are you talking about? (Score:5, Interesting)
Yes, I do. The same peer-to-peer functionality that hosts on the Internet have had forever. I got my fill of "Internet access", but not being an Internet peer when everyone was selling dialup shell accounts but not PPP.
Sign off with your ISP for the appropriate connection service.
So *I* should pay *more* for them to do *less* work?
That's as bad as the pay-extra-if-you-don't-want-your-number-listed phone company procedure.
If you pay for a small business link, you get the higher access level, and also take responsibility for the maintenance and security of your node.
I *already* take responsibility for the maintenance and security of the node. I don't need to pay any more money to take said responsibility.
You get hacked, you participate in DDoS attacks, you sould be financially responsible.
There's no legal difference between a business and a home account from a financial responsibility point of view. What are you talking about?
If you really know your stuff to use the extra functionality, you should have no issue with taking responsibility for the risks incurred.
I *don't* have an issue with that. I just don't want to pay inflated business-class prices for standard peer-to-peer access.
Don't want to pay more?
Not particularly, no.
Don't want to be responsible?
Well, I'd kind of prefer to not be responsible (
Don't get the access.
Conclusion does not follow.
There are [sic] no such thing as "rights" when your activities impact others.
You seem to have misquoted me. I did not use the word "rights" anywhere in my original post, or claim that I had any such rights (legal or ethical) whatsoever. I did say that it was *annoying* to me.
If you aren't willing to stand up and be responsible for your traffic
Where, where, did you get the impression that I said this at all?
If the internet is truly as critical to business as we all hope it to be, it only stands to reason that people are going to have to get "licenses" to run full service nodes and subnets.
That has no bearing whatsoever on my argument. I also don't think that the potentially critical relationship to business can be said to imply that one needs a license. Electricity is quite critical to US industry (hell, it's physically dangerous), yet one doesn't need a license to utilize it.
You don't get to drive without a license to demonstrate that you at least have the education and skills to do so safely -- why would you expect to do otherwise on the 'net?
Still has no bearing on my argument.
Furthermore, I'd like to point out again that screwing up while driving can easily end up with many people dead. Even with the license system, cars are the leading cause of death of teens and young adults. I don't think you can compare that at all to the Internet, where maybe someone gets a Code Red infection. The Internet is important, but not knowing what you're doing on the Internet is wildly different (at least currently) from being an active threat to the lives of others.
Read between the lines... (Score:3, Interesting)
Exactly. Unfortunately there is not much info in the article, but if you read between the lines, you get:
- the attack only lasted some hours (<6 I assume)
- if it would have lasted longer, users would have experienced problems
- 4 out of 5 root servers remained running (probably meaning they didn't crash but they still were severely congested)
This means that the only reason the internet at large did not experience serious problems is the fact that
1. DNS servers use query forwarding and caching extensively and
2. the attack lasted shorter than most cache timeouts
This leaves us with the question why it only lasted as short as it did? Did the attacker just try to make a point? And what will they do against it in the long run (if currently there isn't really much they can do at all)?
Re:And... (Score:5, Interesting)
What my DNS server does is mandate an ACL (list of IPs allowed to make recursive queries; this can be set to "all hosts on the internet" if desired) if recursion (talking to other DNS servers) is enabled. Recursion takes a lot more work to do than authoritative requests; it is best to limit access to this.
Unlike Dan, I feel that a DNS server should be both recursive and authoritative because it allows one to customize the resolution of certain hostnames. The idea is similiar to /etc/hosts, but also works with applications which ignore /etc/hosts and directly perform DNS queries. For example, I was able to continue to connect to macslash.com [slashdot.org] when a squatter bought the domain and changed its official ip; I simply set up a zone for macslash.com, and made MaraDNS both recursive and authoritative.
SMTP servers have IP restrictions at the application layer because this gives people some idea why they can't send email to a given host. A firewall restriction gives a vague "connection timed out" message in the bounce email message; application-level filtering allows the bounce message to say something like "You're from a known Spam-friendly ISP; go away".
- Sam
Duration of the Attack (Score:2, Interesting)
UUNet/MCI has known that its network has hidden vulnerabilities since July of this year when I contacted them about similar symptoms on their customers' networks, and that there was a fix. The US House and Senate Armed Services Committees were contacted over a month ago about this issue in light of the obvious national security implications. MCI's Legal Department knew, in their words, 'that their network had these problems' and that it was a matter of time before this happened but so far have refused to negotiate for my help to show them how to fix their net's probs claiming they were working on it 'internally.'