Slashdot Log In
DNS Root Servers Attacked
Posted by
kdawson
on Tue Feb 06, 2007 05:46 PM
from the flexing-muscles dept.
from the flexing-muscles dept.
liquidat and others wrote in with the news that the DNS Root Servers were attacked overnight. It looks like the F, I, and M servers felt the attack and recovered, whereas G (US Department of Defense) and L (ICANN) did less well. Some new botnet flexing its muscle perhaps? AP coverage is here.
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Thank goodness... (Score:5, Interesting)
Thank goodness... (Score:5, Funny)
(http://pyscrabble.sf.net/)
... for resolving caches.
Thank goodness... (Score:4, Funny)
(http://ziz.org/~ziz/)
Re:Ban all Microsoft Users from the Internet... (Score:5, Insightful)
Microsoft is an easy target, given the insanely large user-base. However, if those users suddenly switched to Linux, it's doubtful that their practices would stop - they'd still install whichever distribution looked the best, installed 134 unneeded services and enabled them all by default, open unsafe attachments, and never update their computer.
In every operating system I've seen yet, security is an inconvenience. While you and I think that the tradeoff is worth it, we will always be outnumbered by people who think that it isn't. People who log in as "Administrator" would just as quickly read their email and browse porn sites as "root". Sad, but true.
Re:Ban all Microsoft Users from the Internet... (Score:5, Insightful)
One of Vista's features is the way that even if you log in with admin privileges, you don't actually have them until you jump through an extra hoop, and even then I think you only have them only as long as necessary. I'm sure that if it has been implemented correctly, it will certainly shorten the amount of self-hanging rope available to the average user.
I'm also sure that there are lots of people working on a hack to disable this right now. (I've not used Vista so I may be misinformed - there may be a way to disable it easily anyway?)
And even without that, enough people are gullible enough that if a web site says that to use the available features correctly you need to "follow these simple instructions", it will be done.
Re:Ban all Microsoft Users from the Internet... (Score:5, Interesting)
1: Drive one completely insane.
2: Insensitize one to the point where one clicks 'Yes' on any dialog that pops up.
3: Cause one to disable UAC prompting.
Examples:
You want to look at the event log... well you're gonna need some extra admin priviledges. Are you sure you want to look at the event log?
You want to run visual studio 2005... that complains too. Would someone please explain to me WTF running an IDE requires admin fucking rights!
Microsoft's approach of security by nagging the user to death is fundamentally flawed.
I swear, if I hadn't turned of UAC prompting, there would be a craig's list posting right now for a slighty shot-gunned compy.
Re:Ban all Microsoft Users from the Internet... (Score:4, Informative)
When Microsoft knew they were going to release XP Pro they should have started pushing multi-user features in their developer kits. All authoring systems should have had an option to build for multi-user and all installation kits should have been set up to do the same with a radio button. I suspect that Microsoft did not bother to do this, or they charged extra for it. As it stands out of maybe twenty large and small apps on my system that I paid for recently, only the big ticket items like Mathcad and Photoshop installed and ran properly. Some open-source stuff ran pretty well, too, but they tend to avoid the registry.
In the end I gave up trying to get everything to work. I tried running a few misbehaving apps with "Run as..." but you can not drag and drop between different user areas in Windows due to their separate memory areas (the pointer is inaccessible). So Windows XP Pro turned out to be a waste of money. I feel like I paid extra to beta test Microsoft's software.
Re:Ban all Microsoft Users from the Internet... (Score:4, Informative)
Re:Ban all Microsoft Users from the Internet... (Score:4, Funny)
If that makes me think of a penis, do I necessarily have a dirty mind?
Vandals and criminals (Score:5, Interesting)
(Last Journal: Tuesday February 13 2007, @05:31PM)
As I have been doing for nearly two decades, I set up a friends PC just before christmas, and told him "just say no" to unknown applications. He had no troubles until about a week ago, he got a message from the virus scanner about a trojan and didn't understand the options so he just pulled the plug from the wall, called his bank and waited until next time he saw me.
The first thing I said to him was..."you said 'yes', didn't you?"...he complained bitterly..."No porn videos, No screensavers" I asked in a mocking accusation...."is a screen saver an application" he replied with a puzzled look. I booted it up and showed him how the scanner gets rid of the trojan and admired his new screen saver. The VS options were something like "vault" and "delete", there wasn't a "no" or "cancel" button so he panicked and enacted the "emergency procedure" I had advised previously.
The guy is not an idiot, he is middle aged but has had virtually nill exposure to PC's, until he went out and bought one. He restores antique furniture for a living, he is over the moon about ebay and other stuff to do with furniture but has ignored FPS games. Not that he doesn't like them he has a PS3 and loves it because "it doesn't do things that are not in the manual". For him the curve is still too steep (and life is too short) to learn how to install and register games with confidence.
Spam (Score:1, Funny)
Oh (Score:5, Funny)
so a lot of it was from South Korea.... (Score:4, Funny)
(Last Journal: Monday July 12 2004, @09:38PM)
Stupid little freaks.
RS
Re:so a lot of it was from South Korea.... (Score:5, Insightful)
Re:so a lot of it was from South Korea.... (Score:5, Insightful)
Re:so a lot of it was from South Korea.... (Score:5, Insightful)
- Almost a 100% windows monoculture (really), because they standardised on an ActiveX control for secure banking etc before SSL was standardised, and everything still needs it
- Dirt cheap, fast broadband
- Fairly rampant piracy, hence many unpatched machines
Put it together and you get botnet paradise.And...??? (Score:4, Insightful)
Re:nuke 'em (Score:4, Funny)
(http://tumbleweed.smugmug.com/)
Many of them aren't redundant. (Score:5, Informative)
(http://kadin.sdf-us.org/ | Last Journal: Tuesday October 16, @01:46PM)
That's kind of the point here, actually. Several of the root servers do not have any redundancy. You can see the list at http://www.root-servers.org/ [root-servers.org]. In particular, the A, B, D, E, G, H, and L servers have only a single location a piece.
F, I, J, K, and M, on the other hand, are heavily redundant and have multiple geographic locations, routed via Anycast, so a single client only "sees" the server nearest to them. This makes them difficult to DDoS, because a zombie in S. Korea pinging the J server would be sending packets to the server in Seoul, while one in California would get the one in Mountain View.
What's odd, looking at the list, is that anyone operating something as critical to the internet infrastructure, wouldn't develop some geographic and systems redundancy; unfortunately, I suspect that the government agencies in particular tasked with these responsibilities probably don't keep it at the very top of their priority lists when allocating resources and funding.
Re:And...??? (Score:5, Funny)
pH34r enters IRC channel D4 3nD 0 d4 W3r1d
pH34r: dude, like, they just totally nuked chicago
d4 b0s5: wtf?
pH34r: I ain't shittin you man, I can see teh mushyroom cloud
d4 b0s5: OMG! w3 gots to lunch our nuxzors now!
m1551l3 5i10 d00d: nuxzors ftw!
pH34r: woot!
d4 b0s5:wooot!
etc...?
Not anymore (Score:5, Informative)
(Last Journal: Friday November 02, @02:49PM)
And the primary design feature that enabled that was removed during the rise of the ISPs.
The early internet was a NET. Redundant links everywhere. Routers all potentially knew the whole topology and could find a connection if it existed.
As the net went commercial that caused a table explosion in the routers. So BGP replaced RIP and things became less robust. Usable routes became a subset of all possible routes. Within the backbone there was still a lot of redundancy - but it wasn't quite up to the former "find a path if it exists" level.
Meanwhile, the typical host went from being something ad-hock connected to sever neighbors to being something connected solely to a single ISP - typically by a single link. The big guys might have redundant paths into their ISP's Network Operations Center. But if something took out the NOC (and often there was only one - or only one of some critical component) you were hosed. Ditto if something corrupted their databases. Even with redundant links there would only be a few, perhaps going through several single-points-of-failure - and if fully redundant still allowing a double-failure to take you down. The little guys would typically have one line (say DSL) to one box. Cut the line or crash the box - or the typically two links from it to the NOC - and you're hosed.
(Perhaps you have a dialup-backup for your DSL. Did YOU configure it to come up automagically if your main link goes down? Is it on the same phone line with the DSL? If not, does it take a different path to the central office? Or is it right up the same cable bundle on the same poles next to the same road full of the same drunk drivers or in the same underground cable running past the same backhoe...)
So the internet evolved from a nuclear-strike-survivable net to a less-robust net rooting a bunch of trees. Oops!
(And that's just for routing the packets once you've GOT the IP number. Translating names to IP numbers is a whole separate can of worms: It's what the root servers are about - which is why there are so many of them, most of them are clusters, and some are clusters that are geographically diverse. You only need to hit ONE operational root server to get started on your translation - if your answer isn't cached somewhere between you and the root, and the list is small enough to keep handy on every machine that wants to do its own nameservice.)
slashdotted (Score:5, Funny)
Re:slashdotted (Score:5, Funny)
(http://blog.jrock.us/ | Last Journal: Sunday October 10 2004, @04:11AM)
It's "I", not "i". It's "Nazis" not "Nazi's".
This has been a public service announcement.
Why am I not surprised that Defense did poorly... (Score:2, Interesting)
Re:Why am I not surprised that Defense did poorly. (Score:5, Insightful)
That's a pretty bold accusation (Score:5, Insightful)
(http://www.ime.usp.br/~fr/)
But congratulations on getting everyone riled up.
and? (Score:3, Insightful)
Not that I am complaining, one less bot net to worry about.
Good thing that they apparently never heard of routers though.
Re:and? (Score:5, Insightful)
It's a dumb, brute-force type of approach. A much, MUCH more effective way would be to simply find an appropriate flaw in IOS to exploit...
steve
Re:and? (Score:4, Interesting)
Besides, DNS is for wussies anyways. Real men don't need user-friendly names for their ip addresses :) But seriously, I can imagine the Web still being useful without DNS if search engines linked to IP addresses instead of hostnames. And now that email is largely a WWW service (hotmail, gmail...) a big chunk of it could survive too.
Re:and? (Score:5, Interesting)
(Last Journal: Friday January 03 2003, @03:39PM)
i dont remember the actual day/month/year, but maybe 3 years ago: MCI updated a bunch of routers, all at the same time, and screwed it up. a lot of people in north america were without internet for up to a day. i think this qualifies as major
does that mean the internet is down? (Score:5, Funny)
(http://skynare.googlepages.com/ | Last Journal: Saturday October 21 2006, @07:07AM)
Re:does that mean the internet is down? (Score:5, Funny)
Actually, backing up the internet is a very good idea, and it isn't hard to do at all:
If you're using Windows, just drag and drop the internet (the blue "e" symbol) from your desktop onto your USB stick. Wait for the copying process to finish (with current Windows installations this will only take a few minutes). Next, confirm that you have successfully stored the internet: double-click the internet on your USB stick, and enter any address. Did it work all right? Congratulations! Now you can carry the whole web in your pocket, or give it to your friends as a gift.
Actually... (Score:5, Funny)
(http://www.creimer.ws/ | Last Journal: Friday January 26 2007, @12:40PM)
That was a test system [youtube.com] for installing Windows Vista that someone forgot to unplug from the wall.
G and L still having problems (Score:1, Funny)
Of Course! (Score:1)
Hmm...
LIG FM.
Clearly this attack was started by a terrorist radio station. Heck of a marketing ploy, that one! Quick! Where is LIG FM?! I believe i've seen things like this before [slashdot.org].
Re:Of Course! (Score:5, Funny)
Try this MILF,G.
Mom's I'd like to fuck, Giggidy giggidy giggidy.
This attack was clearly perpetrated by none other than Glen Quagmire.
move along, nothing to care about (Score:5, Informative)
(http://www.theapt.org/ | Last Journal: Tuesday August 19 2003, @11:58AM)
[RFC2870]
2.3 At any time, each server MUST be able to handle a load of
requests for root data which is three times the measured peak of
such requests on the most loaded server in then current normal
conditions. This is usually expressed in requests per second.
This is intended to ensure continued operation of root services
should two thirds of the servers be taken out of operation,
whether by intent, accident, or malice.
Re:move along, nothing to care about (Score:5, Interesting)
(Last Journal: Friday January 03 2003, @03:39PM)
F machines (Score:5, Informative)
(http://www.time-travellers.org)
http://www.isc.org/index.pl?/ops/f-root/sites.php [isc.org]
That's about 40 locations. Now, each of which has a couple of servers, a management box, and a couple of routers, so yeah something like 200 machines total.
No big deal (Score:1)
(http://www.securityzone.org/)
Media: tie attack to likely Windows botnets (Score:2, Informative)
"We made it way harder for guys to do exploits," said Mr. Gates. "The number [of exploits] will be way less because we've done some dramatic things [to improve security] in the code base. Apple hasn't done any of those things."
In another portion of the interview, he added, "Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine."
See article: http://www.toptechnews.com/story.xhtml?story_id=4
Microsoft needs a public shaming for the sorry state of Windows security that allows millions of these zombie machines to exist. I don't blame Joe User, sorry. No holy wars about security; statements that user should do x, y, z and be as smart as me, etc.
Windows: Defective By Design
South Korea, eh? (Score:5, Interesting)
(http://qstuff.blogspot.com/)
Somehow that doesn't surprise me. This is the same country that uses insane amounts of ActiveX, and has the effect of conditioning people to click "Yes" whenever any site tries to install something, right? Wouldn't be any surprise if South Korea was one big botnet.
130+ root servers (Score:3, Interesting)
(http://www.cavebear.com/)
Consequently today we have more than 130 root servers scattered around the world.
That's good. It tends to localize the damage caused by attacks.
What is not good is that these root server operators, although they today operate to the highest of standards and with the highest degree of integrity, are not required to do so in the future.
For example, several root servers are operated by the US military establishment or by other branches of the US government and are thus subject to being "adjusted" according to military, political, or Atty General Alberto Gonzolez's latest desire to do data mining.
Nor are the root servers required to play fair and respond to all queries with equal dispatch or equal accuracy no matter the source or the name being queried for.
Nor are the root servers off limits for sale to companies like Microsoft or Google who could use them for commercial data mining.
Many people believe that ICANN serves as a kind of fire marshall, overseeing that the root servers are operated responsibly and that the root server operators have access to the resources they might need to recover from a natural or human disaster.
But that is not the case. ICANN has abrogated that role and has engaged itself as a protector of trademarks and US cultural values.
Over the last few thousand years we've learned that it's best for long term stability to build institutions and not depend on individual people. Today the root servers are the work of good individuals and organizations that encompass them. We really need to move to a more formalized structure that reinforces the long-term continuation of the good system we have today.
Re:130+ root servers (Score:5, Insightful)
(http://hackish.org/)
>We really need to move to a more formalized structure that reinforces the long-term continuation of the good system we have today.
And who's going to run that formalized structure? Hrm, maybe some "good individuals and organizations" would be willing to do it?
Send the repair bill to Microsoft (Score:1, Flamebait)
(Last Journal: Thursday August 03 2006, @09:15PM)
It was like the lost chord.... (Score:2)
53 security.microsoft.com ptr
The record that cannot be resolved.
interesting timing re: DNS things (Score:2)
(http://tumbleweed.smugmug.com/)
More root servers? (Score:5, Insightful)
Re:More root servers? (Score:5, Informative)
The root DNS servers are essential to the function of the Internet, as so many protocols use DNS, either directly or indirectly. They are potential points of failure for the entire Internet. For this reason, there are 13 named root servers worldwide. There are no more root servers because a single DNS reply can only be 512 bytes long; while it is possible to fit 15 root servers in a datagram of this size, the variable size of DNS packets makes it prudent to only have 13 root servers.
Re:More root servers? (Score:4, Funny)
(http://shockandblog.com/blog)
Re:More root servers? (Score:4, Informative)
laugh (Score:1)
(http://www.theaudiorevenge.com/)
[`h4x0r15`] K R U REDDIE !?!?
[MinGaw14f] LOLZ YEE.. DOIT!!!
[`h4x0r15`] OKIES HERE I GO!!
* `h4x0r15` takes down internet
** Disconnected: []
`h4x0r15` IRL: "shit.. why the hell did i do that again?? there goes my night of watching videos on youtube and talking with my IRC buddies.."
An article on a DDoS attack (Score:3, Funny)
(http://kestas.kuliukas.com/)
Does Anybody Still Distrubute Hosts Files? (Score:1)
Perhaps auto generating DNS zone files for certain networks. Pop it into your local DNS server and you are up and running (with limitations of course). Perhaps extract the data in the DNS cache and create incomplete zone files. Should an extended outage occur, wouldn't it be useful to easily use certain communication services such as IRC? email?
You mean ICAAN't ??? (Score:2, Funny)
(http://slashdot.org/~davidwr/journal/ | Last Journal: Friday November 09, @09:19PM)
Looks like its a job for..... Letter Man! (Score:2)
(Last Journal: Tuesday April 22 2003, @12:52AM)
Stronger than silent 'E'
Able to leap capital 'T' in a single bound!
It's a word, it's a plan...it's Letterman! [wikipedia.org] (majestic three-note fanfare)
this is interesting. . . (Score:2)
(http://slashdot.org/~treeves/ | Last Journal: Friday August 25 2006, @02:51PM)
UltraDNS has been attacked before (Score:2)
(http://www.datacenterknowledge.com/)
That wasn't a DDOS. (Score:2)
Re:Team name spelling their initals in the snow (Score:2)
Re:Team name spelling their initals in the snow (Score:5, Funny)
Re:Mandatory... (Score:2)