Root Server DDoS Attack: What The Media Did Not Tell You
It's time to consider multiple root servers and an education campaign to give name server operators some options. The .com name servers are the most vulnerable. The USG root is not as vulnerable.

Original story indexed at: http://www.circleid.com/articles/2553.asp

DDoS Attack: What The Media Did Not Tell You
November 20, 2002 | By Joe Baptista

On Monday, October 21, a distributed denial of service (DDoS) attack struck 9 out of the 13 root servers operated by a number of contractors on behalf of the United States Department of Commerce (USG). The next day, the Washington Post reported, "The heart of the Internet sustained its largest and most sophisticated attack ever." This claim was only partially true.

The classic hacker attack was indeed the largest ever witnessed in 20 years of root history -- in fact, it was the first attack against the roots. But claims that the attack was sophisticated were bogus. Most network operators were of the opinion that the attack showed a serious ignorance of the domain name system (DNS) and general network operations. A great deal more damage could have been done if the individuals responsible had targeted the DNS directly. At worst the attack was a test or probe for a potential future attack.

The root servers struck by the attack assist computers in translating Internet domain names, such as www.circleid.com, to numeric equivalents used by computers. These servers provide the primary roadmap for 70% of all Internet communications. The remaining 30% of the net now uses competing root service providers who bypass the USG root system. They were not under attack.

According to statements by U.S. Federal Bureau of Investigation (FBI) director Robert Mueller, the incident lasted about an hour and originated from computers in the United States and Korea.

Most often, computers used in DDoS assaults are commandeered by hackers either manually or remotely with the help of automated software tools that scan millions of computers for known security holes. These computers often belong to unsuspecting home users. An FBI spokesperson confirmed that the incident was still under investigation.

Fortunately, despite its size, the attack had no impact on the Internet, and no users or computers were affected.

The USG root server system contains only 258 top-level domains, of which 243 are ccTLDs (country code top-level domains) and the rest are generic top-level domains (gTLDs) like .com, .org and .net. In comparison to many Internet root server systems, the USG is the smallest. As a result of its limited size, most of the information contained in that root is cached by Internet Service Providers (ISPs) and refreshed every 48 hours. Under those circumstances, Internet users would not have noticed the one-hour attack even if all 13 roots had been successfully blocked the entire time. There simply was not enough time for the cache records at ISPs to expire long enough for anyone to notice.

Petri Helenius was one of the first people to witness and report the attack in progress. He notified the networking community that the DDoS attack was not causing any serious operational problems but was slowing things down. Helenius is a telecommunications expert whose company developed the ROMmon (Robust Online Metric MONitoring) system that alerted Mr. Helenius to the intrusion.

Helenius notified the North American Network Operators' Group (NANOG) by email at 21:29 UTC. "I remember spending some time before sending off the email," said Helenius. "And, trying to figure out specifics and failing to get further, I sent the email. The alarms went off at ROMmon at 20:46 (UTC) and the threshold for escalation was crossed at 20:49. The situation dropped below radar at 22:01."

Helenius pointed out, "the timestamp is a little later than the fact (attack) due to the averaging of the system that (ROMmon) does before it's happy."

Paul Vixie, a root operator, confirmed to NANOG that the DDoS attack was an Internet Control Message Protocol (ICMP) request. ICMP messages are used in the processing of datagrams through which Internet systems communicate. This was the first clue to network operators that the people behind the attack had no clue as to how to effectively take out the roots. If the attackers had focused their computer power on generating bogus queries to port 53, used by roots to provide domain name service, the attack might have been successful -- provided that it was sustained for more than one hour.

Vixie successfully blocked the DDoS traffic he was getting with the assistance of his backbone providers. Other operators, however, were not as successful in defending their systems against the attack.

If the attackers had instead targeted the much larger databases used by the .com servers, users would have noticed the incident and it could have gotten ugly. The .com domain servers operated by VeriSign contain millions of domain names, and are queried more often than the roots. If this had
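The caching argument in the post above (a one-hour block of all 13 roots goes unnoticed because ISP resolvers hold root referrals for 48 hours) can be checked with a toy resolver model. This is an added example, not code from the post or from any real resolver: the root-zone excerpt, the query schedule and the outage window are constructed, and only the 172800 s (48 h) delegation TTL comes from the text. It also covers the caveat the post glosses over: a resolver with a cold cache, or an outage longer than the TTL, does fail.

```python
"""Toy model of a recursive resolver's cache of root referrals.

Added example (not code from the original post or from any resolver).
The zone excerpt, TTLs and query schedule are constructed; the 172800 s
(48 h) TTL is the delegation TTL the post refers to.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed root-zone excerpt: TLD -> (one delegated name server, TTL in seconds).
ROOT_ZONE: dict[str, tuple[str, int]] = {
    "com": ("a.gtld-servers.net", 172800),
    "net": ("a.gtld-servers.net", 172800),
}


class RootUnreachable(Exception):
    """Raised when no root server answers (all 13 successfully blocked)."""


@dataclass
class CachingResolver:
    # Half-open window [start, end) during which every root query is lost.
    outage: tuple[int, int] | None = None
    # Cache of referrals: TLD -> (name server, absolute expiry time).
    cache: dict[str, tuple[str, int]] = field(default_factory=dict)
    root_queries: int = 0

    def _ask_root(self, tld: str, now: int) -> tuple[str, int]:
        if self.outage and self.outage[0] <= now < self.outage[1]:
            raise RootUnreachable(f"t={now}s: no root answered for .{tld}")
        self.root_queries += 1
        ns, ttl = ROOT_ZONE[tld]
        return ns, now + ttl

    def referral_for(self, name: str, now: int) -> str:
        """Return the TLD server a resolver would ask next for `name`."""
        tld = name.rstrip(".").rsplit(".", 1)[-1]
        hit = self.cache.get(tld)
        if hit is None or hit[1] <= now:  # cold cache or TTL expired
            self.cache[tld] = self._ask_root(tld, now)
        return self.cache[tld][0]


def simulate(outage_seconds: int, *, warm: bool = True, interval: int = 600,
             horizon: int = 3 * 86400) -> dict[str, int]:
    """Count lookups of www.circleid.com that fail while the roots are blocked.

    The resolver issues one lookup every `interval` seconds for `horizon`
    seconds; the outage starts at t=0. With warm=True the referral was cached
    just before the attack began, as it would be on any busy ISP resolver.
    """
    resolver = CachingResolver(outage=(0, outage_seconds))
    if warm:
        resolver.referral_for("www.circleid.com", -1)
    ok = failed = 0
    for t in range(0, horizon, interval):
        try:
            resolver.referral_for("www.circleid.com", t)
            ok += 1
        except RootUnreachable:
            failed += 1
    return {"ok": ok, "failed": failed, "root_queries": resolver.root_queries}


if __name__ == "__main__":
    print("1 h outage, warm cache :", simulate(3600))
    print("1 h outage, cold cache :", simulate(3600, warm=False))
    print("56 h outage, warm cache:", simulate(200000))
```

With a warm cache the one-hour outage produces zero failed lookups and the resolver goes back to the roots only when the 48 h TTL runs out, well after the attack. A resolver started during the attack fails every lookup until the roots come back, and an outage longer than the TTL starts failing the moment the cached referral expires; that is what "sustained for more than one hour" would have had to mean in practice.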
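Vixie's point that an ICMP flood is the wrong tool against a name server, and that an upstream can simply drop it, is easy to demonstrate by profiling what a flood actually hits. The following is an added example, not the post's or any root operator's tooling: it parses constructed tcpdump-style packet summaries (the addresses, ports and query contents are made up, and 198.41.0.4 is used only as the target) and says whether the dominant traffic class can be filtered by protocol without touching the port 53 service.

```python
"""Classify a flood at a name server by what it actually hits.

Added example, not from the original post or any operator's tooling. The
capture lines below are constructed in tcpdump's text format; the 80%
"dominant class" threshold is an assumption for illustration.
"""
import re
from collections import Counter

ICMP_RE = re.compile(r"^\S+ IP (\S+) > (\S+): ICMP (echo request|echo reply)")
UDP_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): ")

# Constructed sample: an ICMP echo flood with a little legitimate DNS mixed in.
SAMPLE_CAPTURE = """\
20:46:01.000 IP 10.0.0.5 > 198.41.0.4: ICMP echo request, id 1, seq 1, length 1400
20:46:01.001 IP 10.0.0.6 > 198.41.0.4: ICMP echo request, id 1, seq 1, length 1400
20:46:01.002 IP 10.0.0.7 > 198.41.0.4: ICMP echo request, id 1, seq 2, length 1400
20:46:01.003 IP 10.0.0.8 > 198.41.0.4: ICMP echo request, id 1, seq 2, length 1400
20:46:01.004 IP 10.0.0.9.4012 > 198.41.0.4.53: 12345+ NS? com. (21)
20:46:01.005 IP 10.0.0.5 > 198.41.0.4: ICMP echo request, id 1, seq 3, length 1400
20:46:01.006 IP 10.0.0.6 > 198.41.0.4: ICMP echo request, id 1, seq 3, length 1400
20:46:01.007 IP 10.0.0.10.33077 > 198.41.0.4.53: 7 A? www.circleid.com. (34)
20:46:01.008 IP 10.0.0.7 > 198.41.0.4: ICMP echo request, id 1, seq 4, length 1400
20:46:01.009 IP 10.0.0.8 > 198.41.0.4: ICMP echo request, id 1, seq 4, length 1400
"""


def classify_line(line: str) -> str:
    """Bucket one packet summary as icmp-echo, dns-query, or other."""
    if ICMP_RE.match(line):
        return "icmp-echo"
    m = UDP_RE.match(line)
    if m and m.group(4) == "53":  # destination port 53 = a query to the server
        return "dns-query"
    return "other"


def profile(capture: str) -> Counter:
    """Count packets per traffic class in a text capture."""
    return Counter(classify_line(l) for l in capture.splitlines() if l.strip())


def recommend(counts: Counter, flood_share: float = 0.8) -> str:
    """State whether the dominant class can be dropped upstream without loss of service."""
    total = sum(counts.values())
    kind, n = counts.most_common(1)[0]
    if n / total < flood_share:
        return "no single dominant class; investigate further"
    if kind == "icmp-echo":
        return "drop/rate-limit ICMP echo at the upstream; port 53 service is unaffected"
    if kind == "dns-query":
        return "query flood on port 53: cannot be filtered by protocol, needs capacity or per-source rate limits"
    return "dominant traffic is neither ICMP nor DNS; filter by the observed protocol/port"


if __name__ == "__main__":
    counts = profile(SAMPLE_CAPTURE)
    print(dict(counts))
    print(recommend(counts))
```

The asymmetry is the whole point: ICMP echo is not part of the service a root server provides, so an upstream ACL removes the flood and nothing legitimate is lost, whereas a flood of well-formed queries on UDP/53 is indistinguishable by protocol from the traffic the server exists to answer and has to be absorbed or rate-limited per source.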
Re: Root Server DDoS Attack: What The Media Did Not Tell You
where are these statistics from - I cannot believe that more than a few percent of the net uses non-USG root.

Vint

At 09:10 AM 11/23/2002 -0500, Joe Baptista wrote:
> The root servers struck by the attack assist computers in translating Internet domain names, such as www.circleid.com, to numeric equivalents used by computers. These servers provide the primary roadmap for 70% of all Internet communications. The remaining 30% of the net now uses competing root service providers who bypass the USG root system. They were not under attack.

Vint Cerf
SVP Architecture & Technology
WorldCom
22001 Loudoun County Parkway, F2-4115
Ashburn, VA 20147
703 886 1690 (v806 1690)
703 886 0047 fax
Re: Root Server DDoS Attack: What The Media Did Not Tell You
joe,

this makes no sense to me - the caching mechanisms are essentially doing what you suggest. That's one of the reasons the system is resilient. But you need to invalidate the cache to deal with changes to the binding of domain name and IP address. Simply mirroring everything doesn't improve things, in my estimation. In fact, trying to mirror everything everywhere has a massive update problem. Caching spreads the update process over time.

The USG doesn't actually run the root server (although some of the root servers are in fact housed at USG supported laboratories). The Dept of Commerce in effect delegates the actual operation to the root server operators. The issue is less the size of the file than the problem of updating many copies of it reliably. The root server operators find it a challenge to assure that even the modestly sized root zone file is correctly distributed to all root servers accurately and in a timely fashion.

At 09:10 AM 11/23/2002 -0500, Joe Baptista wrote:
> To survive a sustained DDoS attack against the roots, the best solution an ISP has is to run its own system and eliminate any dependence on the US government for basic internet services. It would also be prudent for other primary namespaces like .com. Unfortunately, though, it would require a considerable amount of resources -- the .com zone file alone is well over a gigabyte in size. But the root file is very manageable and can easily be run on an ISP's local domain name servers.

Vint Cerf
SVP Architecture & Technology
WorldCom
22001 Loudoun County Parkway, F2-4115
Ashburn, VA 20147
703 886 1690 (v806 1690)
703 886 0047 fax
Re: Root Server DDoS Attack: What The Media Did Not Tell You
Louis Touton is Vice President and General Counsel of ICANN.

ICANN has had a root server advisory committee from early days, working on root server placement to improve resilience; the security and stability advisory committee was created in the wake of 9/11 and has increased the priority of root server security evaluation.

At 09:10 AM 11/23/2002 -0500, Joe Baptista wrote:
> The attack, however, should come as no surprise to ICANN (Internet Corporation for Assigned Names and Numbers), the Department of Commerce contractor responsible for root security. Over the years, ICANN has been warned that the existing root infrastructure was vulnerable to attack, but the warnings have been largely ignored. Now, however, ICANN President Louis Touton insists that the attacks make it important to have "increased focus on the need for security and stability of the Internet." ICANN's Security and Stability Advisory Committee quickly moved in to investigate the incident. The committee is expected to produce a report on securing the edge of the USG Domain Name System network.

Vint Cerf
SVP Architecture & Technology
WorldCom
22001 Loudoun County Parkway, F2-4115
Ashburn, VA 20147
703 886 1690 (v806 1690)
703 886 0047 fax
RE: Spring 2003 IETF - Why San Francisco?
Harald,

I have two dumb questions about IETF-56:

1. My understanding is that there is no host and no terminals. Does it mean no wireless setup too?

2. Is there a reason the meeting location is not posted with the dates?

Thanks
Michel.
Re: Root Server DDoS Attack: What The Media Did Not Tell You
> Louis Touton is Vice President and General Counsel of ICANN.

yes true

> ICANN has had a root server advisory committee from early days, working on root server placement to improve resilience;

would you be kind enough to offer a url that points to what this group has done? they had a CRADA to do something. I am unaware that they ever did anything. but perhaps I missed the announcement.

> the security and stability advisory committee was created in the wake of 9/11 and has increased the priority of root server security evaluation.

Vint said "has increased the priority of root server security evaluation". This is an interesting comment. Again Vint please be concrete. What precisely have they done? Where is their report? Have they ever actually had a meeting? URL. Press release... some definite citation please.

--
The COOK Report on Internet, 431 Greenway Ave, Ewing, NJ 08618 USA
(609) 882-2572 (phone & fax) [EMAIL PROTECTED]
Subscription info & prices at http://cookreport.com/subscriptions.shtml
Summary of content for 10 years at http://cookreport.com/past_issues.shtml
Info on Economics of Peering, Transit & IXs, November - December, 118 pages, available at http://cookreport.com/11.08-09.shtml
Re: Root Server DDoS Attack: What The Media Did Not Tell You
first of all I don't think this belongs in the IETF forum.

> Vint said "has increased the priority of root server security evaluation". This is an interesting comment. Again Vint please be concrete. What precisely have they done? Where is their report? Have they ever actually had a meeting? URL. Press release... some definite citation please.

see http://www.icann.org/committees/security/ for a list of the documents the group has produced and presented to date.

-rick
Re: Root Server DDoS Attack: What The Media Did Not Tell You
Rick writes:
> first of all I don't think this belongs in the IETF forum.

That's what delete keys are for. It seems relevant to me.
ietf 55
IETF members,

Thank you all for your hospitality and consideration for my particularly bohemian lifestyle during the 55th ietf, and especially for those of you i had the opportunity to meet and interact with... Russ, Hue, TJ, the IETF secretariat staff and everyone else. It was a unique experience for me, to say the least :) I look forward to working with you all in the future.

Scott

--
Revolt now.

+++ GMX - Mail, Messaging & more http://www.gmx.net +++
NEW: Go online with GMX. Surf around the clock for 1 ct/min!
Re: Spring 2003 IETF - Why San Francisco?
In message <2B81403386729140A3A899A8B39B046405E4B0@server2000>, Michel Py writes:
> Harald, I have two dumb questions about IETF-56:
> 1. My understanding is that there is no host and no terminals. Does it mean no wireless setup too?

There will be wireless.

> 2. Is there a reason the meeting location is not posted with the dates?

It is posted at http://www.ietf.org/meetings/0mtg-sites.txt . But if you mean the hotel -- that's always released a bit later.

--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (Firewalls book)
RE: Spring 2003 IETF - Why San Francisco?
Steve Bellovin wrote:
> But if you mean the hotel -- that's always released a bit later.

That's what I meant. Would be nice to know in advance, for those of us that shop for price and want to book a hotel within walking distance of the IETF meeting.

Michel.
Re: Root Server DDoS Attack: What The Media Did Not Tell You
Rick,

> first of all I don't think this belongs in the IETF forum.

why? the DNS is a key piece of internet infrastructure, as i'm sure you are well aware. if it is in danger, then all of us are in danger. what group is better equipped to deal with such problems than the ietf?

scott

> > Vint said "has increased the priority of root server security evaluation". This is an interesting comment. Again Vint please be concrete. What precisely have they done? Where is their report? Have they ever actually had a meeting? URL. Press release... some definite citation please.
>
> see http://www.icann.org/committees/security/ for a list of the documents the group has produced and presented to date.
>
> -rick

--
Revolt now.

+++ GMX - Mail, Messaging & more http://www.gmx.net +++
NEW: Go online with GMX. Surf around the clock for 1 ct/min!
Re: Root Server DDoS Attack: What The Media Did Not Tell You
On Sat, 23 Nov 2002, Rick Wesson wrote:
> see http://www.icann.org/committees/security/ for a list of the documents the group has produced and presented to date.

there's not much there. it's lacking any response to the ddos incident.

regards
joe baptista
Re: Root Server DDoS Attack: What The Media Did Not Tell You
On Sun, 24 Nov 2002 00:51:49 +0100, [EMAIL PROTECTED] said:
> why? the DNS is a key piece of internet infrastructure, as i'm sure you are well aware. if it is in danger, then all of us are in danger. what group is better equipped to deal with such problems than the ietf?

That's an OPERATIONAL issue rather than a PROTOCOL issue. As such, it probably belongs over in NANOG or similar forums. NANOG had much operational discussion about the DDoS attack on the root servers recently, as it did about the operational impact of 9/11 on sites like 60 Hudson.

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
Re: Root Server DDoS Attack: What The Media Did Not Tell You
On Sat, 23 Nov 2002, vinton g. cerf wrote:
> The USG doesn't actually run the root server (although some of the root servers are in fact housed at USG supported laboratories). The Dept of Commerce in effect delegates the actual operation to the root server operators.

As a technical, legal, and historical matter the USG does not delegate root server management to anyone. Root server operators are volunteers and self-organizing. The USG lacks the authority to tell them what to do, or to fire them. Indeed, as you note, some are not affiliated with the US in any way. Nit-picking, yes, but fairly important when sorting out who has authority over what. (Cf. http://personal.law.miami.edu/~froomkin/articles/formandsubstance.pdf for a discussion of the legal import of the root server operators' legal position.)

> The issue is less the size of the file than the problem of updating many copies of it reliably. The root server operators find it a challenge to assure that even the modestly sized root zone file is correctly distributed to all root servers accurately and in a timely fashion.

Are there statistics on this? Certainly the published info I've seen is more of the patting-self-on-back variety.

--
Please visit http://www.icannwatch.org
A. Michael Froomkin | Professor of Law | [EMAIL PROTECTED]
U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA
+1 (305) 284-4285 | +1 (305) 284-6506 (fax) | http://www.law.tm
--It's hot here.--