Skip to comments.
Denial of Service Attack at Internet Root Servers
AP ^
| 22 OCT 2002
| TED BRIDIS
Posted on 10/22/2002 4:54:09 PM PDT by j_tull
click here to read article
Navigation: use the links below to view more comments.
first previous 1-20, 21-40, 41-60, 61-67 next last
To: j_tull; swarthyguy
Office of Homeland Security and the President's Critical Infrastructure Protection Board. Hmmm, I didn't see in this article where the attacks came from. But I can guess.
To: aristeides
Yes. Of course, it could be a couple of kids :>>
To: j_tull
Actually, your access to FR does not rely on the root servers. The root servers are the
primary (but no only) method of associating an IP address (FR is 209.157.64.200) with the term
"www.freerepublic.com." That association is also stored at a DNS (Domain name server) close
to you. FR was slow for other reasons, not because 9 of 13 "root DNS servers" were slow
updating the name-lookup inquiries that they were getting. There are thousands of name-lookup
servers, and it is very unlikely that your browsing ever touches one directly.
23
posted on
10/22/2002 5:17:13 PM PDT
by
Cboldt
To: austingirl
So that's what happened - and this user sure noticed. I didn't see time of day given so it's still conjecture -- but I sure noticed something yesterday. (Memory says somewhat in the 7 - 9 AM PDT timeslot.)
24
posted on
10/22/2002 5:17:16 PM PDT
by
Eala
To: j_tull
Our GCI Internet connection to the outside world was down for 6 hours today. No explanation given so far.
To: j_tull
I think the statement: The origin of the attack was not known., is BS.They don't want us to know.
26
posted on
10/22/2002 5:20:40 PM PDT
by
philetus
To: Howlin
27
posted on
10/22/2002 5:21:28 PM PDT
by
Dakmar
To: austingirl
Count me as one who noticed as well---
To: Dog Gone; Madame Dufarge
Can anybody figure a way to get it hooked up to electricty??
29
posted on
10/22/2002 5:30:52 PM PDT
by
Howlin
To: hispanarepublicana
We've been having problems too. It was NOT our computer. Pages slow to open, or wouldn't open. Had a real hard time getting FR's Finest to open.
30
posted on
10/22/2002 5:37:07 PM PDT
by
GailA
To: Cboldt
Actually, your access to FR does not rely on the root servers. The root servers are the primary (but no only) method of associating an IP address (FR is 209.157.64.200) with the term "www.freerepublic.com." That association is also stored at a DNS (Domain name server) close to you. FR was slow for other reasons, not because 9 of 13 "root DNS servers" were slow updating the name-lookup inquiries that they were getting. There are thousands of name-lookup servers, and it is very unlikely that your browsing ever touches one directly. Well, regardless of whether your own machine ever touches those root servers, they are actually quite necessary.
DNS works by going from general-to-specific. The root servers manage a DNS zone that is really just "." (yup... dot).
So if you look up www.freerepublic.com, what you don't see is that domain names actually have a . on the end... just isn't needed really, it's assumed. :)
To lookup it's IP address, a DNS server would first find the servers that handle . (the root servers). Those would tell you where to find the servers that handle .com., and those servers tell you where to find freerepublic.com. and then it tells you where the server is for the hostname www in the domain freerepublic.com.
Rocket science, hardly, but just goes to show that without the root servers, we'd be screwed.
Practically speaking, any DNS server along the way can "cache" the data... I mean, DNS servers don't change all that often, so most servers out there, including the ones your local ISP uses, will cache data for hours, days, even weeks or months. I always get frustrated when I have to make a DNS change and there are servers out there that ignore my time-to-live settings and keep spitting out their invalid cached addresses. Urgh.
31
posted on
10/22/2002 5:47:18 PM PDT
by
MPB
To: j_tull
I was in Cozumel, Mexico when it happened. Slow is the norm there so I noticed nothing. Even the dogs are slow.
32
posted on
10/22/2002 5:58:51 PM PDT
by
unixfox
To: philetus
They don't want us to know. I concur, but I would REALLY like to know what the "defensive measures" are.
33
posted on
10/22/2002 6:07:35 PM PDT
by
j_tull
To: j_tull
For those of you wondering how the source of the attack can remain an unknown: There are several known attacks that permit the attacker to send packets with "spoofed" source IP addresses; an attacker could easily plug
your IP address into the source IP field so that from the victim's perspective, the attack would appear to be coming from your machine. Some attacks cause innocent third parties' servers to send unsolicited SYN/ACK packets to the victim's host. This is done in such a way that the machines being used to send the SYN/ACK packets each send only a trickle of them, barely noticeable to an admin who isn't looking for them, but in concert with hundreds or thousands of other machines the effect is a flood of traffic at the victim's end.
Counterattacking the IP address contained in the incoming packets would almost certainly be a bad idea because there's a high probability that the source IP is false, thus you'd be attacking a server that may not even exist or at worst is totally innocent, or belongs to a server that is simply doing what it is designed to do (as in the case of the unsolicited SYN/ACK attack).
To: dwollmann
Spoofed IP addresses are one technique to protect yourself when hacking someone's system, but they are not foolproof. Even without the IP in the header, the packets can be tracked backwards. It is slow and laborious and requires cooperation from your ISP and your ISP's ISP's ISP... It's how Stoll and friends caught the Hannover Hacker back in the day.
Another popular technique, which is more difficult to trace back to the attacker is the two phase attack. Phase 1, the hacker takes over some dupe's system. Phase 2, the hacker issues a time-delayed command to the dupe's system to attack your system. Usually, the logs (if there are any) have been recycled by the time the attack goes off and it is very difficult to figure out who took over the machine and issued the command.
To: calenel
Yup. China. Or North Korea. Or Terrorists. Or bored Canadian adolescents.
To: j_tull
I would REALLY like to know what the "defensive measures" are.
Depends on the nature of the attack. Totally. But for the general spam attack, they can block/reject/delay data that's associated with a sudden huge increase in volume. There are people at these roots 24/7 that are monitoring for suspcious stuff. They deal with minor security issues almost daily.
To: dwollmann
Some attacks cause innocent third parties' servers to send unsolicited SYN/ACK packets to the victim's host. This is done in such a way that the machines being used to send the SYN/ACK packets each send only a trickle of them, barely noticeable to an admin who isn't looking for them, but in concert with hundreds or thousands of other machines the effect is a flood of traffic at the victim's end. For others that may not be familiar with the technology: this is what is known as a DDOS attack, or Distrubuted Denial Of Service. It is typically launched with a collection of servers that have already been compromised and have been held in waiting until given instructions to start the attack.
I don't know the specifics of this attack, but DNS lookup (port 53) is a connectionless UDP protocol, rather than TCP. So, there would be no SYN/ACK. However, I believe there are some aspects of DNS that are TCP.
To: j_tull
I had a mysterious non-response from hotmail yesterday. Nothing like it ever before.
To: j_tull
I felt that... Wonder if it was a 'trial run'?
40
posted on
10/22/2002 7:03:13 PM PDT
by
RCW2001
Navigation: use the links below to view more comments.
first previous 1-20, 21-40, 41-60, 61-67 next last
Disclaimer:
Opinions posted on Free Republic are those of the individual
posters and do not necessarily represent the opinion of Free Republic or its
management. All materials posted herein are protected by copyright law and the
exemption for fair use of copyrighted works.
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson