Free Republic
Browse · Search
News/Activism
Topics · Post Article


Denial of Service Attack at Internet Root Servers
AP ^ | 22 OCT 2002 | TED BRIDIS

Posted on 10/22/2002 4:54:09 PM PDT by j_tull



To: j_tull; swarthyguy
Office of Homeland Security and the President's Critical Infrastructure Protection Board.

Hmmm, I didn't see in this article where the attacks came from. But I can guess.

21 posted on 10/22/2002 5:16:38 PM PDT by aristeides

To: aristeides
Yes. Of course, it could be a couple of kids :>>
22 posted on 10/22/2002 5:16:59 PM PDT by swarthyguy

To: j_tull
Actually, your access to FR does not rely on the root servers. The root servers are the
primary (but not only) method of associating an IP address (FR is 209.157.64.200) with the term
"www.freerepublic.com." That association is also stored at a DNS (Domain name server) close
to you. FR was slow for other reasons, not because 9 of 13 "root DNS servers" were slow
updating the name-lookup inquiries that they were getting. There are thousands of name-lookup
servers, and it is very unlikely that your browsing ever touches one directly.
23 posted on 10/22/2002 5:17:13 PM PDT by Cboldt

To: austingirl
So that's what happened - and this user sure noticed.

I didn't see time of day given so it's still conjecture -- but I sure noticed something yesterday. (Memory says somewhat in the 7 - 9 AM PDT timeslot.)

24 posted on 10/22/2002 5:17:16 PM PDT by Eala

To: j_tull
Our GCI Internet connection to the outside world was down for 6 hours today. No explanation given so far.
25 posted on 10/22/2002 5:19:10 PM PDT by RightWhale

To: j_tull
I think the statement "The origin of the attack was not known." is BS. They don't want us to know.
26 posted on 10/22/2002 5:20:40 PM PDT by philetus

To: Howlin

27 posted on 10/22/2002 5:21:28 PM PDT by Dakmar

To: austingirl
Count me as one who noticed as well---
28 posted on 10/22/2002 5:26:55 PM PDT by stands2reason

To: Dog Gone; Madame Dufarge
Can anybody figure a way to get it hooked up to electricity??
29 posted on 10/22/2002 5:30:52 PM PDT by Howlin

To: hispanarepublicana
We've been having problems too. It was NOT our computer. Pages slow to open, or wouldn't open. Had a real hard time getting FR's Finest to open.
30 posted on 10/22/2002 5:37:07 PM PDT by GailA

To: Cboldt
Actually, your access to FR does not rely on the root servers. The root servers are the primary (but not only) method of associating an IP address (FR is 209.157.64.200) with the term "www.freerepublic.com." That association is also stored at a DNS (Domain name server) close to you. FR was slow for other reasons, not because 9 of 13 "root DNS servers" were slow updating the name-lookup inquiries that they were getting. There are thousands of name-lookup servers, and it is very unlikely that your browsing ever touches one directly.

Well, regardless of whether your own machine ever touches those root servers, they are actually quite necessary.

DNS works by going from general-to-specific. The root servers manage a DNS zone that is really just "." (yup... dot).

So if you look up www.freerepublic.com, what you don't see is that domain names actually have a . on the end... just isn't needed really, it's assumed. :)

To look up its IP address, a DNS server would first find the servers that handle . (the root servers). Those would tell you where to find the servers that handle .com., and those servers tell you where to find freerepublic.com. and then it tells you where the server is for the hostname www in the domain freerepublic.com.

Rocket science, hardly, but just goes to show that without the root servers, we'd be screwed.

Practically speaking, any DNS server along the way can "cache" the data... I mean, DNS servers don't change all that often, so most servers out there, including the ones your local ISP uses, will cache data for hours, days, even weeks or months. I always get frustrated when I have to make a DNS change and there are servers out there that ignore my time-to-live settings and keep spitting out their invalid cached addresses. Urgh.

31 posted on 10/22/2002 5:47:18 PM PDT by MPB
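The walk from "." down to www.freerepublic.com., and the caching that post 31 describes, as an added example that is not code from the thread. The delegation data is constructed: three in-memory "servers" stand in for the root, the .com servers and the freerepublic.com servers, the server names and TTLs are assumptions, and nothing on the network is contacted. Only the address 209.157.64.200 is taken from the thread. The point it makes concrete is the one both posters are circling: a resolver that has already learned the delegations keeps answering with the root unreachable, and only a cold resolver actually needs the root.

```python
"""Iterative DNS resolution with delegation and TTL caching (constructed data)."""

ROOT_SERVER = "a.root-servers.net."  # used as a label only; nothing is contacted

# Constructed: what each authoritative server knows. A referral means "ask this
# other server about that child zone" and carries a TTL; an answer is an address.
AUTHORITATIVE = {
    "a.root-servers.net.": {"referrals": {"com.": ("a.gtld-servers.net.", 172800)}},
    "a.gtld-servers.net.": {"referrals": {"freerepublic.com.": ("ns1.freerepublic.com.", 172800)}},
    "ns1.freerepublic.com.": {"answers": {"www.freerepublic.com.": ("209.157.64.200", 3600)}},
}


class ServerDown(Exception):
    """Raised when a query is sent to a server that is not responding."""


def candidate_zones(qname):
    """Yield enclosing zones of qname from most specific down to the root '.'."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def query(server, qname, down):
    """One query to one authoritative server: an answer, a referral, or nothing."""
    if server in down:
        raise ServerDown(server)
    data = AUTHORITATIVE[server]
    if qname in data.get("answers", {}):
        ip, ttl = data["answers"][qname]
        return ("ANSWER", ip, ttl)
    for zone in candidate_zones(qname):
        if zone in data.get("referrals", {}):
            child_server, ttl = data["referrals"][zone]
            return ("REFERRAL", zone, child_server, ttl)
    return ("NODATA",)


class FakeClock:
    """Manual clock so cache expiry can be exercised deterministically."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class Resolver:
    def __init__(self, clock):
        self.clock = clock
        self.addr_cache = {}  # qname -> (ip, expiry)
        # Root hints are configured, not learned, so they never expire.
        self.ns_cache = {".": (ROOT_SERVER, float("inf"))}  # zone -> (server, expiry)
        self.trace = []       # servers asked during the last resolve()

    def _closest_known_server(self, qname):
        """Start from the most specific delegation still in cache, not always the root."""
        now = self.clock()
        for zone in candidate_zones(qname):
            hit = self.ns_cache.get(zone)
            if hit and hit[1] > now:
                return hit[0]
        raise AssertionError("root hints are always present")

    def resolve(self, qname, down=()):
        """Return the address for qname, asking as few servers as the cache allows."""
        if not qname.endswith("."):
            qname += "."
        self.trace = []
        now = self.clock()
        hit = self.addr_cache.get(qname)
        if hit and hit[1] > now:
            self.trace.append("cache")
            return hit[0]
        server = self._closest_known_server(qname)
        for _ in range(10):  # bound the referral chain
            self.trace.append(server)
            resp = query(server, qname, down)
            if resp[0] == "ANSWER":
                self.addr_cache[qname] = (resp[1], now + resp[2])
                return resp[1]
            if resp[0] == "REFERRAL":
                self.ns_cache[resp[1]] = (resp[2], now + resp[3])
                server = resp[2]
                continue
            return None
        raise RuntimeError("referral loop")


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    r = Resolver(clock)
    print(r.resolve("www.freerepublic.com"), r.trace)      # root, .com, then freerepublic.com
    clock.now += 4000  # address TTL (1 hour) has expired; delegations (2 days) have not
    print(r.resolve("www.freerepublic.com", down={ROOT_SERVER}), r.trace)  # root never asked
```

Run it and the second lookup succeeds with the root marked down, because the delegation learned on the first lookup takes the resolver straight to freerepublic.com's server; a freshly started resolver with the same root outage raises ServerDown. That gap between "cold" and "warm" resolvers is why the thread splits between people who noticed nothing and people who saw pages fail to open.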

To: j_tull
I was in Cozumel, Mexico when it happened. Slow is the norm there so I noticed nothing. Even the dogs are slow.


32 posted on 10/22/2002 5:58:51 PM PDT by unixfox

To: philetus
They don't want us to know.

I concur, but I would REALLY like to know what the "defensive measures" are.

33 posted on 10/22/2002 6:07:35 PM PDT by j_tull

To: j_tull
For those of you wondering how the source of the attack can remain an unknown: There are several known attacks that permit the attacker to send packets with "spoofed" source IP addresses; an attacker could easily plug your IP address into the source IP field so that from the victim's perspective, the attack would appear to be coming from your machine. Some attacks cause innocent third parties' servers to send unsolicited SYN/ACK packets to the victim's host. This is done in such a way that the machines being used to send the SYN/ACK packets each send only a trickle of them, barely noticeable to an admin who isn't looking for them, but in concert with hundreds or thousands of other machines the effect is a flood of traffic at the victim's end.

Counterattacking the IP address contained in the incoming packets would almost certainly be a bad idea because there's a high probability that the source IP is false, thus you'd be attacking a server that may not even exist or at worst is totally innocent, or belongs to a server that is simply doing what it is designed to do (as in the case of the unsolicited SYN/ACK attack).

34 posted on 10/22/2002 6:09:23 PM PDT by dwollmann
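The "unsolicited SYN/ACK from innocent third parties" pattern in post 34, seen from the victim's side, as an added example that is not from the thread. The packet lines are constructed and use RFC 5737 documentation addresses that belong to nobody. The check rests on one fact about TCP: a host only ever receives a legitimate SYN/ACK in reply to a SYN it sent itself, so a SYN/ACK with no matching outbound SYN means someone else sent a SYN with our address forged as the source, exactly the trickle-per-reflector shape the post describes.

```python
"""Spotting reflected SYN/ACK backscatter in a packet summary (constructed input)."""
from collections import Counter

OUR_HOST = "198.51.100.5"  # constructed victim address

# Constructed: time  src_ip:port  dst_ip:port  flags (S=SYN, A=ACK, SA=SYN/ACK).
# One real connection to 192.0.2.10, then SYN/ACKs from five hosts we never contacted.
SAMPLE = """\
0.00 198.51.100.5:40001 192.0.2.10:80 S
0.01 192.0.2.10:80 198.51.100.5:40001 SA
0.02 198.51.100.5:40001 192.0.2.10:80 A
0.10 203.0.113.11:80 198.51.100.5:5000 SA
0.11 203.0.113.12:80 198.51.100.5:5000 SA
0.12 203.0.113.13:443 198.51.100.5:5000 SA
0.13 203.0.113.11:80 198.51.100.5:5001 SA
0.14 203.0.113.14:25 198.51.100.5:5000 SA
0.15 203.0.113.15:80 198.51.100.5:5002 SA
"""


def parse_line(line):
    ts, src, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(ts), sip, int(sport), dip, int(dport), flags


def classify_synacks(lines, our_host=OUR_HOST):
    """Return (count of expected SYN/ACKs, Counter of unsolicited SYN/ACKs per source)."""
    outbound_syns = set()  # (peer_ip, peer_port, our_port) for connections we opened
    expected = 0
    unsolicited = Counter()
    for line in lines:
        if not line.strip():
            continue
        _ts, sip, sport, dip, dport, flags = parse_line(line)
        if sip == our_host and flags == "S":
            outbound_syns.add((dip, dport, sport))
        elif dip == our_host and flags == "SA":
            if (sip, sport, dport) in outbound_syns:
                expected += 1
            else:
                unsolicited[sip] += 1  # nobody here asked this host for a connection
    return expected, unsolicited


def looks_like_reflection(unsolicited, min_sources=5, max_per_source=3):
    """Many distinct reflectors, each sending only a trickle, is the reflection signature."""
    return (len(unsolicited) >= min_sources
            and max(unsolicited.values(), default=0) <= max_per_source)


if __name__ == "__main__":
    expected, unsolicited = classify_synacks(SAMPLE.splitlines())
    print("expected:", expected, "unsolicited:", dict(unsolicited))
    print("reflection pattern:", looks_like_reflection(unsolicited))
```

The per-source counts are what make the second half of the post concrete: each reflector here is guilty of one or two packets, which no admin would chase, and the reflector list is useless for "counterattacking" because those hosts did nothing but answer a SYN. The thresholds are arbitrary knobs for the constructed sample, not tuned values.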

To: dwollmann
Spoofed IP addresses are one technique to protect yourself when hacking someone's system, but they are not foolproof. Even without the IP in the header, the packets can be tracked backwards. It is slow and laborious and requires cooperation from your ISP and your ISP's ISP's ISP... It's how Stoll and friends caught the Hannover Hacker back in the day.

Another popular technique, which is more difficult to trace back to the attacker is the two phase attack. Phase 1, the hacker takes over some dupe's system. Phase 2, the hacker issues a time-delayed command to the dupe's system to attack your system. Usually, the logs (if there are any) have been recycled by the time the attack goes off and it is very difficult to figure out who took over the machine and issued the command.
35 posted on 10/22/2002 6:35:19 PM PDT by ReadMyMind

To: calenel
Yup. China. Or North Korea. Or Terrorists. Or bored Canadian adolescents.
36 posted on 10/22/2002 6:40:44 PM PDT by FreeTheHostages

To: j_tull
I would REALLY like to know what the "defensive measures" are.

Depends on the nature of the attack. Totally. But for the general spam attack, they can block/reject/delay data that's associated with a sudden huge increase in volume. There are people at these roots 24/7 that are monitoring for suspicious stuff. They deal with minor security issues almost daily.
37 posted on 10/22/2002 6:43:23 PM PDT by FreeTheHostages
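The simplest form of "reject data associated with a sudden huge increase in volume" from post 37, as an added example; the thread says nothing about what the root operators actually ran, and this is not their tooling. Each source address gets a small allowance of queries that refills at a fixed rate (a token bucket). A client at its normal pace never loses a token; a source that suddenly floods is cut back to the refill rate without anyone having to know in advance who the attacker is. The addresses, timestamps, rate and burst are constructed.

```python
"""Per-source token-bucket rate limiting of incoming queries (constructed input)."""


class TokenBucket:
    def __init__(self, rate, burst, now):
        self.rate = rate      # tokens added per second
        self.burst = burst    # maximum stored tokens (the allowed burst)
        self.tokens = burst
        self.last = now

    def allow(self, now):
        """Refill for elapsed time, then spend one token if one is available."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def filter_queries(events, rate=5.0, burst=10):
    """events: iterable of (timestamp, source_ip). Returns {source: (accepted, dropped)}."""
    buckets = {}
    stats = {}
    for ts, src in sorted(events):
        bucket = buckets.setdefault(src, TokenBucket(rate, burst, ts))
        accepted, dropped = stats.get(src, (0, 0))
        if bucket.allow(ts):
            stats[src] = (accepted + 1, dropped)
        else:
            stats[src] = (accepted, dropped + 1)
    return stats


def sample_events():
    """Constructed: one client at one query per second, one that floods at t=0 and again at t=1."""
    polite = [(float(t), "192.0.2.20") for t in range(5)]
    flood = [(0.0, "203.0.113.9")] * 30 + [(1.0, "203.0.113.9")] * 10
    return polite + flood


if __name__ == "__main__":
    for src, (accepted, dropped) in filter_queries(sample_events()).items():
        print(f"{src}: accepted={accepted} dropped={dropped}")
```

With a burst of 10 and a refill of 5 per second the polite client loses nothing, while the flooder gets 10 of its first 30 through and 5 of the next 10, i.e. it is held to the refill rate. The caveat from post 34 applies here too: keying on source address only works against sources that are not forged, so in practice this is one layer, not the answer.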

To: dwollmann
Some attacks cause innocent third parties' servers to send unsolicited SYN/ACK packets to the victim's host. This is done in such a way that the machines being used to send the SYN/ACK packets each send only a trickle of them, barely noticeable to an admin who isn't looking for them, but in concert with hundreds or thousands of other machines the effect is a flood of traffic at the victim's end.

For others that may not be familiar with the technology: this is what is known as a DDOS attack, or Distributed Denial Of Service. It is typically launched with a collection of servers that have already been compromised and have been held in waiting until given instructions to start the attack.

I don't know the specifics of this attack, but DNS lookup (port 53) is a connectionless UDP protocol, rather than TCP. So, there would be no SYN/ACK. However, I believe there are some aspects of DNS that are TCP.

38 posted on 10/22/2002 6:58:14 PM PDT by justlurking
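The UDP-versus-TCP point in post 38, made concrete as an added example that is not code from the thread. It hand-builds the query a resolver sends for the hostname discussed above and shows why the distinction matters for the source-spoofing question: over UDP the whole query is one datagram with no handshake, so nothing in it proves who sent it, while DNS over TCP (which is what a client falls back to when a UDP answer comes back with the TC "truncated" bit set, and what zone transfers use) prefixes every message with a 2-byte length and can only flow after a completed three-way handshake. The transaction ID is an arbitrary constant chosen here.

```python
"""DNS message encoding for UDP, and the length-prefixed framing used over TCP."""
import struct

QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR = 0x8000   # message is a response
FLAG_TC = 0x0200   # truncated: client should retry the query over TCP
FLAG_RD = 0x0100   # recursion desired


def encode_name(name):
    """'www.freerepublic.com' -> b'\\x03www\\x0cfreerepublic\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Read a name at offset, following compression pointers; return (name, next_offset)."""
    labels = []
    jumped = False
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte pointer to an earlier copy of the name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """12-byte header, then the question section. Over UDP this is the entire datagram."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an}


def set_truncated(msg):
    """Turn a message into a truncated response, as a server does when the answer won't fit in UDP."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return struct.pack("!HH", txid, flags | FLAG_QR | FLAG_TC) + msg[4:]


def tcp_frame(msg):
    """DNS over TCP: 2-byte big-endian length, then the same message bytes."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Split a TCP byte stream back into messages; an incomplete trailing message is left out."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break
        msgs.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs


if __name__ == "__main__":
    q = build_query("www.freerepublic.com")
    print(len(q), "byte UDP query:", q.hex())
    print("TCP framing prepends", tcp_frame(q)[:2].hex())
    print("truncated response header:", parse_header(set_truncated(q)))
```

The 38-byte query is complete in itself: a sender can put any source address it likes on the datagram carrying it and the server will still answer. The TCP path has no such property, which is why a SYN/ACK flood and a DNS query flood are different animals even though both were being discussed in the same thread.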

To: j_tull
I had a mysterious non-response from hotmail yesterday. Nothing like it ever before.
39 posted on 10/22/2002 7:00:19 PM PDT by Arthur McGowan

To: j_tull
I felt that... Wonder if it was a 'trial run'?
40 posted on 10/22/2002 7:03:13 PM PDT by RCW2001



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson