Comments on Errata Security: Root DNS attacked, that's sooooo 20th century
Feed author: David Maynor

Comment by dre, 2007-02-11 06:59 (-05:00):

> Root DNS attacked, that's sooooo 20th century

People have their reasons for doing this today. Read on.

> One defense implemented by servers has been to split the workload.

Only it wasn't originally planned as a defense. It was designed that way "to split the workload".

> As a result of all these defenses, it's unlikely that DoSing the root servers would be a viable attack.

It's not meant to be a viable attack. It's a testing playground for packet kiddies. If you can make a dent in the Root DNS infrastructure you get "mad props" or something. You can also measure how big your amplification attack can get. Practice makes perfect, after all.

The Root DNS servers aren't the real target. They're just the test / pre-party.

> A better offense would be to find a DoS in popular software such as BIND or Microsoft DNS, catalogue all the servers that use it, then DoS them all at once.

See my last two paragraphs. They aren't trying to find a specific DoS. They are trying to use a universal DDoS system based on UDP amplification (http://archives.neohapsis.com/archives/fulldisclosure/2005-05/att-0622/dnos.c)... usually SOA RRs using the DNS.

DDoSers can repurpose their tools and attacks on others using these exact methods.

> One thing that I've always found curious was that the root servers don't use custom software, but instead off-the-shelf platforms like Solaris and BIND.

That is totally untrue. The Root DNS infrastructure is far from a monoculture, and it is also far from even mostly "Solaris and BIND".

UltraDNS has their own name server software, as does GoDaddy, et al. djbdns, NSD, and many others make up the Root DNS infrastructure. Sorry if Microsoft and Apple DNS servers aren't used - they happen to be toys in comparison. Go run dnsfp and see for yourself. Remember that they use anycast, so you have to test from totally different networks to be sure!

> We created the Proventia IPS... Using similar techniques, we could create a system for serving 10 times the requests that such systems can currently handle.

Other aspects to building a Root DNS infrastructure include cost, time, and availability. If you provide Proventia IPS boxes for free, Paul Vixie (or whoever) is probably going to ask you how long he can burn them in his lab before putting them out in production (and it wouldn't surprise me if he asked for more than 3 years). Things like MTBF and MTTR are extremely important and delicate in this type of operation. Much more so than, say, big destinations like Google/eBay/Yahoo. People tend to take Root DNS infrastructure pretty seriously.

Comment by a., 2007-02-10 08:21 (-05:00):

Maybe it takes too much time and energy to implement a custom solution. It might be cheaper to just throw more hardware at the problem.

An IDS/IPS "just" looks at network packets and then drops some. It's not easy, but I think it's a whole lot easier than writing something which answers requests from a gazillion DNS servers seven days a week. Answers them in a way that the other side (which might be broken one way or the other) does the right thing.

And though the Proventia is a very fine IDS/IPS, it has its share of false positives with some DNS packets. Hasn't it?