Tuesday, February 06, 2007

Root DNS attacked, that's sooooo 20th century

According to an AP article, some of the 13 root name servers were overloaded recently. Overloading the root servers has long been one of the Top 10 Techniques for DoSing the Internet. It wouldn't actually stop packets from being routed, but resolving www.praetorian.com to an IP address like 24.75.345.200 would no longer work, so your browser wouldn't be able to get to websites.

However, the root system has been hardened against such attacks, especially after an incident in 2002.

One defense implemented by the servers has been to split the workload. In the past, the root name servers would resolve the last two portions of a name (like "example.com") and leave the rest for your ISP's resolver to continue resolving. Now they resolve only the last portion (like ".com"), and other root-like servers handle the second-level resolution. For an attacker, this means there are a lot more servers to attack.

Another defense, first used by the 'F' root server, is 'anycasting'. Its IP address of 192.5.5.241 does not route to a single machine, but instead to one of roughly 40 machines spread throughout the Internet. If you were to flood it from a single machine, you could only take out one of them. You would need at least 40 separate sources to flood all 40 machines.

Yet another defense is that ISPs cache results. Caching has problems of its own, such as returning stale data, but it means that if the root system failed, ISPs would still be able to return good-enough results from cache.
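As an added illustration of the two defenses above (the root only handing out referrals to the next level, and resolvers caching answers with a TTL), this toy iterative resolver is not code from the original post; its delegation data and addresses are constructed for the example. It shows a cold lookup walking root -> .com -> authoritative, a lookup that still succeeds from cached referrals while the root is marked unreachable, and the stale-answer trade-off when a record changes before its TTL expires.

```python
# Constructed delegation data for illustration; not real root-zone contents.
ROOT = "."
ZONES = {
    ROOT: {"com.": ("NS", "a.gtld.example.")},  # root only refers to TLD servers
    "com.": {"praetorian.com.": ("NS", "ns1.praetorian.example.")},
    "praetorian.com.": {"www.praetorian.com.": ("A", "192.0.2.10"),
                        "mail.praetorian.com.": ("A", "192.0.2.25")},
}
TTL = 3600  # seconds a record may be answered from cache

class ZoneUnreachable(Exception):
    pass

class CachingResolver:
    def __init__(self):
        self.cache = {}    # qname -> (rtype, value, expires_at)
        self.down = set()  # zones whose servers are currently unreachable

    def _lookup(self, zone, qname, now):
        hit = self.cache.get(qname)
        if hit and hit[2] > now:        # fresh cache entry: no query is sent at all
            return hit[0], hit[1], "cache"
        if zone in self.down:
            raise ZoneUnreachable(zone)
        rtype, value = ZONES[zone][qname]
        self.cache[qname] = (rtype, value, now + TTL)
        return rtype, value, zone

    def resolve(self, name, now):
        """Walk from the root one label at a time; return (ip, sources asked)."""
        labels = name.rstrip(".").split(".")
        zone, sources = ROOT, []
        for i in range(len(labels) - 1, -1, -1):
            qname = ".".join(labels[i:]) + "."
            rtype, value, src = self._lookup(zone, qname, now)
            sources.append(src)
            if rtype == "A":
                return value, sources
            zone = qname                # NS referral: ask the child zone next
        raise KeyError(name)

def demo():
    r = CachingResolver()
    ip, src = r.resolve("www.praetorian.com.", now=0)        # cold: walks from the root
    r.down.add(ROOT)                                          # root servers flooded
    ip2, src2 = r.resolve("mail.praetorian.com.", now=10)    # cached referrals suffice
    ZONES["praetorian.com."]["www.praetorian.com."] = ("A", "192.0.2.99")  # record changes
    stale, _ = r.resolve("www.praetorian.com.", now=20)      # old answer until TTL expires
    return src, src2, ip2, stale
```

Once the cached referrals expire, the same resolver with the root still down raises ZoneUnreachable, which is the limit of caching as a defense.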

As a result of all these defenses, it's unlikely that DoSing the root servers would be a viable attack. A better offense would be to find a DoS in popular software such as BIND or Microsoft DNS, catalogue all the servers that use it, then DoS them all at once.

One thing that I've always found curious was that the root servers don't use custom software, but instead off-the-shelf platforms like Solaris and BIND. We created the Proventia IPS using custom network drivers, custom TCP/IP stacks, and custom protocol parsers. Using similar techniques, we could create a system for serving 10 times the requests that such systems can currently handle.

2 comments:

a. said...

Maybe it takes too much time and energy to implement a custom solution. It might be cheaper to just throw more hardware at the problem.

An IDS/IPS "just" looks at network packets and then drops some. It's not easy, but I think it's a whole lot easier than writing something which answers requests from a gazillion DNS servers seven days a week. Answers them in a way that the other side (which might be broken one way or the other) does the right thing.

And though the Proventia is a very fine IDS/IPS, it has its share of false positives with some DNS packets. Hasn't it?

dre said...

Root DNS attacked, that's sooooo 20th century

People have their reasons for doing this today. Read on.

One defense implemented by servers has been to split the workload.

Only it wasn't originally planned as a defense. It was designed that way "to split the workload".

As a result of all these defenses, it's unlikely that DoSing the root servers would be viable attack.

It's not meant to be a viable attack. It's a testing playground for packet kiddies. If you can make a dent on the Root DNS infrastructure you get "mad props" or something. You can also measure how big your amplification attack can get. Practice makes perfect after all.

The Root DNS servers aren't the real target. They're just the test / pre-party.

A better offense would be to find a DoS in popular software such as BIND or Microsoft DNS, catalogue all the servers that use it, then DoS them all at once.

See my last two paragraphs. They aren't trying to find a specific DoS. They are trying to use a universal DDoS system based on UDP amplification... usually SOA RR's using the DNS.

DDoSers can repurpose their tools and attacks on others using these exact methods.

One thing that I've always found curious was that the root servers don't use custom software, but instead off-the-shelf platforms like Solaris and BIND.

That is totally untrue. The Root DNS infrastructure is far from a monoculture, and it is also far from even mostly "Solaris and BIND".

UltraDNS has their own name server software, as does GoDaddy, et al. djbdns, NSD, and many others make up the Root DNS infrastructure. Sorry if Microsoft and Apple DNS servers aren't used - they happen to be toys in comparison. Go run dnsfp and see for yourself. Remember that they use anycast, so you have to test from totally different networks to be sure!

We created the Proventia IPS... Using similar techniques, we could create a system for serving 10 times the requests that such systems can currently handle.

Other aspects to building a Root DNS infrastructure include cost, time, and availability. If you provide Proventia IPS boxes for free, Paul Vixie (or whoever) is probably going to ask you how long he can burn them in his lab for before putting them out in production (and it wouldn't surprise me if he asked for more than 3 years). Things like MTBF and MTTR are extremely important and delicate in this type of operation. Much more so than say, big destinations like Google/eBay/Yahoo. People tend to take Root DNS infrastructure pretty seriously.