Free Republic
News/Activism

Denial of Service Attack at Internet Root Servers
AP ^ | 22 OCT 2002 | TED BRIDIS

Posted on 10/22/2002 4:54:09 PM PDT by j_tull

To: FreeTheHostages
Thanks Free..., I guess I was hoping for something more along the lines of Howlin's lightning button or some super secret "go f*ck yourself" command that only THE root could originate.
41 posted on 10/22/2002 7:41:42 PM PDT by j_tull
[ Post Reply | Private Reply | To 37 | View Replies]

To: j_tull
the root can do a lot. root operators are very powerful. but they work together and coordinate and share intelligence for maximum effect. they have their own internet version of norad -- where they have tactical stuff ready to go if something devastating is launched.
42 posted on 10/22/2002 7:42:50 PM PDT by FreeTheHostages
[ Post Reply | Private Reply | To 41 | View Replies]

To: FreeTheHostages
Nice to know, but I was so pissed at my computer I almost reformatted. Sheesh!
43 posted on 10/22/2002 7:46:26 PM PDT by Cold Heat
[ Post Reply | Private Reply | To 42 | View Replies]

To: All; Fred Mertz; swarthyguy; clamboat
Is there any relation between the President's Critical Infrastructure Protection Board and the National Infrastructure Protection Center at which Linda Franklin (the victim of the Home Depot murder) worked and "studied terror threats"?
44 posted on 10/22/2002 7:49:09 PM PDT by aristeides
[ Post Reply | Private Reply | To 21 | View Replies]

To: j_tull
The reason Microsoft stuff should never be put on internet servers. I wouldn't lay bets on what's running those backbone servers; but, can anyone who runs MS at work or home imagine the damage that could occur by using an MS based web server knowing it's not only junkware but also the prime target for virii (misery loves company btw)?
45 posted on 10/22/2002 7:54:41 PM PDT by Havoc
[ Post Reply | Private Reply | To 1 | View Replies]

To: unixfox
was in Cozumel, Mexico when it happened.

Lucky you!! The last time I was there, a local kid sneezed in my face and I was sick for a week!!

46 posted on 10/22/2002 7:54:52 PM PDT by potlatch
[ Post Reply | Private Reply | To 32 | View Replies]

To: Havoc
I wouldn't lay bets on what's running those backbone servers;

Remember Sun's "we're the 'dot' in 'dot com'?" They subsequently lost that contract.
47 posted on 10/22/2002 7:59:30 PM PDT by j_tull
[ Post Reply | Private Reply | To 45 | View Replies]

To: calenel
CHINA...yes, China

-----

http://www.infowar.com/mil_c4i/00/mil_c4i_101100b_j.shtml

10/11/00
China Threatens 'Electronic Pearl Harbor' Attack on U.S.

NewsMax.com
Wednesday, Oct. 11, 2000

Nations lacking military muscle could create an "electronic Pearl Harbor" that could defeat the U.S. by using electronic warfare to cripple America’s high-tech-dependent armed forces, an official Chinese report claims.

In the report, "The U.S. Military's Soft Ribs and Strategic Weaknesses," which analyzed America’s military doctrines, the strategies and tactics that Beijing could use against the U.S. were revealed by the official Chinese Xinhua news agency.

According to the authoritative American Foreign Policy Council (AFPC), the Beijing document explained how China or any other country could use electronic warfare against the U.S.:
****** more ... see link above

48 posted on 10/22/2002 8:03:27 PM PDT by edwin hubble
[ Post Reply | Private Reply | To 20 | View Replies]

To: j_tull
Gotta be better on the network than MS though. LOL. I speak from experience (don't pity me, I get paid for it too) LOL
49 posted on 10/22/2002 8:05:11 PM PDT by Havoc
[ Post Reply | Private Reply | To 47 | View Replies]

To: j_tull
j_tull... I meant to send reply #48 to you...
50 posted on 10/22/2002 8:05:33 PM PDT by edwin hubble
[ Post Reply | Private Reply | To 1 | View Replies]

To: justlurking
The SYN/ACK DDoS attack I referred to works no matter what's running on the victim--it's targeted at the victim's resources--not any particular server. The attacker sends SYN packets at each host he wants to send traffic to the victim, with the victim's IP in the source address. The server SYN/ACKS to the victim, whose stack doesn't have a clue what to do with the packet. Gibson has a write-up on this attack somewhere on grc.com, if I remember correctly.
51 posted on 10/22/2002 9:01:08 PM PDT by dwollmann
[ Post Reply | Private Reply | To 38 | View Replies]

To: j_tull
Here's my personal, gut feeling (and I'm in the computer security industry). This was a test. The real thing is going down on 26 October - the date selected for nationwide anti-war rallies.

Mind you, I've been wrong before and this is purely a gut feeling. But the hacker community seems to be in lockstep against "Dubya's war for oil to avenge his daddy" and they've been itching to find an excuse to use their Distributed Denial of Service (DDOS) zombie farms for a common hacktivist cause. 26 October marks the biggest anti-war event yet.

52 posted on 10/22/2002 9:10:45 PM PDT by Spiff
[ Post Reply | Private Reply | To 1 | View Replies]

To: Arkinsaw
No idea where it came from. How is that?

That's my theory, and I'm sticking to it.

53 posted on 10/22/2002 9:17:15 PM PDT by Frances_Marion
[ Post Reply | Private Reply | To 4 | View Replies]

To: j_tull
The article said this was on Monday. It was also happening Sunday evening for a period of time.
54 posted on 10/22/2002 9:20:24 PM PDT by isthisnickcool
[ Post Reply | Private Reply | To 1 | View Replies]

To: j_tull; Havoc
Remember Sun's "we're the 'dot' in 'dot com'?" They subsequently lost that contract.

The trial run of the slogan went: "Sun. We're the invisible dot at the end of dot com. Really. No, really, there's an invisible dot at the end. That's us."

55 posted on 10/22/2002 9:32:35 PM PDT by toenail
[ Post Reply | Private Reply | To 47 | View Replies]

To: j_tull
"As best we can tell, no user noticed and the attack was dealt with and life goes on," said Louis Touton, vice president for the Internet Corporation for Assigned Names and Numbers, the Internet's key governing body.

I noticed severe slowdowns both yesterday and today, no idea if the problems are related to this reported attack, but many sites were terribly slow.

56 posted on 10/22/2002 9:39:39 PM PDT by UnBlinkingEye
[ Post Reply | Private Reply | To 1 | View Replies]

To: dwollmann
SYN/ACK is only a vulnerability if the server accepts TCP connections. Since DNS is nominally a UDP protocol, it's connectionless. There is no SYN/ACK handshake to create a connection: a request comes in, a reply goes out. If the server doesn't reply to the request for any reason, it's the responsibility of the application to retry or take other action. That's what the U in UDP means: Unreliable.

The DNS protocol does provide a TCP port for name service, but convention discourages its use. I wouldn't be surprised if the root servers don't support it, due to the resources that would be required to support a large number of users.

However, zone transfers (which update DNS servers) use TCP in order to preserve data integrity. There are presumably some security measures in place to protect against a SYN flood.

It turns out that this was indeed a DDoS attack, but it was a flood of ICMP echo requests. That made it very easy to filter with a firewall, although the attack apparently ended very quickly. See this posting for details.

57 posted on 10/22/2002 9:54:24 PM PDT by justlurking
[ Post Reply | Private Reply | To 51 | View Replies]
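
Added example, not part of the thread or of any poster's code: a defender-side check for the two traffic patterns discussed in replies 51 and 57, namely SYN/ACKs arriving at a host that never sent the matching SYN, and a burst of inbound ICMP echo requests. The record layout, the addresses (RFC 5737 documentation ranges), the one-second window and the threshold of 20 are all assumptions chosen for illustration.

```python
from collections import Counter

LOCAL = "192.0.2.10"  # monitored host (assumed; RFC 5737 documentation address)

def sample_packets():
    """Constructed records, not a real capture:
    (time_s, src, sport, dst, dport, proto, kind)"""
    pkts = [
        (0.00, LOCAL, 40000, "198.51.100.5", 80, "tcp", "SYN"),
        (0.04, "198.51.100.5", 80, LOCAL, 40000, "tcp", "SYN/ACK"),  # solicited
        (0.10, "203.0.113.7", 80, LOCAL, 51515, "tcp", "SYN/ACK"),   # no SYN sent
        (0.11, "203.0.113.9", 443, LOCAL, 51516, "tcp", "SYN/ACK"),  # no SYN sent
        (0.50, "198.51.100.20", 0, LOCAL, 0, "icmp", "echo-request"),  # lone ping
    ]
    # 30 echo requests from 30 different sources within one second
    pkts += [
        (2.0 + i / 100, f"203.0.113.{i + 20}", 0, LOCAL, 0, "icmp", "echo-request")
        for i in range(30)
    ]
    return pkts

def unsolicited_synacks(packets, local=LOCAL):
    """Sources of SYN/ACKs that answer no SYN the local host sent."""
    pending = set()  # (local_port, remote_ip, remote_port) of our own SYNs
    flagged = []
    for _, src, sport, dst, dport, proto, kind in sorted(packets):
        if proto != "tcp":
            continue
        if src == local and kind == "SYN":
            pending.add((sport, dst, dport))
        elif dst == local and kind == "SYN/ACK":
            key = (dport, src, sport)
            if key in pending:
                pending.discard(key)   # handshake we started ourselves
            else:
                flagged.append(src)    # reply to a SYN we never sent
    return flagged

def echo_flood_windows(packets, local=LOCAL, window=1.0, threshold=20):
    """Window start times where inbound echo requests exceed the threshold."""
    counts = Counter(
        int(t // window)
        for t, _, _, dst, _, proto, kind in packets
        if dst == local and proto == "icmp" and kind == "echo-request"
    )
    return {w * window: n for w, n in counts.items() if n > threshold}

if __name__ == "__main__":
    pkts = sample_packets()
    print("unsolicited SYN/ACK from:", unsolicited_synacks(pkts))
    print("echo flood windows:", echo_flood_windows(pkts))
```
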

Comment #58 Removed by Moderator

Comment #59 Removed by Moderator

To: justlurking
It turns out that this was indeed a DDoS attack, but it was a flood of ICMP echo requests. That made it very easy to filter with a firewall, although the attack apparently ended very quickly. See this posting for details.

Hmm... I would have imagined that the maintainers of the roots would have LONG ago turned off ICMP at the routers. That doesn't stop ICMP requests from flooding the routers, but then you realize that the routers feeding these boxes have some decent load balancing going on, so you'd have to REALLY do a massive PoD (ping of death) to swamp it, and even then you're just pegging the router, not the actual DNS server.

Oh well... I figured that just doing a flood of dns lookups might have been sufficient to peg these machines. Nothing more complicated than a bunch of machines doing tons of UDP requests to port 51 and then not even bothering to listen for a response before sending thousands more.

To answer other questions, I could be entirely off my rocker, but I'm fairly certain the roots run just customized *nix of some form, with only DNS doing anything on the machine. Nothing too fancy besides some nice hardware, stable OS, plenty of redundant bandwidth. DNS requests aren't exactly high bandwidth anyway, so it takes surprisingly little to be able to manage a lot of requests.

60 posted on 10/22/2002 10:12:26 PM PDT by MPB
[ Post Reply | Private Reply | To 57 | View Replies]

