
DNSstuff Response - Root Server Internet Attack


admin
02-08-2007, 01:21 PM
DNSstuff RESPONSE

DNS TECH INCIDENT: Root Server Attack, February 7, 2007

NEWS / EDITORIAL LINKS:
http://www.cnn.com/2007/TECH/internet/02/06/internet.attacks.ap/index.html
http://hosted.ap.org/dynamic/stories/I/INTERNET_ATTACKS?SITE=WIRE&SECTION=HOME&TEMPLATE=DEFAULT

DNSstuff RESPONSE IN THE NEWS:
http://www.darkreading.com/document.asp?doc_id=116685&WT.svl=news1_1

WHAT HAPPENED?

The attack was apparently aimed primarily at the true root servers, which
are not nearly as frequently used as the .com parent servers. The .com
parent servers handle the millions of .com domains. The root servers are
still very important -- knowing what DNS servers to contact to look up any
DNS request -- but when they receive a DNS request for a .com domain, they
just give the DNS server a list of the .com parent servers, and say "You
can use these any time you have a .com DNS query for the next 48 hours."
So a DNS server will normally only connect to the root servers once every
48 hours, whereas they will connect to the .com DNS servers much more
frequently (in some cases, many times a second).

This was most likely a coordinated attack using preprogrammed or controlled
"bots" installed on unsuspecting users' computers. This software is typically
installed via a download or spam receipt and then hides on the user's
computer waiting for instructions, or waits until a specific time, and
then "attacks". These attacks could be as simple as sending many standard
DNS lookups to certain servers. In the case of this attack, the servers
which were targeted were F, G, I and M. If you refer to
http://www.root-servers.org/, you can see the IP address information, as
well as other data, for these servers. Further it appears that only G
suffered a mentionable impact. Again, an analogy for a distributed
denial-of-service (DDoS) attack is 10,000 people trying to call your phone
for a period of time. You can only deal with a certain number of calls
during that time, and the phone company can only deal with a certain number
of calls as well; this would cause many of the callers to get the dreaded
"all circuits are busy", and this is not happening because it is Mother's
Day - it is happening because some organized activity is taking place.


DID YOU KNOW?

Q: What is it that root name servers do exactly?

A: They are part of the Domain Name System (DNS), a worldwide distributed
database that is used to translate worldwide unique domain names such as
www.isoc.org to other identifiers. The DNS is an important part of the
Internet because it is used by almost all Internet applications.
The root name servers publish the root zone file to other DNS servers and
clients on the Internet. The root zone file describes where the
authoritative servers for the DNS top-level domains (TLD) are located; in
other words: which server one has to ask for names ending in one of 258
(December 2004) TLDs, such as ORG, NET, NL or AU.
For a detailed description of how the DNS works and the role of the root
name servers see: http://www.isoc.org/briefings/016/index.shtml
Source: www.isoc.org

WHY DIDN’T YOU FEEL IT?

It is unlikely that you experienced any DNS disruption. Since DNS
information is cached, most domain name resolution queries would be
answerable based on cached information.

Most importantly, there are currently 13 root name servers. Yesterday’s
attack involved only a handful of these servers. If one root name server
is unable to respond, the system is designed such that the load is
distributed among the remaining operational root servers. It is likely
that Internet users did not notice any disruption at all.

Additionally, the mention of 13 root servers is a little bit misleading as
there are actually 13 root server systems, each of which may be comprised
of one or many DNS servers. So while one of the servers within a root
system may be degraded others may or may not be. At this level, the DNS
system demonstrates a high level of resiliency.

WHAT IS THE POTENTIAL IMPACT OF THIS?

The impact of a well-executed attack could be significant. Basically, an
extensive, coordinated attack could make it difficult for computers to
communicate with each other using domain names. IP addresses would still
work, but how many people memorize the IP addresses of their favorite web
sites? Not too many. So while an attack was ongoing, users would be unable
to reach web sites and email would not be delivered.

ARE WE IN DANGER OF MORE/BIGGER ATTACKS – ABSOLUTELY!

The root servers are quite well designed and are quite resilient and
should be able to withstand most attacks as we have seen over recent
years. However, a more significant risk exists to smaller sets of users -
what if your domain's authoritative server was attacked? This is one of
the most significant areas of risk on the Internet today. It is not
difficult to coordinate and execute an attack on specific DNS servers and
render the domains they control effectively inoperative. There are many
things which can be done to help mitigate these risks but the majority of
domain holders are either unaware or unable to implement the necessary
changes.

DO YOUR PART:

There is nothing that most IT administrators can do about cases like this
happening at the root server level.

But we need to be prepared in the event of more damaging attacks on DNS
at the .com or .org level.

Based on an assumption that DNS client servers would only need to query
the root name servers about once every 48 hours, the expected load on all
the root servers is much less than it actually is in reality.
This is because there are many misconfigured or broken DNS clients,
resulting in many ‘invalid’ (unnecessary) queries being made to the root
servers, who must respond regardless. [Source: www.isoc.org]

DNSstuff has found in recent survey data that 70% of all DNS servers have
one or more misconfigured settings.

You can do your part by being proactive and running a DNSreport
(www.dnsstuff.com) to check and resolve any issues with your DNS settings.


In addition, we suggest you monitor your domain with a DNSstuff DNSalert,
so you will be notified when there are any changes to your DNS that may
require your attention.

We encourage you to respond in our forums with any questions or comments.

Remember, using DNSstuff tools helps mitigate the risk to your business
when DNS and Internet attacks occur.

Thank you,
Team DNSstuff
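The post's two load figures, a healthy resolver going to the root about once per 48-hour referral TTL versus misconfigured clients that hit the root on every lookup, can be reproduced with a toy model. This is an added example, not code from DNSstuff; the resolver class, TTL handling and the lookup stream are constructed for illustration.

```python
"""Added example (not from the DNSstuff post): a toy caching resolver that
shows why a correctly configured resolver contacts the root servers only
about once per referral TTL, while a non-caching ('broken') resolver sends
every lookup to the root. All names, TTLs and the lookup stream below are
constructed for illustration."""
from collections import Counter

ROOT_REFERRAL_TTL = 48 * 3600  # the 48-hour figure quoted in the post


class ToyResolver:
    """Caches the root's referral to each TLD's name servers, keyed by TLD."""

    def __init__(self, cache_referrals=True):
        self.cache_referrals = cache_referrals
        self.referral_cache = {}   # tld -> expiry timestamp (seconds)
        self.queries = Counter()   # whom we asked: 'root' or '<tld>-servers'

    def resolve(self, name, now):
        tld = name.rstrip(".").rsplit(".", 1)[-1]
        expiry = self.referral_cache.get(tld)
        if not (self.cache_referrals and expiry is not None and now < expiry):
            # No valid cached referral: ask a root server which servers are
            # authoritative for the TLD, and remember the answer for the TTL.
            self.queries["root"] += 1
            self.referral_cache[tld] = now + ROOT_REFERRAL_TTL
        # With the referral in hand, the TLD servers answer for the name.
        self.queries[f"{tld}-servers"] += 1
        return f"{tld}-servers"


def simulate(cache_referrals, lookups_per_hour=1000, hours=96):
    """Run a constant stream of .com lookups for `hours` hours and return
    how many queries reached the root servers."""
    resolver = ToyResolver(cache_referrals)
    for hour in range(hours):
        now = hour * 3600
        for i in range(lookups_per_hour):
            resolver.resolve(f"host{i}.example.com", now)
    return resolver.queries["root"]


if __name__ == "__main__":
    good = simulate(cache_referrals=True)
    broken = simulate(cache_referrals=False)
    print(f"caching resolver: {good} root queries in 96h")        # 2
    print(f"non-caching resolver: {broken} root queries in 96h")  # 96000
```

Over four days of 1,000 lookups per hour the caching resolver reaches the root twice (once per 48-hour TTL), while the non-caching one sends all 96,000 lookups there, which is the "invalid (unnecessary) queries" load the post describes.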