Re: A code red that could bring down the net?
From: David R. Conrad (david.conrad@nominum.com) Date: 07/25/01
- Previous message: Christian Jean: "Re: NetBSD ipfilter stateful??"
- In reply to: Felix Harris: "Re: A code red that could bring down the net?"
- Next in thread: Ian Stoba: "Re: A code red that could bring down the net?"
- Next in thread: Patrick Smallwood: "RE: A code red that could bring down the net?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-Id: <5.0.2.1.2.20010724190116.02c2e490@localhost>
Date: Tue, 24 Jul 2001 20:36:25 -0700
To: felix@warlords.net, michael@mastergeek.com
From: "David R. Conrad" <david.conrad@nominum.com>
Subject: Re: A code red that could bring down the net?
Hi,
At 11:25 AM 7/24/2001 +0100, Felix Harris wrote:
> > 1) The Internet has a limited number of root name
> > servers.
Yes, 13. Nominum operates two (one for ISC and the other for NASA).
>This would
>mean that a DoS would have to operate until the cache expired, by
>which time the attacking hosts could have been filtered, or the root
>nameservers could have been kicked.
What you'd end up getting is a linearly increasing number of users
experiencing a denial of service. Small at first, as empty caches can't
get filled, increasing over time as cache entries expire. The root
operators would be aware of any issues long before significant numbers of
people noticed any degradation in name service.
> > 2) An application can easily be created to perform a
> > DOS attack on these root servers.
While I might argue "easily", it is indeed theoretically possible to come
up with an application that, when used with thousands of machines, could
generate a DOS effect on all 13 root name servers. The most significant
risk is the bandwidth going into the root name servers (however, since many
of the roots are located on IXes, ramping up bandwidth very quickly in an
emergency would be feasible). With that said, I am skeptical that such an
attempt could be successful long enough to have any significant effect.
>As I've said previously, DDos wouldn't work particularly well,
>because there's a lot of hosts to hit, and the root nameservers are
>fairly well maintained.
Yes. They are constantly monitored and the operators communicate among
themselves.
>The next suggestion would be just a typical
>memory leaky-thingy (I love technical terms) or something along
>those lines to kill the named.
No. Root servers are authoritative only. They don't cache. Their memory
footprint does not change over time, regardless of how many queries they
get or what the queries are for.
Rgds,
-drc
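The cache-expiry dynamic David describes above (no effect while resolvers still hold cached delegations, then a growing share of lookups failing as entries time out) can be made concrete with a small simulation. This is an added illustration, not code from the thread or from any root operator. It assumes a single recursive resolver, a constructed set of TLD delegations with deliberately short TTLs, and one query per TLD per second, so the failure curve is exact rather than statistical; the root is modelled as reachable until `outage_start` and unreachable afterwards.

```python
# Constructed delegation set: TLD -> TTL (seconds) of its NS records.
# Real root-zone TTLs are far longer (days); these are shortened for illustration.
TLD_TTLS = {"com": 3600, "net": 3600, "org": 1800, "uk": 900, "de": 600, "jp": 300}


class ResolverCache:
    """Minimal TTL cache standing in for a recursive resolver's delegation cache."""

    def __init__(self):
        self._expiry = {}  # name -> absolute expiry time (seconds)

    def get(self, name, now):
        """Return the expiry time if `name` is cached and fresh, else None."""
        exp = self._expiry.get(name)
        if exp is None or exp <= now:
            self._expiry.pop(name, None)  # expired entries are discarded
            return None
        return exp

    def put(self, name, ttl, now):
        self._expiry[name] = now + ttl


def resolve(cache, name, now, root_reachable):
    """True if the delegation for `name` can be obtained right now.

    Served from cache if fresh; otherwise the resolver must ask the root,
    which succeeds (and refills the cache) only while the root is reachable.
    """
    if cache.get(name, now) is not None:
        return True
    if root_reachable:
        cache.put(name, TLD_TTLS[name], now)
        return True
    return False


def simulate(outage_start, horizon, sample_every):
    """Query every TLD once per second for `horizon` seconds; the root is
    unreachable from `outage_start` onward. Returns a list of
    (window_end, fraction_of_queries_that_failed) per sampling window."""
    cache = ResolverCache()
    names = list(TLD_TTLS)
    samples, fails, total = [], 0, 0
    for t in range(horizon):
        reachable = t < outage_start
        for name in names:  # deterministic round-robin query pattern
            total += 1
            if not resolve(cache, name, t, reachable):
                fails += 1
        if (t + 1) % sample_every == 0:
            samples.append((t + 1, fails / total))
            fails, total = 0, 0
    return samples


def first_failure_time(name, outage_start):
    """Earliest second at which lookups for `name` start failing, given the
    refresh-on-expiry pattern above: the first TTL boundary at or after
    the outage begins."""
    ttl = TLD_TTLS[name]
    return -(-outage_start // ttl) * ttl  # ceil(outage_start / ttl) * ttl


if __name__ == "__main__":
    # Root becomes unreachable at t=1000s; observe the next 100 minutes.
    for window_end, frac in simulate(outage_start=1000, horizon=6000, sample_every=500):
        print(f"t<{window_end:5d}s  failing lookups: {frac:5.1%}")
    for n in TLD_TTLS:
        print(f"{n}: fails from t={first_failure_time(n, 1000)}s")
```

Nothing fails in the first two windows, the third window already shows a fifth of lookups failing (the two shortest TTLs have expired), and only after the longest TTL has lapsed does every lookup fail. Stretching the TTLs to real-world values stretches the curve with them, which is the grace period in which operators can notice and respond before most users see any degradation.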