Why not go the whole hog and transport the entire DNS system over Napster? Of course this would have some minor inconveniences, not least the fact that the assumed resilience of the other infrastructure might be imagined and none of the existing software would work.

Anything at the application layer has a severe bootstrap problem. Hint: I don't type a raw IP address into my newsreader, I type nntp.attbi.com...

Plus DoS attacks against NNTP are quite easy, particularly at the local level. The services are not configured as critical infrastructure. All it takes is one news server configured with a guest login account and that server can be used to take down Usenet. Flood fill breaks both ways. Usenet is the biggest packet amplifier out there.

Before chasing off with 'fixes' that change the whole architectural model I would like to know some information about the purported success of the attack. Specifically, did any machines actually go down, or was the reported 'unavailability' due to ISPs and others turning off ICMP responses? Several of the 'measurement' sites were using ping packets.

This is a classic example of a reputation attack. We had one at the White House once. The router blew a fuse and before it was fixed a bunch of Russian hackers were claiming to Wired.com that they were responsible.

First we need to get the measurement sites reconfigured so that they use an actual DNS query and not a PING packet.

Second it would be useful to know which systems (if any) went down. To date I know the identity of 5 of the 4 servers that stayed up and do not know the identity of a single machine that went down.

Then we should consider architectural approaches such as using anycast that allow DNS to be DoS proofed without disruption.

Phill

> -----Original Message-----
> From: D. J. Bernstein [mailto:djb@cr.yp.to]
> Sent: Sunday, November 24, 2002 4:27 AM
> To: namedroppers@ops.ietf.org
> Subject: Re: DNS Server DoS Attacks
>
> Rob Payne writes:
> > You want to turn the root zone into a signed "hosts.txt" (RFC 952,
> > 953), and how, exactly does that scale
>
> I already answered that: ``Effects on load: Everybody will receive the
> entire zone, rather than just the parts they need. On the other hand,
> any sensible format would be much smaller than DNS packet format. More
> importantly, the data will be cached much more effectively than it is
> with the current root-zone protocol. Most importantly, the load will be
> very widely distributed.''
>
> The last factor is, as I said, the most important one. USENET wouldn't
> notice if ten copies of the root zone---or ten thousand copies---were
> sent out every day.
>
> > it did not scale the last time
>
> Nobody really tried to make it scale, but this is beside the point.
> ``Root zone'' does not mean ``complete list of Internet hosts.''
>
> ---D. J. Bernstein, Associate Professor, Department of Mathematics,
> Statistics, and Computer Science, University of Illinois at Chicago
>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
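Phill's point that availability should be measured with a real DNS query rather than a ping, as an added Python example that is not from this thread: it builds a ". NS" query by hand, sends it over UDP/53 to an address the operator supplies, and classifies the reply from the DNS header, so a host that still answers ICMP but returns SERVFAIL, an empty answer or nothing at all is reported as down. The two sample replies at the bottom are constructed for offline checking, not captured traffic.

```python
import socket
import struct

def encode_name(name: str) -> bytes:
    """RFC 1035 label encoding; "." encodes as the single root byte."""
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname: str = ".", qtype: int = 2, txid: int = 0x1234) -> bytes:
    """Non-recursive query (flags 0); the default asks the root for its NS set."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_response(data: bytes, expected_id: int):
    """Judge a reply from its header: (True, "ok") only for a real, non-error answer."""
    if len(data) < 12:
        return False, "truncated"
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_id:
        return False, "id mismatch"
    if not flags & 0x8000:          # QR bit clear: a query echoed back, not a response
        return False, "not a response"
    rcode = flags & 0x000F
    if rcode != 0:                  # e.g. 2 = SERVFAIL, 5 = REFUSED
        return False, f"rcode {rcode}"
    if an == 0 and ns == 0:         # responded, but carries no records at all
        return False, "empty answer"
    return True, "ok"

def probe_dns(server_ip: str, timeout: float = 2.0):
    """Send ". NS" over UDP/53 to server_ip and classify the reply; no reply is a failure."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(".", 2, txid), (server_ip, 53))
            data, _ = s.recvfrom(4096)
        except OSError as e:        # timeout, ICMP port unreachable, ...
            return False, e.__class__.__name__
    return parse_response(data, txid)

# Constructed sample replies (not captured traffic) so the classifier can be checked offline.
# Healthy: QR=1 AA=1 RCODE=0 with one NS record (a real root returns all of them plus glue).
_NS = encode_name("a.root-servers.net")
SAMPLE_OK = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
             + encode_name(".") + struct.pack("!HH", 2, 1)
             + encode_name(".") + struct.pack("!HHIH", 2, 1, 518400, len(_NS)) + _NS)
# Overloaded: QR=1 RD=1 RA=1 RCODE=2 (SERVFAIL), question echoed back, no records.
SAMPLE_SERVFAIL = (struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)
                   + encode_name(".") + struct.pack("!HH", 2, 1))
```

A measurement site would call `probe_dns()` against each server on a schedule and count only `(True, "ok")` as "up"; the ICMP state of the host never enters into it.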