I thought that was the most likely situation. There may also have been measurement problems due to ISPs turning off transport of ICMP pings and due to ICMP packets being preferentially dropped, which would explain some of the measurements.

I don't think the answer is to redesign DNS for several reasons, not least the fact that there are other critical infrastructures susceptible to DoS attack. What we need is some sort of mechanism for providing a trusted advertisement that a critical site is under DoS attack from specific (or non-specific) sources. Then we can start implementing successive blocking of the attack packets in the infrastructure.

For example we could have DOCSIS III have a filtering capability that could be turned on by the cable provider to block packets on specific ports to specific destinations. This would provide a cheap and lightweight handle for turning off machines that have been compromised and turned into a DDoS drone.

Phill

> -----Original Message-----
> From: John S. Quarterman [mailto:jsq@matrix.net]
> Sent: Monday, November 25, 2002 11:37 AM
> To: Hallam-Baker, Phillip
> Cc: John S. Quarterman; 'D. J. Bernstein'; namedroppers@ops.ietf.org
> Subject: Re: DNS Server DoS Attacks
>
> > Second it would be useful to know which systems (if any) went down. To
> > date I know the identity of 5 of the 4 servers that stayed up and do not
> > know the identity of a single machine that went down.
>
> All 13 root DNS servers were up during the DDoS attack of 22-23 October 2002.
> 3 of them turned off ICMP ECHO responses, but were responding to DNS requests.
> There were side effects on Internet performance elsewhere.
>
> -jsq