[ISN] Keeping ahead of DNS attacks

From: InfoSec News (isnat_private)
Date: Mon Jan 13 2003 - 00:30:27 PST


    By Paul Mockapetris 
    Special to ZDNet
    January 8, 2003
    COMMENTARY -- The domain name system--the global directory that maps
    names to Internet protocol addresses--was designed to distribute
    authority, making organizations literally "masters of their own
    domain." But with this mastery comes the responsibility of
    contributing to the defense of the DNS.

    The distributed denial-of-service (DDoS) attacks against the DNS root
    servers on Oct. 21, 2002, should serve as a wake-up call. The attack
    was surprisingly successful--most of the root servers were disrupted
    by a well-known attack strategy that should have been easily defeated.

    Future attacks against all levels of the DNS--the root at the top;
    top-level domains like .com, .org and the country codes; and
    individual high-profile domains--are inevitable.

    The October attack was a DDoS "ping" attack. The attackers broke into
    machines on the Internet (popularly called "zombies") and programmed
    them to send streams of forged packets at the 13 DNS root servers via
    intermediary legitimate machines. The goal was to clog the servers,
    and communication links on the way to the servers, so that useful
    traffic was gridlocked. The assault is not DNS-specific--the same
    attack has been used against several popular Web servers in the last
    few years.

    The legitimate use of ping packets is to check whether a server is
    responding, so a flood of ping packets is clearly either an error or
    an attack. The typical defense is to program routers to throw away
    excessive ping packets, which is called rate limiting. While this
    protects the server, the attack streams can still create traffic jams
    up to the point where they are discarded.
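The rate limiting described above, as an added example that is not part of the article: a token-bucket filter applied to ICMP echo requests, run over a constructed packet trace (normal DNS queries and a monitoring ping, with a three-second ping flood in the middle). The limiter parameters (10 packets per second, bursts of 20) and the trace are assumptions chosen for illustration. Comparing the bytes that arrive at the filter with the bytes that get past it shows the article's caveat: the flood still consumes capacity on every link up to the point where it is discarded, and the limiter cannot tell the legitimate monitoring ping from the flood.

```python
# Added example: token-bucket rate limiting of ICMP echo requests over a constructed trace.
# Times are integer microseconds so the token arithmetic is exact.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t_us: int       # arrival time in microseconds
    proto: str      # "dns" or "icmp-echo"
    length: int     # bytes on the wire
    legit: bool     # constructed ground truth, used only for reporting collateral drops


class TokenBucket:
    """Admit up to `rate` packets per second, with bursts of at most `burst` packets."""

    def __init__(self, rate: int, burst: int):
        self.rate = rate
        self.burst_micro = burst * 1_000_000      # tokens are kept in millionths
        self.tokens_micro = self.burst_micro      # bucket starts full
        self.last_us = 0

    def allow(self, t_us: int) -> bool:
        elapsed = t_us - self.last_us
        self.last_us = t_us
        self.tokens_micro = min(self.burst_micro, self.tokens_micro + elapsed * self.rate)
        if self.tokens_micro >= 1_000_000:        # one whole token pays for one packet
            self.tokens_micro -= 1_000_000
            return True
        return False


def apply_icmp_rate_limit(packets, rate=10, burst=20):
    """Forward everything except ICMP echo requests that exceed the bucket's budget."""
    bucket = TokenBucket(rate, burst)
    passed, dropped = [], []
    for p in sorted(packets, key=lambda p: p.t_us):   # stable sort: earlier entries win ties
        if p.proto == "icmp-echo" and not bucket.allow(p.t_us):
            dropped.append(p)
        else:
            passed.append(p)
    return passed, dropped


def build_trace():
    """Constructed trace: 10 s of normal traffic with a 3 s ping flood from t=3 s to t=6 s."""
    trace = []
    for i in range(100):                               # DNS queries, 10 per second, 60 bytes
        trace.append(Packet(i * 100_000, "dns", 60, True))
    for i in range(10):                                # one monitoring ping per second
        trace.append(Packet(500_000 + i * 1_000_000, "icmp-echo", 64, True))
    for i in range(3000):                              # flood: 1000 pings/s, 1000-byte packets
        trace.append(Packet(3_000_000 + i * 1000, "icmp-echo", 1000, False))
    return trace


def summarize(passed, dropped):
    """Bytes that reached the filter versus bytes that got past it, plus collateral damage."""
    return {
        "upstream_bytes": sum(p.length for p in passed + dropped),
        "delivered_bytes": sum(p.length for p in passed),
        "dns_passed": sum(p.proto == "dns" for p in passed),
        "icmp_passed": sum(p.proto == "icmp-echo" for p in passed),
        "icmp_dropped": len(dropped),
        "legit_pings_dropped": sum(p.legit for p in dropped),
    }


if __name__ == "__main__":
    passed, dropped = apply_icmp_rate_limit(build_trace())
    for key, value in summarize(passed, dropped).items():
        print(f"{key:>20}: {value}")
```

The DNS traffic is untouched because the limiter only ever consults the bucket for echo requests; the flood is cut to roughly the bucket's budget (the initial burst plus ten packets per second), yet every one of the three million flood bytes still crossed the links in front of the filter, and the monitoring pings that arrive during the flood compete for the same tokens.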
    Excess capacity in the network can help against such attacks, as long
    as the additional bandwidth can't be used to carry additional attacks.

    By intent, root servers are deployed at places in the network where
    multiple Internet service providers intersect. In the October attacks,
    some networks filtered out the attack traffic while others did not, so
    a particular root server would seem to be "up" for a network that was
    filtering and "down" for one that was not.

    Unlike most DDoS attacks, which fade away gradually, the October
    strike on the root servers stopped abruptly after about an hour,
    probably to make it harder for law enforcement to trace.

    DNS caching kept most people from noticing this assault. In very rough
    terms, if the root servers are disrupted, only about 1 percent of the
    Internet should notice for every two hours the attack continues--so it
    would take about a week for an attack to have a full effect. In this
    cat-and-mouse game between the attackers and network operators,
    defenders count on having time to respond to an assault.
    Defending the root

    The root servers are critical Internet resources, but occupy the "high
    ground" in terms of defensibility. The root server database is small
    and changes infrequently, and entries have a lifetime of about a week.

    Any organization can download an entire copy of the root database,
    check for updates once a day, and stay current with occasional
    reloads. A few organizations do this already.

    Root server operators are also starting to deploy root servers using
    "anycast" addresses that allow multiple machines in different network
    locations to look like a single server.

    In short, defending the DNS root is relatively easy since it is
    possible to minimize the importance of any root server, by creating
    more copies of the root database--some private, some public.

    Top-level domains, or TLDs, will be much harder to defend. The copying
    strategy that can defend the root server will not work for most TLDs.

    It is much harder to protect, say, .com or .fr than to defend the
    root. This is because the data in TLDs is more voluminous and more
    volatile, and the owner is less inclined to distribute copies for
    privacy or commercial reasons.

    There is no alternative. TLD operators must defend their DNS servers
    with rate-limiting routers and anycast because consumers of the TLD
    data cannot insulate themselves from the attacks.
    Defending your organization

    If your organization has an intranet, you should provide separate
    views of DNS to your internal users and your external customers. This
    will isolate the internal DNS from external attacks. Copy the root
    zone to insulate your organization from future DDoS attacks on the
    root. Consider also copying DNS zones from business partners on
    extranets. When DNS updates go over the Internet, they can also be
    hijacked in transit--use TSIGs (transaction signatures) to sign them
    or send updates over VPNs (virtual private networks) or other

    But understand that until tools for digital signatures in DNS are
    finished and deployed, you are going to be at risk from the DNS
    counterfeiting attacks that lie not too far in the future (and that
    have apparently already occurred in China). Unfortunately for those of
    us who depend on the Internet, the attackers seem likely to strengthen
    their tactics and distribute new attackware, while the Internet
    community struggles to mount a coordinated approach to DNS defense.
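The TSIG protection for DNS updates recommended in the section above, as an added example that is not part of the article and not code from any DNS server: a dynamic UPDATE message is built, signed with a shared-secret TSIG record laid out as in RFC 2845, and then checked the way a receiving server would (key name, MAC, time window). HMAC-SHA256 (the RFC 4635 algorithm name) is used here rather than the HMAC-MD5 that was standard when the article was written; the zone, key name, secret and timestamp are constructed test values. Covering the whole message with the MAC is what lets the receiver reject an update altered in transit, and the time-signed/fudge window is what bounds replays of a captured update.

```python
# Added example: TSIG (RFC 2845 record layout, HMAC-SHA256 per RFC 4635) on a DNS UPDATE.
# Constructed test values throughout; not the article's or any DNS server's code.
import hashlib
import hmac
import struct
import time

TSIG_TYPE = 250                 # RR type number assigned to TSIG
HMAC_SHA256 = "hmac-sha256."    # algorithm name; the 2003-era default was HMAC-MD5


def wire_name(name):
    """Canonical wire form of a domain name: lower-case labels, no compression."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(buf, off):
    """Decode a wire-form name at `off`, following a compression pointer if one appears."""
    labels = []
    while True:
        length = buf[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if length & 0xC0 == 0xC0:                      # pointer: rest of the name lives elsewhere
            tail, _ = read_name(buf, struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(buf[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC (RFC 2845 section 3.4.2), in digest order."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0)          # CLASS ANY, TTL 0
            + wire_name(algorithm) + time_signed.to_bytes(6, "big")   # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def build_update(zone="example.com.", name="www.example.com.", ip="192.0.2.10", msg_id=0x1234):
    """Constructed dynamic UPDATE (RFC 2136 layout): add an A record for `name` in `zone`."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)      # opcode 5 = UPDATE
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)          # SOA, IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    update = wire_name(name) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata   # A, IN, TTL 300
    return header + zone_section + update


def tsig_sign(message, key_name, key, time_signed=None, fudge=300):
    """Append a TSIG RR whose MAC covers the unsigned message plus the TSIG variables."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(key, message + tsig_variables(key_name, HMAC_SHA256, time_signed, fudge),
                   hashlib.sha256).digest()
    rdata = (wire_name(HMAC_SHA256) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + message[:2] + struct.pack("!HH", 0, 0))              # original ID, error, other len
    tsig_rr = wire_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1           # the TSIG RR counts in ARCOUNT
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def split_tsig(signed):
    """Return the bytes before the trailing TSIG RR and that RR's parsed fields."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        raise ValueError("no TSIG record present")
    off = 12
    for _ in range(qd):                                # zone/question entries: name, type, class
        off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):                  # skip every RR except the last one
        off = read_name(signed, off)[1] + 8            # type, class, TTL
        off += 2 + struct.unpack("!H", signed[off:off + 2])[0]
    start = off
    name, off = read_name(signed, off)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    if rtype != TSIG_TYPE or rclass != 255:
        raise ValueError("last record is not a TSIG RR")
    algorithm, off = read_name(signed, off + 10)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac, off = signed[off + 10:off + 10 + mac_size], off + 10 + mac_size
    error, other_len = struct.unpack("!HH", signed[off + 2:off + 6])
    fields = dict(name=name, algorithm=algorithm, time_signed=time_signed, fudge=fudge, mac=mac,
                  original_id=signed[off:off + 2], error=error, other=signed[off + 6:off + 6 + other_len])
    return signed[:start], fields


def tsig_verify(signed, key_name, key, now=None):
    """Check key name, MAC and time window in RFC 2845 order; returns (ok, reason)."""
    body, t = split_tsig(signed)
    if wire_name(t["name"]) != wire_name(key_name) or wire_name(t["algorithm"]) != wire_name(HMAC_SHA256):
        return False, "BADKEY"
    arcount = struct.unpack("!H", body[10:12])[0] - 1              # message as it was before signing
    restored = t["original_id"] + body[2:10] + struct.pack("!H", arcount) + body[12:]
    expected = hmac.new(key, restored + tsig_variables(t["name"], t["algorithm"], t["time_signed"],
                                                       t["fudge"], t["error"], t["other"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, t["mac"]):
        return False, "BADSIG"
    now = int(time.time()) if now is None else now
    if abs(now - t["time_signed"]) > t["fudge"]:
        return False, "BADTIME"
    return True, "NOERROR"
```

The verifier checks the key name before the MAC and the MAC before the clock, so an attacker who alters the A record, swaps the key, or replays a captured update outside the fudge window is refused with a distinct reason, which is also what a server would log. The secret itself never travels with the message; only a MAC over the message and the TSIG variables does.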
    Paul Mockapetris, the inventor of the domain name system, is chief
    scientist and chairman of the board at Nominum.
    ISN is currently hosted by Attrition.org
