[ISN] 'Net security gets root-level boost

From: InfoSec News (isn@private)
Date: Tue Oct 28 2003 - 02:18:12 PST

    http://www.nwfusion.com/news/2003/1027ddos.html
    
    By Carolyn Duffy Marsan and Cara Garretson
    Network World, 10/27/03
    
    A year after surviving a massive distributed denial-of-service attack, 
    the Internet's root servers are better fortified against hacker 
    activity, thanks to behind-the-scenes deployment of a routing 
    technique known as Anycast, experts say. 
    
    With Anycast, the root server operators have more than doubled the 
    number of server farms available to handle the highest-level DNS 
    queries. This routing technique heightens root server resilience by 
    multiplying the number of servers with the same IP address and 
    balancing the load across an army of geographically dispersed servers. 
    
    A handful of the 13 root server operators have begun deploying Anycast 
    since last year's attack, which didn't succeed in crashing DNS but 
    rendered several root servers unavailable for legitimate queries. 
    Experts say the deployment of Anycast is making the entire root-server 
    system more resistant to outage. 
    
    "More of the root server operators are doing this routing technique, 
    and the DNS is more robust than ever," says Paul Mockapetris, inventor 
    of the DNS and chairman of DNS software vendor Nominum. "The DNS is 
    more resilient than it was a year ago by a factor of two." 
    
    A reinforced DNS is a boon to enterprise network managers who need a 
    rock-solid root server and DNS system for all of their IP services to 
    function. However, one network executive resists putting much faith in 
    a new DNS technique until it's been tested under attack. 
    
    DNS is "still not as secure as it could be, or should be," says 
    Stephen Lengel, systems engineering manager at The ServiceMaster Co. 
    in Downers Grove, Ill., which provides heating, cooling, landscaping, 
    pest control and appliance maintenance services, and has about 20,000 
    users on its network. Despite the use of techniques such as Anycast, 
    no technology is 100% safe from attack, he adds. "It's usually just a 
    matter of time before someone exploits it or finds a hole in it." 
    
    While distributed DoS attacks have occurred for years, last October's 
    assault on the Internet's 13 root servers - which run the master 
    directory for lookups that match domain names with their corresponding 
    IP addresses - served as a wake-up call to the vulnerabilities 
    inherent in the distributed design of DNS. Below the root servers are 
    the servers that support top-level domains such as .com, .net and 
    .org, and below the top-level domain servers are hosts of Web sites. 
    
    During a distributed DoS attack, a hacker hijacks machines across the 
    Internet and uses them to send a flood of requests to a server until 
    it becomes overwhelmed and stops functioning. 
    
    Last October, the root servers were under a distributed DoS attack for 
    about an hour, causing several servers to stop being available to 
    regular Internet traffic. However, the remaining root servers 
    withstood the attack and ensured that the Internet's overall 
    performance was not degraded. Nonetheless, this was the most serious 
    hacker attack ever on this key piece of the Internet infrastructure, 
    and it was an eye-opener for the root-server operators. 
    
    Without the root servers, the Internet cannot function. Named by the 
    letters A through M, the root servers are operated by U.S. government 
    agencies, universities, nonprofit organizations and companies such as 
    VeriSign. Of the original 13 root servers, 10 are located in the U.S., 
    one in Asia and two in Europe. 
    
    With Anycast, the root server operators are replicating these servers 
    around the world. Four of the root-server operators - including the 
    Internet Software Consortium and VeriSign - have mirrored their root 
    servers. There are now 34 locations worldwide with root servers or 
    replicas deployed. 
    
    Using this technique, Internet addresses are "more like 800 numbers 
    that get routed to call centers," Mockapetris says. "There are...more 
    root servers scattered around the network than there used to be. It's 
    not necessarily that the servers are more available but that the [data 
    is] more distributed." 
    
    As extra root servers are deployed using Anycast, the root server 
    system acquires additional capacity if another distributed DoS attack 
    occurs. DNS experts say the root server system is much better equipped 
    to respond to this type of attack than it was a year ago, because of 
    Anycast and concurrent hardware and software upgrades. 
    
    "Trying to attack the root DNS servers is probably one of the most 
    foolish things you can do," says Daniel Golding, senior consultant 
    with Burton Group. "It's easy to down a single [Web] site, but with a 
    distributed infrastructure that's moving to Anycast, it's just really 
    kind of dumb. It's not going to be that effective." 
    
    Anycast is a routing technique in which the same block of IP 
    addresses is announced as reachable from a number of routers. The 
    announcements tell the Internet that queries to that address space 
    should go to the closest available router. The 10-year-old technique 
    is built into IPv6, the next generation of IP, but this is the first 
    time Anycast has been deployed in the DNS. 
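
    The closest-available-site behaviour described above, and the load
    spreading and failover the article credits Anycast with earlier, as an
    added Python model. This is not code from Network World or from any
    root-server operator; the site names, per-region path costs, query mix
    and the 192.0.2.0/24 documentation prefix are all constructed for the
    illustration, and "withdraw" stands in for a BGP route withdrawal.

```python
"""Toy model of DNS anycast failover (constructed example, not root-operator code)."""
from dataclasses import dataclass, field


@dataclass
class AnycastPrefix:
    """One IP prefix announced (via BGP in reality) from several sites."""
    prefix: str
    sites: dict                      # site -> {region: path cost}; constructed
    withdrawn: set = field(default_factory=set)

    def withdraw(self, site):
        """Pull a site's announcement, e.g. because that site is being flooded."""
        self.withdrawn.add(site)

    def reannounce(self, site):
        """Restore a site's announcement once it is healthy again."""
        self.withdrawn.discard(site)

    def route(self, region):
        """Closest site still announcing the prefix, as path selection would pick it."""
        reachable = [(cost[region], name) for name, cost in self.sites.items()
                     if name not in self.withdrawn and region in cost]
        return min(reachable)[1] if reachable else None

    def distribute(self, queries):
        """Spread (region, query_count) pairs over sites.

        Returns (load_per_site, unreachable_query_count).
        """
        load, unreachable = {}, 0
        for region, n in queries:
            site = self.route(region)
            if site is None:
                unreachable += n
            else:
                load[site] = load.get(site, 0) + n
        return load, unreachable


# Constructed topology: path cost (hops) from each resolver region to each site.
SITE_COSTS = {
    "us-east":  {"us": 2, "eu": 6, "asia": 9, "latam": 4},
    "london":   {"us": 6, "eu": 2, "asia": 8, "latam": 8},
    "hongkong": {"us": 9, "eu": 8, "asia": 2, "latam": 10},
}
# Constructed query mix: (resolver region, queries in the interval).
QUERIES = [("us", 400), ("eu", 300), ("asia", 200), ("latam", 100)]


def anycast_scenario():
    """Same prefix from three sites: losing one site reroutes its regions elsewhere."""
    anycast = AnycastPrefix("192.0.2.0/24", SITE_COSTS)   # RFC 5737 documentation prefix
    before = anycast.distribute(QUERIES)
    anycast.withdraw("us-east")                            # site overwhelmed, route pulled
    after = anycast.distribute(QUERIES)
    return before, after


def unicast_scenario():
    """Baseline: the same prefix from a single site, so one outage blackholes everything."""
    unicast = AnycastPrefix("192.0.2.0/24", {"us-east": SITE_COSTS["us-east"]})
    before = unicast.distribute(QUERIES)
    unicast.withdraw("us-east")
    after = unicast.distribute(QUERIES)
    return before, after


if __name__ == "__main__":
    for label, scenario in (("anycast", anycast_scenario), ("unicast", unicast_scenario)):
        before, after = scenario()
        print(f"{label}: healthy -> {before}; after losing us-east -> {after}")
```

    In the anycast run, withdrawing the us-east site sends the U.S. and
    Latin American regions to London and leaves nothing unanswered; in the
    unicast baseline the same withdrawal strands every query. The model
    ignores real-world details such as route propagation delay and the
    per-site capacity limits that decide whether a flooded site should be
    withdrawn at all. On a live anycast service you can see which instance
    is answering you with a CHAOS-class query such as
    `dig +short CH TXT hostname.bind @f.root-servers.net`, which ISC's F
    root supports.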
    
    "Anycasting is something that had been discussed among all of the root 
    operators for a considerable amount of time, long before the attacks 
    [of last October]," says Ken Silva, vice president of networks and 
    information security at VeriSign. But after the attacks "was the time 
    to roll it out," he says. 
    
    Starting last November, the Internet Software Consortium began 
    deploying mirrored copies of its F root server around the globe using 
    Anycast. Since then, the consortium has announced mirrored copies of 
    its U.S.-based root server being deployed in Brazil, Canada, Hong 
    Kong, Korea, New Zealand and Spain. Today, the F root server and its 
    replicas are located in 12 sites. 
    
    A year ago, VeriSign had a single address space for both its A and J 
    root servers, both of which remained operational during the 
    distributed DoS attack. Since then, VeriSign has acquired new address 
    space for the J root and deployed mirrored copies of it around the 
    globe. 
    
    VeriSign this year used Anycast to mirror its J root server in six 
    locations in the U.S. plus London and Amsterdam. VeriSign also has two 
    mobile Anycast sites for its J root, which can reside anywhere within 
    VeriSign's global network infrastructure if needed. 
    
    "We tested Anycast for about a year...to monitor its behavior," Silva 
    says. "These are important servers, and we didn't want to make any 
    rash decisions about deploying it." Silva says Anycast is working well 
    and hasn't introduced any major complexities or problems into the 
    Internet. 
    
    However, VeriSign has not used Anycast to mirror the A root server 
    that sits in a highly secured facility in Dulles, Va.
    
    "The A root sits on an address block that is shared with other legacy 
    services such as Whois and an InterNIC FTP server, so Anycasting that 
    address block is not a good idea right now," Silva says. "The A root 
    server has sufficient capacity for now, but we ultimately will Anycast 
    that server" after splitting off the legacy services. 
    
    Anycast has many benefits besides protection against distributed DoS 
    attacks. ISPs get faster response times to their root-server lookups 
    because the closest available server handles the queries and the 
    servers are more distributed. 
    
    The root-server system is more resilient now because many regions of 
    the world have local root servers that can continue to operate if a 
    major physical connection to the rest of the Internet suffers an 
    outage. 
    
    The root-server operators have spent millions of dollars on the 
    hardware, software and engineering expertise required to set up 
    mirrored sites around the globe using Anycast. VeriSign says it has 
    spent $150 million in the past two and a half years rolling out a more 
    secure and resilient infrastructure for its A and J roots and the .com 
    and .net top-level domains. This investment includes the deployment of 
    Anycast. 
    
    "The attacks of October last year didn't come as a surprise to us," 
    Silva says. "We feel we were prepared, but now we feel like we need to 
    be prepared for something even bigger." 
    
    -
    ISN is currently hosted by Attrition.org
    



    This archive was generated by hypermail 2b30 : Tue Oct 28 2003 - 05:10:33 PST