Re: A code red that could bring down the net?

From: David R. Conrad (david.conradat_private)
Date: Tue Jul 24 2001 - 20:36:25 PDT


    Hi,
    
    At 11:25 AM 7/24/2001 +0100, Felix Harris wrote:
    > > 1) The Internet has a limited number of root name
    > > servers.
    
    Yes, 13.  Nominum operates two (one for ISC and the other for NASA).
    
    >This would
    >mean that a DoS would have to operate until the cache expired, by
    >which time the attacking hosts could have been filtered, or the root
    >nameservers could have been kicked.
    
    What you'd end up getting is a linearly increasing number of users 
    experiencing a denial of service.  Small at first, as empty caches can't 
    get filled, increasing over time as cache entries expire.  The root 
    operators would be aware of any issues long before significant numbers of 
    people noticed any degradation in name service.
    
    > > 2) An application can easily be created to perform a
    > > DOS attack on these root servers.
    
    While I might argue "easily", it is indeed theoretically possible to come 
    up with an application that, when used with thousands of machines, could 
    generate a DOS effect on all 13 root name servers.  The most significant 
    risk is the bandwidth going into the root name servers (however, since many 
    of the roots are located on IXes, ramping up bandwidth very quickly in an 
    emergency would be feasible).  With that said, I am skeptical that such an 
    attempt could be successful long enough to have any significant effect.
    
    >As I've said previously, DDos wouldn't work particularly well,
    >because there's a lot of hosts to hit, and the root nameservers are
    >fairly well maintained.
    
    Yes.  They are constantly monitored and the operators communicate among 
    themselves.
    
    >The next suggestion would be just a typical
    >memory leaky-thingy (I love technical terms) or something along
    >those lines to kill the named.
    
    No.  Root servers are authoritative only.  They don't cache.  Their memory 
    footprint does not change over time, regardless of how many queries they 
    get or what the queries are for.
    
    Rgds,
    -drc
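
The cache-expiry effect described in this message, as an added toy model that is not part of the original post: resolvers with an empty cache fail as soon as the roots are unreachable, and the rest fail one by one as their cached entries expire. The TTL value, the resolver counts, the even spread of expiry times and the function names are all assumptions made for illustration.

```python
# Added toy model (constructed; not from the original message).
from bisect import bisect_right

TTL = 172_800   # assumed TTL (seconds) of cached TLD delegations: 2 days
WARM = 1_000    # assumed resolvers holding a cached delegation at outage start
COLD = 10       # assumed resolvers starting with an empty cache


def remaining_ttls(warm=WARM, ttl=TTL):
    """Seconds left on each warm cache entry when the roots go dark.

    Assumption: entries were refreshed at evenly spread moments over the
    previous TTL window, so remaining lifetimes are evenly spread too.
    """
    return [ttl * (i + 1) // warm for i in range(warm)]


def affected_count(t, warm=WARM, cold=COLD, ttl=TTL):
    """Resolvers unable to resolve names t seconds into the outage.

    Cold resolvers fail at once; a warm one fails when its entry expires.
    """
    if t < 0:
        raise ValueError("t must be >= 0")
    expired = bisect_right(remaining_ttls(warm, ttl), t)
    return cold + expired


def affected_fraction(t, warm=WARM, cold=COLD, ttl=TTL):
    """Share of all modelled resolvers that are failing at time t."""
    return affected_count(t, warm, cold, ttl) / (warm + cold)


if __name__ == "__main__":
    # Growth is linear in outage length until every cached entry has expired.
    for hours in (0, 1, 6, 12, 24, 48):
        t = hours * 3600
        print(f"{hours:>2} h outage: {affected_count(t):>4} resolvers "
              f"({affected_fraction(t):.1%}) cannot resolve")
```

Under these assumptions a one-hour outage reaches about 3% of resolvers, which is the window in which operators can filter traffic or add bandwidth.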
    


