I had more important things on my mind a couple of weeks ago when the DNS (Domain Name System) root servers were being attacked. I was sitting in my dentist’s chair and missed the whole thing. When the attack was revealed the next day, I figured we got off easy.
Following the reaction has been much more entertaining than having my teeth cleaned. The theme of many of the follow-up articles is that the attack somehow failed because the operators of the root servers were able to keep the forged ICMP (Internet Control Message Protocol) “ping” packets from swamping the servers.
This is nonsense. The attack didn’t fail – the attackers merely stopped.
Few if any end users noticed a problem because a fair amount of DNS data is cached by service providers and network administrators on their own servers. Of course, if the attack had continued for a day or more, there would have been real trouble. When we’re talking about DNS, an hour’s DoS (denial of service) does not a siege make; this was just a warning shot across the bow.
So how do we keep it from happening again? That’s a good question, one which has no simple answer. After all, it’s not really feasible to have “shadow” root servers stashed in a bunker somewhere, akin to our return to the Cold War practice of maintaining a shadow government somewhere in Pennsylvania.
DNS guru Paul Vixie, who operates one of the root servers, has been quoted in various venues as proposing two solutions. But neither of them appears practical unless, of course, you’re an Internet nabob.
The first of Vixie’s proposals is simple enough: massive over-provisioning, so that the number of future targets becomes vaster than even a scripted attack can handle. Of course, this is what got many ISPs into trouble in the late ’90s, when all Wall Street cared about was the ability to absorb floods of customer traffic. Data and voice carriers will pay for that mistake for several more years.
Vixie’s second suggestion, which has been echoed elsewhere, involves securing every host that connects to the Internet. It’s a pretty good idea, but one that hasn’t been realistic for several years. Ten years ago, when the Internet was still obscure, locking out unsecured hosts might have been possible, but that opportunity vanished somewhere around 1995 or 1996.
Nevertheless, I expect that the Internet community will probably take a stab at implementing both of Vixie’s propositions. It may well be that the systems that connect to the root servers – the ones that were overwhelmed – will be beefed up and augmented in numbers to provide more redundancy. ISPs and network administrators may also decide to retain more DNS information than they now do.
In the end, the only way to prevent future DoS attacks is for ordinary users to keep their systems secure. Like flossing, that’s not something you only have to do once a week.
Connolly is a senior analyst at the InfoWorld Test Center. Contact him at [email protected].
