Firewall Wizards mailing list archives

Re: Recent Attacks


From: Drew Smith <drew () pctc com>
Date: Wed, 16 Feb 2000 12:02:22 -0800

Michael Cassidy wrote:

> At 4:03 PM -0700 2/12/00, hnd () asu edu wrote:
>> hi,
>>
>> I was just wondering that the latest attacks on the popular web sites had only
>> one objective behind them: to bring down the web sites and render them useless for the
>> period of attack. If these hackers really do want to create massive scale
>> problems why not hack the root servers?!!!!!!!  This will bring down the whole
>> internet.
>
> Bringing down a few dot.coms isn't bringing down the net or causing massive
> problems, especially for those of us that don't think the net is a retail
> store.

        You don't make any sense.  Taking out the root nameservers would bring
the entire net to its knees.  If "those of us that don't think of the
internet as a retail store" are those people that have decided that
nameservice is useless and that everyone should just memorize IP
addresses - count me out.  Nameservice is necessary for just about every
other service available, and without the root servers, nameservice
wouldn't work.  No email, no http, no streaming audio, no IRC, no ICQ,
nothing.  Period.

        Try and read a little before flaming.

        Hoshil:  You've got a real and solid question there - what exactly are
the maintainers of the root nameservers doing to make certain that this
doesn't happen?  I remember reading about a "DNS Smurf" attack on
Bugtraq - anyone have any idea what's possible to prevent something like
this?

        Is it possible to do some sort of stateful inspection to block this? 
Ahh, found the message with the advisory: 

<quote>

TESO Security Advisory
02/11/2000

Nameserver traffic amplify (DNS Smurf) and NS Route discovery (DNS
Traceroute)

Summary
===================

    Nameservers which accept and forward external DNS queries may be abused
    as traffic amplifiers, exposing a possible threat to network integrity
    by bandwidth saturation (DNS Smurf).

    A "deaf" pseudo nameserver may be used to discover the query chain a
    DNS query takes through various nameservers, allowing to make a
    traceroute like route discovery (DNS Traceroute).

</quote>

        Anyone have any clue how to protect a nameserver against this?  If I'm
reading the advisory correctly, misconfigured nameservers are used in a
chain to do bandwidth amplification, and this - hurm.  Seems like
perhaps it's just another denial of service attack, much like smurf,
that uses DNS queries as the traffic, and uses misconfigured servers to
provide that bandwidth.  So, it probably doesn't directly affect the
root nameservers, but rather, it's just another form of DoS that COULD
be used on them.

        The risk is there - anyone have any insider stuff on what's being done?

        Cheers,
        - Drew.
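
The condition the advisory summary names, a nameserver that accepts and forwards external DNS queries, can be checked by an operator against their own server. The following is an added example, not part of the original message or the TESO advisory: it classifies the reply a server gives to a recursive query sent from outside its served networks, using RFC 1035 header fields. The function names and the sample reply bytes are constructed for illustration.

```python
import struct

QR, RA, REFUSED = 0x8000, 0x0080, 5  # header flag bits and RCODE from RFC 1035

def build_query(name, qid=0x1234):
    """Minimal recursive (RD=1) A/IN query for `name`."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!2H", 1, 1)

def audit_response(query, response):
    """Judge a reply to `query` that was sent from an address outside the
    networks the nameserver is meant to serve."""
    if len(response) < 12:
        return {"verdict": "malformed", "amplification": 0.0}
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    if qid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return {"verdict": "unrelated", "amplification": 0.0}
    # Bytes returned per byte received: the amplification the server offers.
    ratio = round(len(response) / len(query), 2)
    rcode = flags & 0x000F
    if rcode == REFUSED:
        verdict = "refused"           # recursion restricted for outsiders
    elif flags & RA and rcode == 0 and ancount > 0:
        verdict = "open-recursion"    # resolved a name on an outsider's behalf
    else:
        verdict = "no-recursion"
    return {"verdict": verdict, "amplification": ratio}

# Constructed sample replies (not captured traffic).
QUERY = build_query("example.com")
_question = QUERY[12:]
_answer = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
OPEN_REPLY = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + _question + _answer
REFUSED_REPLY = struct.pack("!6H", 0x1234, 0x8105, 1, 0, 0, 0) + _question

if __name__ == "__main__":
    for label, reply in (("open", OPEN_REPLY), ("restricted", REFUSED_REPLY)):
        print(label, audit_response(QUERY, reply))
```

A server that returns the "open-recursion" verdict to outside clients is the kind the advisory describes; restricting recursion to the networks it is meant to serve changes the verdict to "refused".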


