nanog mailing list archives

Re: The weak link? DNS


From: "Matt Buford" <matt () overloaded net>
Date: Wed, 26 Mar 2003 14:59:53 -0500


I can not go into details, but suffice it to say DNS was just a symptom of
other events, not the problem itself.  DNS TTL on the global load balancing
system was at 5 seconds and DNS load never rose above trivial.

----- Original Message -----
From: "Sean Donelan" <sean () donelan com>
To: <nanog () merit edu>
Sent: Wednesday, March 26, 2003 4:09 AM
Subject: The weak link? DNS



Watching the Iraqi Uruklink and Al Jazeera over the weekend, what struck
me is how many different ways network administrators can mess up.
Although malicious actors have been trying (and succeeding) to exploit
vulnerabilities, the worst problems seem to be self-inflicted.

Administrators had used firewalls and locked down their web sites,
sometimes so well they couldn't handle the traffic load.

But the real weak link was their DNS servers.

For example, Al Jazeera had the time-to-live of their domain records set
to 15 minutes, making them even more vulnerable to increasing the load
on their systems.  Of course, Al Jazeera had other problems too.

What's even stranger about the Iraqi state provider Uruklink.net is that the DNS
servers are now self-identifying with earlier (with known bugs) versions
of BIND.  Last week the Uruklink name server 62.145.94.1 was running
8.2.2-P5, but now is running 8.1.2.  Although the web site for
www.uruklink.net is up, DNS lookups for www.uruklink.net return various
other IP addresses (not in 62.145.94.0/24).  Including some addresses
running web sites claiming the site is "owned." In reality, the site
isn't owned, you are being redirected to an unrelated web site.



