Vulnerability Development mailing list archives
Re: A code red that could bring down the net?
From: "David R. Conrad" <david.conrad () nominum com>
Date: Tue, 24 Jul 2001 20:36:25 -0700
Hi,
At 11:25 AM 7/24/2001 +0100, Felix Harris wrote:
> 1) The Internet has a limited number of root name servers.
Yes, 13. Nominum operates two (one for ISC and the other for NASA).
> This would mean that a DoS would have to operate until the cache expired, by which time the attacking hosts could have been filtered, or the root nameservers could have been kicked.
What you'd end up getting is a linearly increasing number of users experiencing a denial of service. Small at first, as empty caches can't get filled, increasing over time as cache entries expire. The root operators would be aware of any issues long before significant numbers of people noticed any degradation in name service.
> 2) An application can easily be created to perform a DOS attack on these root servers.
While I might argue "easily", it is indeed theoretically possible to come up with an application that, when used with thousands of machines, could generate a DOS effect on all 13 root name servers. The most significant risk is the bandwidth going into the root name servers (however, since many of the roots are located on IXes, ramping up bandwidth very quickly in an emergency would be feasible). With that said, I am skeptical that such an attempt could be successful long enough to have any significant effect.
> As I've said previously, DDoS wouldn't work particularly well, because there's a lot of hosts to hit, and the root nameservers are fairly well maintained.
Yes. They are constantly monitored and the operators communicate among themselves.
> The next suggestion would be just a typical memory leaky-thingy (I love technical terms) or something along those lines to kill the named.
No. Root servers are authoritative only. They don't cache. Their memory footprint does not change over time, regardless of how many queries they get or what the queries are for.
Rgds,
-drc
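The cache-expiry argument in the message above can be modelled numerically. The following is an added illustration, not part of the original post: it assumes each resolver holds one cached TLD delegation with a 2-day TTL, refreshed at a uniformly random moment before the roots become unreachable, and all function names are hypothetical.

```python
import random

TLD_NS_TTL = 172_800  # assumed TTL (seconds) of a cached TLD delegation: 2 days

def remaining_lifetimes(n_resolvers=20_000, ttl=TLD_NS_TTL, seed=1):
    """Seconds of cache life left per resolver when the roots go dark.

    Assumption: each resolver refreshed its entry at a uniformly random
    moment in the preceding TTL window, so remaining life is U(0, ttl).
    """
    rng = random.Random(seed)
    return sorted(rng.uniform(0, ttl) for _ in range(n_resolvers))

def fraction_failing(remaining, elapsed, cold_fraction=0.0):
    """Share of resolvers that cannot answer `elapsed` seconds in.

    cold_fraction models resolvers that started with an empty cache and
    fail immediately; the rest fail only once their cached entry expires.
    """
    expired = sum(1 for r in remaining if r <= elapsed)
    return cold_fraction + (1.0 - cold_fraction) * expired / len(remaining)

def time_until(remaining, threshold):
    """Elapsed seconds before `threshold` of warm resolvers have failed."""
    index = min(int(threshold * len(remaining)), len(remaining) - 1)
    return remaining[index]  # `remaining` is sorted ascending

def outage_curve(remaining, ttl=TLD_NS_TTL, steps=8, cold_fraction=0.0):
    """(hours elapsed, fraction failing) sampled evenly across one TTL."""
    return [(ttl * i / steps / 3600,
             fraction_failing(remaining, ttl * i / steps, cold_fraction))
            for i in range(steps + 1)]

if __name__ == "__main__":
    lifetimes = remaining_lifetimes()
    for hours, frac in outage_curve(lifetimes, cold_fraction=0.01):
        print(f"{hours:5.1f} h  {frac:6.1%} of resolvers failing")
    print(f"5% of warm caches expired after {time_until(lifetimes, 0.05) / 3600:.1f} h")
```

Under these assumptions the failing share grows in proportion to elapsed time over the TTL, which gives operators hours of warning while only a few percent of resolvers are affected.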