Vulnerability Development mailing list archives

Re: A code red that could bring down the net?


From: "David R. Conrad" <david.conrad () nominum com>
Date: Tue, 24 Jul 2001 20:36:25 -0700

Hi,

At 11:25 AM 7/24/2001 +0100, Felix Harris wrote:
> 1) The Internet has a limited number of root name
> servers.

Yes, 13.  Nominum operates two (one for ISC and the other for NASA).

> This would
> mean that a DoS would have to operate until the cache expired, by
> which time the attacking hosts could have been filtered, or the root
> nameservers could have been kicked.

What you'd end up getting is a linearly increasing number of users experiencing a denial of service. Small at first, as empty caches can't get filled, increasing over time as cache entries expire. The root operators would be aware of any issues long before significant numbers of people noticed any degradation in name service.

> 2) An application can easily be created to perform a
> DOS attack on these root servers.

While I might argue "easily", it is indeed theoretically possible to come up with an application that, when used with thousands of machines, could generate a DOS effect on all 13 root name servers. The most significant risk is the bandwidth going into the root name servers (however, since many of the roots are located on IXes, ramping up bandwidth very quickly in an emergency would be feasible). With that said, I am skeptical that such an attempt could be successful long enough to have any significant effect.

> As I've said previously, DDos wouldn't work particularly well,
> because there's a lot of hosts to hit, and the root nameservers are
> fairly well maintained.

Yes. They are constantly monitored and the operators communicate among themselves.

> The next suggestion would be just a typical
> memory leaky-thingy (I love technical terms) or something along
> those lines to kill the named.

No. Root servers are authoritative only. They don't cache. Their memory footprint does not change over time, regardless of how many queries they get or what the queries are for.

Rgds,
-drc
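The cache-expiry argument in the message above, as an added example that is not part of the original post or thread: a toy Python model of a recursive resolver that caches the TLD delegations it learns from the root, with their TTL, and tracks what fraction of lookups fail while the root servers are unreachable. The `Resolver` class, the TTLs, the query mix and the outage window are all constructed assumptions for illustration; nothing here comes from the thread or from any real resolver implementation.

```python
"""Toy model of a recursive resolver's cache during a root-server outage.

Added example, not code from the mailing-list thread. It assumes a resolver
that only caches the TLD delegation (NS records) it learned from a root
server, with that record's TTL, and that a lookup needs the root whenever the
delegation for the name's TLD is absent or expired. TTLs, the query mix and
the outage window below are constructed values.
"""
from dataclasses import dataclass

HOUR = 3600


@dataclass
class Delegation:
    tld: str
    expires_at: int  # seconds since the start of the simulation


class Resolver:
    """Minimal resolver: a clock, a delegation cache and a root-reachability flag."""

    def __init__(self) -> None:
        self.now = 0
        self.cache: dict[str, Delegation] = {}
        self.root_reachable = True

    def resolve(self, name: str, ttl: dict[str, int]) -> bool:
        """Return True if the lookup can get past the root step.

        A fresh cached delegation for the TLD means no root query is needed.
        Otherwise the root must answer; if it cannot, the lookup fails.
        """
        tld = name.rsplit(".", 1)[-1]
        entry = self.cache.get(tld)
        if entry is not None and entry.expires_at > self.now:
            return True
        if not self.root_reachable:
            return False
        # Root answered: cache the delegation for its (assumed) TTL.
        self.cache[tld] = Delegation(tld, self.now + ttl[tld])
        return True


def simulate(ttl: dict[str, int], first_seen: dict[str, int],
             outage: tuple[int, int], hours: int) -> list[float]:
    """Fraction of lookups that fail in each hour.

    Every hour one lookup is made under each TLD that has been seen so far;
    the root is unreachable for hours outage[0] <= h < outage[1].
    """
    resolver = Resolver()
    curve = []
    for h in range(hours):
        resolver.now = h * HOUR
        resolver.root_reachable = not (outage[0] <= h < outage[1])
        active = [t for t in ttl if first_seen[t] <= h]
        failed = sum(not resolver.resolve(f"host.{t}", ttl) for t in active)
        curve.append(failed / len(active))
    return curve


# Constructed scenario: delegation TTLs of two days (one day for "example"),
# first lookups staggered over the first half day, roots unreachable from
# hour 36 to hour 96.
TTL = {"com": 48 * HOUR, "org": 48 * HOUR, "net": 48 * HOUR, "example": 24 * HOUR}
FIRST_SEEN = {"com": 0, "org": 6, "net": 12, "example": 0}
OUTAGE = (36, 96)


def scenario_curve() -> list[float]:
    """Hourly failure fractions for the constructed scenario."""
    return simulate(TTL, FIRST_SEEN, OUTAGE, hours=120)


if __name__ == "__main__":
    curve = scenario_curve()
    for h, frac in enumerate(curve):
        if h == 0 or frac != curve[h - 1]:
            print(f"hour {h:3d}: {frac:.0%} of lookups fail")
```

In this scenario the roots become unreachable at hour 36, but no user-visible failure appears until hour 48, when the first delegations reach the end of their TTL; the failure fraction then climbs in steps as each remaining entry expires and drops back to zero on the first lookup after the roots return. The shape of the curve is set entirely by the TTL distribution of what resolvers have cached, which is the point the message makes about operators seeing the problem long before users do.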
