Verisign Hides A Root Server

from the now-we're-playing-hide-and-seek? dept

Verisign has decided that having two of the root servers in the same building on the same network makes it more likely that a denial of service attack would knock them both out, and so they’ve moved one to an undisclosed location and put it on a different network. While this is getting a lot of press, I doubt it does very much to help protect the server. Its physical location doesn’t much matter when the denial of service attack comes in.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Verisign Hides A Root Server”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: It's not just about physical DoS

Separating the two machines makes sense for more reasons than just the possibility of a physical attack on the machine(s) in question. If the two are in different physical locations, they likely will connect to the rest of the Internet via different physical connections. This means two things:

First, physical attacks, or just physical plant accidents like a fire in a wiring closet or a construction crew digging up a trunk cable, are less likely to take down multiple machines.

Second, since one of the points of a network DOS attack is to saturate the target’s link to the rest of the network, two machines with separate links to the network are more resistant to some attacks than two machines that share a link to the network. Moving to a new physical location most likely has the effect of making them use two different links, and is possibly easier/quicker/cheaper than running a whole bunch of duplicate cable, switching equipment, etc. to the common location.

The physical distribution of the root servers and the large number of them compared to the demand on them, has set a fairly low bar for their security. But now that we know that a DOS can get us within just one or two machines of crippling the network, the cost/benefit ratio changes, and we have to consider more, and more unlikely, vulnerabilities. It’s still certainly possible to overdo it, but it’s not necessarily unreasonable to take more precautions than we used to take.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...