Three Root Servers Knocked Out By Attacks; Internet Keeps On Ticking
from the is-that-all-you've-got? dept
There’s been some fear in the past about the fact that a key part of keeping the internet running, the core “root servers,” are somewhat vulnerable. There are only 13 root servers, and taking them all out would cause quite a problem. So far, though, attacks have been unable to do so. Nearly five years ago, all 13 were attacked, taking out seven or eight of them for a period of time — though the others picked up the slack and there were no noticeable problems. The latest story is that some sort of attack from hackers took down three of the servers, the biggest attack since the ones in 2002. Some of the attacks went on as long as 12 hours. Again, there was no noticeable impact for most users. However, the question is being raised again about whether using just 13 root servers is really safe. A few years back, there was a suggestion that it might be a lot safer to set up some sort of peer-to-peer system to better distribute the root servers among many more machines. It doesn’t seem like that idea got much traction (and it certainly has its downsides as well), but it will be interesting to see if the latest attacks get people discussing this question once again, and whether or not they have any creative solutions.
Comments on “Three Root Servers Knocked Out By Attacks; Internet Keeps On Ticking”
Answer
Here’s a creative solution: Find the party(s) responsible and kick the living hell out of them!
There's more than just
Mike,
There actually is more than 13 root nameservers — in fact there are multiples of 13. I think where people get confused is they read about the “a” root server, the “b” root server, and so on,, through the “m” root server. Well, there are multiples of each of these, geographically placed and multicast synchronized.
More information can be found here:
http://www.cymru.com/monitoring/dnssumm/index.html
Cheers,
– ferg
Probably impractical by all means, but consider wh
IF there’s only 13 of these servers (and i imagine they mean warehouses full of equipment) why not dupe them and keep them all on standby? With as much as the human race has made the internet an integral part of their lives, you’d think a surefire backup plan would already be in effect. However, if it’s true they really only need about 5-8 to keep things running smoothly, then maybe they’ve already taken some preemptive measures.
Personally I’d host 1 server as a geuinea pig and let everyone in the world try and bring it down, those who’re successful give them $1,000 to have them show you what flaws have been overlooked. Maybe not something that “simplistc,” but a similar system to stress test the equipment against possible outside attacks would seem to be at the very least a good place to start.
wow
I never knew about these supposed 13 servers. I never knew that the Internet had such a focused core. Interesting. It’s sad that there are people corrupt enough to want to disrupt this wonderful phenomenon. Oh well. Crying about it won’t get me anywhere. LONG LIVE THE INTERNET!
Core servers? I just assumed that the internet was made up of interconnected servers (one for each domain). I am so n00b.
Forgive me.
Re: Buzz and Anonynoob
I never knew about these supposed 13 servers. I never knew that the Internet had such a focused core.
and…
Core servers? I just assumed that the internet was made up of interconnected servers (one for each domain).
The words “Client” and “Server” are more like concepts than physical machines. A “client” requests information or services from another machine called a “Server”. A “Server” provides that information or service. Any device connected to the internet can be either, and quite often both. “Peer to Peer” or “P2P” is a situation where a machine is both client and server for the same type of service or information.
That said, there are millions of servers on the internet. There are thousands alone that respond to the address http://www.google.com/, for instance (making multiple machines answer a single name is called clustering – this will be important later). The servers spoken of here, though, are a special type of server providing a special type of information – Domain Name Resolution.
Computers think in numbers. Each device on the internet has an IP address, often expressed as 4 3-digit numbers seperated by periods (255.255.255.255). This represents a 32-bit number providing a little over 4 billion possible addresses. Your computer finds another computer – like TechDirt or Google – by its numerical address.
Domain Name Resolution is sort of like the phone book your computer uses to find the numerical address it should go to when you ask for Google.
Let’s look at how to read a domain name. Every period indicates a new heirarchial level and a new Zone of Authority. Reading the domain name from right to left takes you from the trunk all the way out to your destination. “www.google.com” is in the top-level domain (or TLD) “com”, in which is the domain “google”, in which is a machine called “www”.
The objective for DNS is to find the authoritative name server for your request. Your web browser sends the request to your ISP’s name servers, which send the request up the tree until they find a server that can say with authority where Google’s nameservers are. NOT where Google’s machine “www” is, but where its nameservers are.
The machines that do this are the TLD name servers, or the root name servers, of which there are 13 clusters, each with hundreds of machines.
If you take out these root servers, you have taken out the top level of authority that directs you to Google’s nameservers. Google’s machines will probably still be running, but if you can’t find them that doesn’t do you a lot of good. The attack was essentially aimed at the trunk of a heirarchial tree. Like any tree, if you do enough damage to the trunk, the whole thing falls over.
This does not make the internet stop working. It will probably make it nearly unusable for common end users, but all of those numeric addresses I talked about before? They’re still there, and they are what really make things talk to each other. If you happen to know Google’s IP address, then you can still use Google, for instance.
So, yeah – that should give you a better idea of what’s going on. Keep in mind that I’ve glossed over some points, ignored others, and possibly blantantly misrepresented one or two, but essentially this is what’s going on.
Re: Re: Buzz and Anonynoob
Good post Dosquatch.
Re: Re: Re: Buzz and Anonynoob
i concur… nice to read such a concise synopsis.
The article is somewhat confusing to people with no DNS knowledge; who apparently assume those 13 nameservers are the entire internet. Assuming a worst case scenario, you could still navigate using IP addresses.
As pointed out before, there are more than 13 root nameservers. The 13 letters exist in different locations in different continents, using unicast for decentralization.
Why was there no noticable difference for most users? DNS requests get cached somewhere along the way and you rarely end up querying the root servers; and many more ‘root’ nameservers can fill up the gap.
No mention of anycast
The original article is very bad and displays a lot of ignorance. There are far more than 13 *machines* since they are replicated and reachable by BGP anycast (see RFC 4786) and often, at each site, there are several machines behind a load-balancer.
See http://www.root-servers.org/ for details and the complete list of the sites.
long live google
66.102.7.104 is all we need!
So who did this?
My speculation is that this event was a test by the Chinese military. I’m sure they would like to have a firm idea as to the amount of effort it would take to bring down the internet. It isn’t hard to imagine that they would find it useful to be able to remove this form of communication should the “need” arise. Of course the same could be said of the US military…
CTFO
He said 13 Root Servers. Not 13 DNS servers in the entirety of the internet. I am not saying whether or not there are more (I have no idea), but some people didn’t make the distinction.
And even though very few of the total requests go to the root servers, and as nice as it is to think that the internet would still technically function without any DNS/domains at all, using IP addresses, this is simply not true.
The LARGE majority of internet users have no idea what an IP address is, how to use it, or how to find it. In fact, it has become quite obvious that many people don’t even know what a URL is, or how to use an address bar. As is indicated by people searching for “google” on yahoo. Even homepages are set by domain. So effectively, without DNS, for millions and millions of users, the internet would be broken.
h4x0rs
Do these guys necessarily deserve to be punished? Isn’t it quite possible this is being done to test the strength of the security on these servers, (ie. ethical hacking)?
I could be out of line here, but why the rush to condemn them?
Re: h4x0rs
Yes, and Lee Harvey Oswald was just testing the effectiveness of the Secret Service.
And the 9/11 terrorists were just testing the structural integrity of our skyscrapers.
Re: Re: h4x0rs
lol…
Re: Re: h4x0rs
Just asking a question, no need for sarcasm.
I would be really surprised if this type of attack were to ever be completely successful. Unless some certain folks completely fall asleep at the switch.
this is why we have caches and local domain name servers in the first place. other wise the local computer would just contact the root server directly. The local domain name servers store information about domains so the majority of the internet would continue to function for a relativly long time even if all of the root servers were taken out. If you did want to have an quick and effective attack on the internet, attacking the root servers would not be the way to do it.
Re: Re:
The local domain name servers store information about domains so the majority of the internet would continue to function for a relativly long time even if all of the root servers were taken out.
This isn’t quite true either. It is true that your local DNS caches lookups, and will serve from the cache directly if it has an entry. It has to refresh that entry from time to time, though, based on the “time to live” (TTL) dictated by the authoritative server for the query (meaning Google’s, or TechDirt’s, or whatever – not yours). Your server will refresh from its upstream server, which will refresh from its upstream server. Eventually everything leads back to the TLD. If the TLD is gone, the refresh doesn’t happen.
The effects would start showing immediately, and DNS would effectively die somewhere around the median TTL set by servers worldwide. That’d be about 1 to 2 days.
Re: Re: Re:
absolutly right, I guess I implied to much there. Notice I said relativly long time. 1 or 2 days is a long time in internet time and I doubt any kind of attack would take out all of them for that long.
Re: Re: Re: Re:
I would assume that if a catastrophic failure of the root servers were to happen, then the majority of the local DNS servers would continue to serve off of the current database that they have… this would in turn allow users to be directed to any existing DNS entries, but users wouldn’t be able to see any updates until the connection to the root servers is restored.
13 roots but duplicate sites
The authority would be http://www.root-servers.org/
Of course, the net was originally designed to avoid
a single point failure (from nuclear war.)
server??
if the servers are broken up like that why dont they simply force all porn etc to use one type or one ending say .xxx so it can be blocked with any simple content filter?
Re: server??
you can’t control porn… plain and simple.
One thing not mentioned that I was wondering about. The RSA Conference is happening this week, kicked off Monday. I wonder if this was planned to happen while all of the top security people were together. Kind of a “hey look at what we can do?”