From: Paul Vixie <vixie@vix.com>
mike@sentex.net (Mike Tancsa) writes:
... Still, I think the softest targets are the root name servers. I was glad to hear at the Toronto NANOG meeting that this was being looked into from a routing perspective. Not sure what is being done from a DoS perspective.
I think the gtld-servers.net are the target for a globally disruptive and prolonged DDoS. Servers doing reverse lookup might also be targets in more specialised attacks, as their disruption would be continent-wide rather than merely country-wide (like most forward lookups). Paul obviously has the experience to tell me if I'm crazy, but I would guess the "." zone probably isn't that large in absolute terms, so large ISPs (NANOG members?) could arrange for their recursive servers to act as private secondaries of ".", thus eliminating the dependence on the root servers entirely for large chunks of the Internet user base. To set up such a backup plan during a DDoS against the root name servers might be challenging, but it isn't impossible; it would also stop large ISPs' DNS servers forwarding daft queries onto the root DNS servers, thus lowering the load on the root servers when they need it most! So whilst the root servers make the obvious target, they are also in some ways a relatively easy target to move, or expand in number. I think private secondaries are a better bet than new root servers, as that would require trusting less experienced admins with all of the Internet's DNS, rather than just ISP users trusting their ISP (which they do implicitly already). I think the kinds of zones being handled by the gtld-servers would be harder to relocate, if only due to size; although the average NANOG reader probably has rather more bandwidth available than I do, they may not have the right kind of spare capacity on their DNS servers to secondary ".com" at short notice.
Now that we've seen enough years of experience from Genuity.orig, UltraDNS, Nominum, AS112, and {F,K}.root-servers.net, we're seriously talking about using anycast for the root server system.
We have even more experience at zone transfers with DNS, and it doesn't require complicating anything lower than layer 7, which has an appeal to me, and I suspect most ISPs, who probably have enough trouble keeping BGP in order. All I think root server protection requires is someone with access to the relevant zone to make it available through other channels to large ISPs. There is no technical reason why key DNS infrastructure providers could not implement such a scheme on their own recursive DNS servers now, and it would offer to reduce load on both their own and the root DNS servers and networks. Other DNS admins could change their caching servers to forward to their ISP's name servers - and whilst forwarding might be frowned on by the DNS community, the hierarchical caching model is typically faster than the current approach, and more scalable, if potentially less secure (poisoning of a tier in the hierarchy is bad news - theoretically we lose some redundancy, although forward-first might address that, and some current DNS server implementations do not support this model as well as they could - undoubtedly such a scheme would lead to more small disruptions but presumably avoid the "one big one" being discussed). The single limiting factor on implementing such an approach would be DNS know-how, as whilst it is probably a two-line change for most DNS servers to forward to their ISP's DNS server (or zone transfer "."), many sites probably lack the in-house skills to make that change at short notice. In practical terms I'd be more worried about smaller attacks against specific CC domains; I could imagine some people seeing disruption of "il" as a more potent (and perhaps less globally unpopular) political statement than disrupting the whole Internet. Similarly, an attack on a commercial subdomain in a specific country could be used to make a political statement, but might have significant economic consequences for some companies.
Attacking 3 or 4 servers is far easier than attacking 13 geographically diverse, well networked, and well protected servers. Similarly, I think many CC domains, and country-based SLDs, are far more "hackable" than many people realise due to the extensive use of out-of-bailiwick data, as described by DJB. At some point the script kiddies will realise they can "own" a country or two instead of one website, by hacking one DNS server, and the less well secured DNS servers will all go in a week or two.
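The out-of-bailiwick point in the last message is something you can measure rather than guess at: for every delegated zone, which of its name servers live inside the zone, which live elsewhere, and which other zones therefore have to stay up (and honest) for it to resolve at all. The Python below is an added example written for this page; it is not code from the thread, from DJB, or from any of the operators named above. It runs over a constructed, clearly fake set of NS records (the zone names are the RFC 2606 reserved names example., test. and invalid., not real TLD data) and reports, per zone, the in-bailiwick and out-of-bailiwick servers, the zones it depends on, and a flag for zones with no in-zone server at all, which is the "hack one DNS server, own a country" case. Feed it a real root zone (or any delegation dump) in the same `zone NS host` shape to get the real picture. (The "private secondary of ." idea from the earlier messages was eventually written up as RFC 8806; this example addresses the bailiwick question instead.)

```python
"""
Delegation dependency check: which zones rely on name servers that live
outside the zone itself (out-of-bailiwick NS records)?

Added example, not part of the original mailing-list thread. The input is
a constructed list of NS records in zone-file style; example., test. and
invalid. are RFC 2606 reserved names, so none of this is real TLD data.
"""
from collections import defaultdict

# Constructed sample delegations (NOT real root-zone contents).
SAMPLE_NS_RECORDS = """\
; zone        type  name server
example.      NS    a.nic.example.
example.      NS    b.nic.example.
test.         NS    ns1.dns.example.
test.         NS    ns2.dns.example.
invalid.      NS    ns.invalid.
invalid.      NS    ns1.dns.example.
"""


def canonical(name: str) -> str:
    """Lower-case the name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_ns_records(text: str) -> dict:
    """Parse 'zone NS host' lines into {zone: {host, ...}}; ';' starts a comment."""
    delegations = defaultdict(set)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        zone, rtype, host = line.split()
        if rtype.upper() != "NS":
            continue  # only delegation records matter here
        delegations[canonical(zone)].add(canonical(host))
    return dict(delegations)


def in_bailiwick(host: str, zone: str) -> bool:
    """True if host is at or below zone; everything is below the root '.'."""
    host, zone = canonical(host), canonical(zone)
    if zone == ".":
        return True
    return host == zone or host.endswith("." + zone)


def parent_zone(host: str, zones):
    """Longest delegated zone in `zones` that contains host, or None."""
    best = None
    for zone in zones:
        if in_bailiwick(host, zone) and (best is None or len(zone) > len(best)):
            best = zone
    return best


def analyze(delegations: dict) -> dict:
    """For each zone, split its NS set and name the other zones it depends on."""
    report = {}
    for zone, hosts in delegations.items():
        inside = {h for h in hosts if in_bailiwick(h, zone)}
        outside = hosts - inside
        depends_on = {parent_zone(h, delegations) for h in outside} - {None}
        report[zone] = {
            "in_bailiwick": inside,
            "out_of_bailiwick": outside,
            "depends_on": depends_on,
            # No in-zone server at all: disrupting or compromising the zones
            # in depends_on is enough to take this zone off the air.
            "fully_external": not inside,
        }
    return report


def transitive_dependencies(zone: str, report: dict) -> set:
    """Every zone that must be reachable (and honest) for `zone` to resolve."""
    seen, todo = set(), [zone]
    while todo:
        current = todo.pop()
        for dep in report.get(current, {}).get("depends_on", ()):
            if dep != zone and dep not in seen:
                seen.add(dep)
                todo.append(dep)
    return seen


if __name__ == "__main__":
    rep = analyze(parse_ns_records(SAMPLE_NS_RECORDS))
    for zone, r in sorted(rep.items()):
        flag = "  <-- ALL NS OUT OF BAILIWICK" if r["fully_external"] else ""
        print(f"{zone:10} in={len(r['in_bailiwick'])} out={len(r['out_of_bailiwick'])} "
              f"depends_on={sorted(r['depends_on'])} "
              f"transitive={sorted(transitive_dependencies(zone, rep))}{flag}")
```

On the constructed data, test. has no server under test. at all and rests entirely on example., while invalid. keeps one in-zone server and so survives the loss of example. with reduced redundancy. The `transitive_dependencies` walk matters for real data, where a ccTLD's servers sit under a second TLD whose own servers sit under a third.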