False information: CEO of Verisign facts are wrong
http://news.com.com/2008-7347-5092590.html

Quotes Stratton Sclavos: "The DDOS (distributed denial-of-service) attacks last October on the root system--hey, there are 13 global copies of that, and they're all operating. It should scare people that nine of the 13 went down. It's time for the Internet infrastructure to go commercial. On the core services of the infrastructure, it's time to pull the root servers away from volunteers who run them out of a university or lab or some other level. That's going to be an unpopular decision."

This factoid has been proven false multiple times, in multiple forums over the last year. It's incredible that a CEO of a company that claims DNS expertise wouldn't know this was false. One particular "internet security" company was PINGing the root servers, and some of the root server operators turned off ping. The root servers themselves were unaffected (except maybe one operated by the US Military).

Historically, the only widespread failures have been due to NSI operators screwing up the COM or NET zone files. Historically, the other network operators have needed to pick up the load when NSI fell down.

NSI controls two root servers. Perhaps it's time to split those up among different organizations. There is no reason why NSI must operate any root name servers. NSI moved all the COM and NET zones to separate GTLD servers controlled SOLELY by NSI years ago.
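A DNS-level reachability check, added here as an example and not part of Sean's post: a root server with ICMP switched off still answers queries, so a monitor should send the query it actually cares about (NS for the root zone) and count a probe as lost only when no usable answer comes back. The 192.0.2.1 address is a documentation placeholder and constructed_reply is an offline stand-in for a server, used so the probe logic can be exercised without network access.

```python
import random
import socket
import struct
import time

def build_query(qname=".", qtype=2, txid=None):
    """Encode a minimal DNS query; defaults to NS records for the root zone."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags 0: RD clear
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".") if l)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_response(data, txid):
    """Return (rcode, answer_count); raise ValueError if the reply is not ours."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return flags & 0x000F, an

def udp_send(server, payload, timeout):
    """Live transport: one datagram to UDP/53, one reply or a timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (server, 53))
        return s.recv(4096)

def constructed_reply(payload, answers=13):
    """Offline stand-in for a server (constructed): echoes the query id back."""
    txid = struct.unpack("!H", payload[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8100, 1, answers, 0, 0) + payload[12:]

def probe(server, send=udp_send, timeout=2.0, txid=None):
    """One DNS-level probe; 'lost' means no usable answer arrived in time."""
    txid = random.randrange(0x10000) if txid is None else txid
    query = build_query(txid=txid)
    t0 = time.monotonic()
    try:
        rcode, answers = parse_response(send(server, query, timeout), txid)
    except (OSError, ValueError) as exc:  # timeout, ICMP unreachable, bad reply
        return {"server": server, "status": "lost", "reason": str(exc), "rtt_ms": None}
    rtt_ms = round((time.monotonic() - t0) * 1000, 1)
    status = "ok" if rcode == 0 and answers > 0 else "bad-answer"
    return {"server": server, "status": status, "answers": answers, "rtt_ms": rtt_ms}

if __name__ == "__main__":
    # Placeholder address; use an address from the current root hints to probe for real.
    print(probe("192.0.2.1", timeout=1.0))
```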
This factoid has been proven false multiple times, in multiple forums over the last year. It's incredible that a CEO of a company that claims DNS expertise wouldn't know this was false. One particular "internet security" company was PINGing the root servers, and some of the root server operators turned off ping. The root servers themselves were unaffected (except maybe one operated by the US Military).
It might be a matter of interpretation. According to http://d.root-servers.org/october21.txt:

2.1. Some root name servers were unreachable from many parts of the global Internet due to congestion from the attack traffic delivered upstream/nearby. While all servers continued to answer all queries they received (due to successful overprovisioning of host resources), many valid queries were unable to reach some root name servers due to attack-related congestion effects, and thus went unanswered.

While I'm not trying to act as Sclavos' apologist, I think you have to be careful about how you respond to this particular claim of his. You can't dismiss it out of hand. Misleading? Yes. Flat out false? You'd have to be more convincing.
On Fri, 17 Oct 2003, Mark Boolootian wrote:
This factoid has been proven false multiple times, in multiple forums over the last year. It's incredible that a CEO of a company that claims DNS expertise wouldn't know this was false. One particular "internet security" company was PINGing the root servers, and some of the root server operators turned off ping. The root servers themselves were unaffected (except maybe one operated by the US Military).
It might be a matter of interpretation. According to http://d.root-servers.org/october21.txt:
2.1. Some root name servers were unreachable from many parts of the global Internet due to congestion from the attack traffic delivered upstream/nearby. While all servers continued to answer all queries they received (due to successful overprovisioning of host resources), many valid queries were unable to reach some root name servers due to attack-related congestion effects, and thus went unanswered.

While I'm not trying to act as Sclavos' apologist, I think you have to be careful about how you respond to this particular claim of his. You can't dismiss it out of hand. Misleading? Yes. Flat out false? You'd have to be more convincing.
Can Sclavos prove that the same thing did not happen to Verisign's root servers?

bye,
ken emery
http://d.root-servers.org/october21.txt:
2.1. Some root name servers were unreachable from many parts of the global Internet due to congestion from the attack traffic delivered upstream/nearby. While all servers continued to answer all queries they received (due to successful overprovisioning of host resources), many valid queries were unable to reach some root name servers due to attack-related congestion effects, and thus went unanswered.

While I'm not trying to act as Sclavos' apologist, I think you have to be careful about how you respond to this particular claim of his. You can't dismiss it out of hand. Misleading? Yes. Flat out false? You'd have to be more convincing.
Can Sclavos prove that the same thing did not happen to Verisign's root servers?
no. first, because it's impossible to prove a negative. second and more so, because rob thomas and other public root server monitors showed congestion and loss toward a-root and j-root during that attack, depending on where they were coming from. that was true of all 13 server addresses, and the question is one of impact and degree, not one of 9 vs 13.

but that's not even relevant. a ddos is as much an attack on its roads as on its destination. if there's a DS3 bottleneck somewhere between a querier and a responder, and if that DS3 has to carry more than ~45Mbits/second of ddos traffic due to the placement of attacking drones, then that querier is going to experience congestion and loss toward that responder. it makes no difference how much money is spent on the endpoints; there's no way to upgrade OPN's (other people's networks). that's why ultradns, and nominum before that, and several root server operators, are using anycast routing. (and even with anycast there can still be path congestion/loss, but those effects will be more isolated than without anycast.)

by casting robustness in terms of investment, sclavos in his interview blurred three important points. first, that point-source investment cannot scale as well as multipoint investment -- i'm sure that more money is spent on f-root than on j-root, it's just that there are now 15 companies worldwide doing the paying, and we don't have a way to account for it. secondly, there have been many cases where less total investment in a root name server has led to higher observed robustness -- so investment isn't a direct issue. finally, sclavos described their investment in their gtld servers and then acted as if this investment had been solely for the benefit of their a-root and j-root servers, which is not the case at all.

all in all a most disappointing exposition.

-- Paul Vixie
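Vixie's roads-versus-destination argument as a small model, added here as an example and not part of his post: a flood is charged against every link it crosses, a querier gets through only if every link on its path does, and a link drops whatever exceeds its capacity. The regions, drone placement, link names and capacities are constructed; the unicast layout funnels every region through one transit DS3 in front of a 1 Gbit/s server uplink (endpoint money that cannot fix the DS3), while the anycast layout keeps each region on its own uplink so loss stays where the drones are.

```python
from collections import defaultdict

DS3_MBPS = 45.0  # a DS3 carries ~45 Mbit/s, the bottleneck figure in Vixie's post

def loss_fraction(offered_mbps, capacity_mbps):
    """Share of packets a link drops once offered load exceeds its capacity."""
    if offered_mbps <= capacity_mbps:
        return 0.0
    return (offered_mbps - capacity_mbps) / offered_mbps

def simulate(queriers, drones, paths, capacity=None):
    """Worst-case query loss per querier when a flood shares its links.

    queriers: {querier: region}        drones: {region: attack Mbit/s}
    paths:    {region: [link, ...]}    links crossed to reach the nearest instance
    capacity: {link: Mbit/s}, any link not listed is a DS3
    Simplification: drops upstream do not thin the flood on downstream links.
    """
    capacity = capacity or {}
    load = defaultdict(float)
    for region, mbps in drones.items():
        for link in paths[region]:
            load[link] += mbps
    lost = {}
    for querier, region in queriers.items():
        delivered = 1.0
        for link in paths[region]:
            delivered *= 1.0 - loss_fraction(load[link], capacity.get(link, DS3_MBPS))
        lost[querier] = round(1.0 - delivered, 3)
    return lost

# Constructed topology: three regions, attacking drones concentrated in "east".
REGIONS = ["east", "west", "europe"]
DRONES = {"east": 60.0, "west": 5.0, "europe": 5.0}
QUERIERS = {"q-east": "east", "q-west": "west", "q-eu": "europe"}
# Unicast: every region funnels through one transit DS3 to a single, lavishly
# provisioned server uplink (1 Gbit/s); the endpoint spend cannot upgrade the DS3.
UNICAST = {r: [f"{r}-uplink", "transit-ds3", "server-uplink"] for r in REGIONS}
ENDPOINT_CAPACITY = {"server-uplink": 1000.0}
# Anycast: each region reaches a local instance over its own uplink only.
ANYCAST = {r: [f"{r}-uplink"] for r in REGIONS}

if __name__ == "__main__":
    print("unicast:", simulate(QUERIERS, DRONES, UNICAST, ENDPOINT_CAPACITY))
    print("anycast:", simulate(QUERIERS, DRONES, ANYCAST))
```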
oops! vixie@vix.com (me) wrote:
... that's why ultradns, and nominum before that, and several root server operators, are using anycast routing.
i meant "ultradns, and nominum before they sold their dns ops biz to ultradns". obviously ultradns was doing it before nominum was doing it. sorry rodney. sloppy editing.

-- Paul Vixie
----- Original Message -----
From: "Sean Donelan" <sean@donelan.com>
To: <nanog@merit.edu>
Sent: Friday, October 17, 2003 8:26 AM
Subject: False information: CEO of Verisign facts are wrong
http://news.com.com/2008-7347-5092590.html
Quotes Stratton Sclavos: "The DDOS (distributed denial-of-service) attacks last October on the root system--hey, there are 13 global copies of that, and they're all operating. It should scare people that nine of the 13 went down. It's time for the Internet infrastructure to go commercial. On the core services of the infrastructure, it's time to pull the root servers away from volunteers who run them out of a university or lab or some other level. That's going to be an unpopular decision."
Methinks that one comment is going to make them even more hated than Microsoft or SCO (who both rank right up there with being universally despised on the Internet). They are digging themselves a grave that's a few miles deep. Let's hope ICANN sees this and makes the right decision on how to deal with this growing problem.

I'm going to play journalist for a while and make some calls. I'll let you know what kind of 'official' statements I can drag out of these idiots.

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org ICQ: 8077511
I'm going to play journalist for a while and make some calls.
Ok, first part of my mission is a success. I spoke with a Jim Hock from Bite Communications (Verisign's PR firm), very nice conversation, started out with Verisign's concerns, then we spoke a little bit on the issues people have brought up here. He will be communicating with me over the next week or so, as well as putting me in touch with some technical people there.

So here is where I need your guys' help. Put together a list of questions, comments, etc. that you feel are appropriate (about the general issues of Verisign, its implementation of SiteFinder, its handling of the root servers, and other things of importance) in an e-mail to me and send it off. I'll compile a list of questions and pose them to the people I talk to. Don't worry, unless you ask me to, I won't mention who these questions are from.

I'm not siding with Verisign on this issue - not by far. But one thing that I discussed with my admins today was the need for better communication between Verisign and the tech community. Thus, I'm going to put aside my misgivings about the past with them and try to hopefully open a worthwhile dialog between everyone who wants to be heard. Verisign has admitted they made mistakes in their handling of the issue, and it sounds like they want to try to do things right this time. ICANN has a job to do, and I'm sure they will do the right thing, but there is a rift forming between the community and Verisign, and that's not going to help the situation at all.

You all may not like me, or agree with me, but this is hopefully an opportunity where you can get some of your voices heard outside of an official process like the SECSAC, and that might result in a better understanding on both sides. I will of course keep everyone who wants to know up on how things are going and what I talk about with them, and you are all welcome to comment to me about anything. The worst that can happen is that we get nowhere with talking and everyone is still divided with nothing accomplished.

But, here's to hoping that something good might come out of this.

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org ICQ: 8077511
Sean,

SD> Historically, the only widespread failures have been due to NSI operators
SD> screwing up the COM or NET zone files. Historically, the other network
SD> operators have needed to pick up the load when NSI fell down.

SD> NSI controls two root servers. Perhaps it's time to split those up among
SD> different organizations. There is no reason why NSI must operate any
SD> root name servers. NSI moved all the COM and NET zones to separate GTLD
SD> servers controlled SOLELY by NSI years ago.

Hmmm. Let's see. Verisign spreads its public relations message aggressively among the media, and those countering their errors talk on nanog, or equivalent.

In case no one has noticed, Verisign has been quite successful in getting the media to cast the issues (e.g., "prevention of innovation") in terms that Verisign is promoting.

Discussion on nanog might feel good, but it does not affect the public relations campaign that Verisign is conducting.

d/
--
Dave Crocker <dcrocker-at-brandenburg-dot-com>
Brandenburg InternetWorking <www.brandenburg.com>
Sunnyvale, CA USA <tel:+1.408.246.8253>