http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html

The heart of the Internet sustained its largest and most sophisticated attack ever, starting late Monday, according to officials at key online backbone organizations.

> http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html
> The heart of the Internet sustained its largest and most sophisticated attack ever, starting late Monday, according to officials at key online backbone organizations.

when uunet or at&t takes many customers out for many hours, it's not a problem

when an attack happens that was generally not even perceived by the users, it's a major disaster

i love the press

randy
But the press learned long ago the more isolated an incident is to the average consumer, the more horrific they can make it sound without scaring anyone personally. Appealing to the "glad that wasn't me!" emotion that also causes slowdowns around every wreck on the road and live coverage of police pursuits, your chance to see the horror from the comfort of your air-conditioned land yacht/armchair. :)

Best regards,
_________________________
Alan Rowland
Former member of the fourth estate.

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Randy Bush
Sent: Tuesday, October 22, 2002 3:54 PM
To: Sean Donelan
Cc: nanog@merit.edu
Subject: Re: WP: Attack On Internet Called Largest Ever
>> http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html
>> The heart of the Internet sustained its largest and most sophisticated attack ever, starting late Monday, according to officials at key online backbone organizations.
>
> when uunet or at&t takes many customers out for many hours, it's not a problem
>
> when an attack happens that was generally not even perceived by the users, it's a major disaster
>
> i love the press
>
> randy
On Tue, 22 Oct 2002, Randy Bush wrote:

:when an attack happens that was generally not even perceived by the
:users, it's a major disaster
:
:i love the press

A close read of the article shows that the quotes are actually moderate and accurate, it's just the reporting style that is breathless and suggestive.

Honestly, if it was CNN or Fox reporting, we would have seen an epic Geraldo Rivera special, standing outside Al Gore's office with an excavation team waiting to sift through the rubble of the Internet for clues to the whereabouts of Bin Laden, with hourly updates and opinion from various Survivor contestants. There are worse things.

I get a number of regular briefings regarding these sorts of things, and sadly, many of them are taken from press reports. To many executives, it doesn't matter what actually happened, as much as who said it happened, and how large an expenditure they said we can justify to our investors to mitigate the threat.

The only useful recommendations I can think of to give to regular users would be to increase the TTL's on their zones to longer than a day if they are worried about root servers making their domains unresolvable, maybe expect occasional delays in name resolution when surfing the net, and to remind them to ensure their machines are locked down.

Any others?

-- batz
On Tue, 22 Oct 2002, batz wrote:
> The only useful recommendations I can think of to give to regular users would be to increase the TTL's on their zones to longer than a day if they are worried about root servers making their domains unresolvable, maybe expect occasional delays in name resolution when surfing the net, and to remind them to ensure their machines are locked down.

Last year I tried to explain to several people the most critical part of DNS is the part closest to you. The attention on the root servers is distracting folks from where the problems actually are. For most users, their local caching infrastructure is more important. Most used names are likely to still be in the cache, assuming people aren't using tiny-TTL load balancing. DNS clients "need" to communicate with root servers infrequently. CAIDA (http://www.caida.org/projects/dns-analysis/) data measurements show an average (50th-percentile) DNS client contacts the root name servers less than 8 times in a week.
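The caching argument in the message above, as an added example that is not part of the original thread: a toy model of a caching resolver riding out a root-server outage. The names, query workload and outage windows are constructed; the model assumes TLD and authoritative servers stay reachable and uses the 172800-second TTL carried by TLD delegations in the root zone.

```python
# Added example: toy caching-resolver model. Workload and outage are constructed.
TLD_NS_TTL = 172_800  # seconds; TTL of TLD delegations in the root zone


def simulate(queries, outage, tld_ttl=TLD_NS_TTL):
    """queries: iterable of (time_s, name, record_ttl_s), sorted by time.
    outage: (start_s, end_s), half-open window when no root server answers.
    Assumes TLD and authoritative servers are always reachable.
    Returns counts of cache hits, root contacts and failed lookups."""
    records = {}      # name -> expiry time of the cached answer
    delegations = {}  # tld  -> expiry time of the cached TLD NS set
    stats = {"hits": 0, "root_contacts": 0, "failed": 0}
    for now, name, ttl in queries:
        if records.get(name, -1) > now:
            stats["hits"] += 1            # answered from the local cache
            continue
        tld = name.rsplit(".", 1)[-1]
        if delegations.get(tld, -1) <= now:
            if outage[0] <= now < outage[1]:
                stats["failed"] += 1      # root needed but unreachable
                continue
            stats["root_contacts"] += 1   # referral fetched from a root server
            delegations[tld] = now + tld_ttl
        records[name] = now + ttl         # answer fetched below the root
    return stats


def workload(record_ttl, hours=72):
    """Constructed workload: one query per minute, round-robin over 3 names."""
    names = ("www.example.com", "mail.example.org", "news.example.net")
    return [(t, names[(t // 60) % len(names)], record_ttl)
            for t in range(0, hours * 3600, 60)]


if __name__ == "__main__":
    cases = {
        "1h outage on day 2, 5 min record TTL": (300, (86_400, 90_000)),
        "1h outage spanning delegation expiry, 5 min TTL": (300, (171_000, 174_600)),
        "same outage, 3 day record TTL": (259_200, (171_000, 174_600)),
    }
    for label, (ttl, outage) in cases.items():
        print(f"{label}: {simulate(workload(ttl), outage)}")
```

Only the second case produces failures: the outage has to overlap the moment a cached delegation expires, and a long record TTL hides even that.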
Root servers wouldn't make their zones unavailable. Losing the root servers would make their parent zones unavailable. end users should worry about their local name servers and the TTL's for them. Please make sure you understand the difference between Root-Servers and Non-Root Servers. It's important

john brown
Le Geek

On Tue, Oct 22, 2002 at 07:58:45PM -0400, batz wrote:

> The only useful recommendations I can think of to give to regular users would be to increase the TTL's on their zones to longer than a day if they are worried about root servers making their domains unresolvable, maybe expect occasional delays in name resolution when surfing the net, and to remind them to ensure their machines are locked down.
>
> Any others?
>
> -- batz
* randy@psg.com (Randy Bush) [Wed 23 Oct 2002, 00:54 CEST]:
> when uunet or at&t takes many customers out for many hours, it's not a problem
>
> when an attack happens that was generally not even perceived by the users, it's a major disaster

The BBC website has an article with rather more nuance than some other online news outlets appear to have.

http://news.bbc.co.uk/2/hi/technology/2352667.stm

| "As best we can tell, no user noticed and the attack was dealt with
| and life goes on," said Louis Touton, vice president for the Internet
| Corporation for Assigned Names and Numbers, which oversees the running
| of the root servers and the net's addressing system.

The article calls it a "failed attack" and features a picture of a few big sea waves. It also features a link to an article named "Fighting zombie machines" - this also says something good about the clue level at BBC News, I think.

Regards,

-- Niels.
On Tue, Oct 22, 2002 at 05:15:21PM -0400, Sean Donelan wrote:
> http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html
> The heart of the Internet sustained its largest and most sophisticated attack ever, starting late Monday, according to officials at key online backbone organizations.

Looked like a pretty piddly and unintelligent smurf/ping flood combo to me. The state of the so-called "experts" saddens me more with each passing day.

-- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
> On Tue, Oct 22, 2002 at 05:15:21PM -0400, Sean Donelan wrote:
>> http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html
>> The heart of the Internet sustained its largest and most sophisticated attack ever, starting late Monday, according to officials at key online backbone organizations.
>
> Looked like a pretty piddly and unintelligent smurf/ping flood combo to me. The state of the so-called "experts" saddens me more with each passing day.

Does that include Paul, who was quoted? (Okay Paul - here's your chance to rant about how badly they misquoted you! <Grin>)

*********** REPLY SEPARATOR ***********

On 10/22/2002 at 7:11 PM Richard A Steenbergen wrote:

> -- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
> PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)

-- Jeff Shultz
Network Support Technician
Willamette Valley Internet
Not speaking for anyone but myself here.
On Tue, Oct 22, 2002 at 04:17:22PM -0700, Jeff Shultz wrote:
> Does that include Paul, who was quoted? (Okay Paul - here's your chance to rant about how badly they misquoted you! <Grin>)

Ok I take it back, after actually reading the article. The quote is:

"This was the largest and most complex DDOS attack ever against the root server system," said a source at one of the organizations responsible for operating the root servers.

Which is probably completely accurate, and is certainly believable. Just because no one ever bothered to attack all the root servers at once before doesn't make the attack used anything more than piddly. Yay to creative editing though.

-- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
On Tue, 2002-10-22 at 19:41, Paul Vixie wrote:
>> (Okay Paul - here's your chance to rant about how badly they misquoted you! <Grin>)
>
> I think it's clear that editors were involved.
> -- Paul Vixie

I did notice that Paul was quoted as stating essentially that F was not impacted. From my own experience and numerous folks who monitor DNS performance this seems true. However, I did notice that several of the servers which are operated by VeriSign were not responding to at least a large, 50% or greater, fraction of test queries. Even so, VeriSign was good enough to chime in that their root servers were unaffected.

Did I mis-perceive this, or is it another bold-faced lie from VeriSign?

-- Jeff S Wheeler <jsw@five-elements.com>
Let me chime in with some of what I've been telling reporters all day.
> I did notice that Paul was quoted as stating essentially that F was not impacted. From my own experience and numerous folks who monitor DNS performance this seems true. However, I did notice that several of the servers which are operated by VeriSign were not responding to at least a large, 50% or greater, fraction of test queries. Even so, VeriSign was good enough to chime in that their root servers were unaffected.
>
> Did I mis-perceive this, or is it another bold-faced lie from VeriSign?

I had congestion-free access to A and J throughout yesterday, so from my point of view VeriSign's servers were just fine. (A and J are not in this building nor even in this state or timezone, so it wasn't a locality issue.)

DDoS attacks often end up hurting intermediate links in the path more than the destination of the flow. Determining whether a root name server has "reachability" requires dozens, or hundreds, of diverse monitors. Yesterday's attack was only visible to people who monitor root servers or whose backbones feed root servers -- whereas the average person who just wanted to use DNS to get their work done didn't seem to notice it at all.

-- Paul Vixie
On 23 Oct 2002, Paul Vixie wrote:
>> Did I mis-perceive this, or is it another bold-faced lie from VeriSign?
>
> I had congestion-free access to A and J throughout yesterday, so from my point of view VeriSign's servers were just fine. (A and J are not in this building nor even in this state or timezone, so it wasn't a locality issue.)
paul, show us a traceroute from f to a and j. ;)
On Tue, 22 Oct 2002 20:35:06 EDT, Jeff S Wheeler <jsw@five-elements.com> said:
> performance this seems true. However, I did notice that several of the servers which are operated by VeriSign were not responding to at least a large, 50% or greater, fraction of test queries. Even so, VeriSign was good enough to chime in that their root servers were unaffected.
>
> Did I mis-perceive this, or is it another bold-faced lie from VeriSign?

If a server that can handle 500K packets/sec is sitting behind a pipe that maxes out at 400K packets/sec, it won't be affected when the pipe is flooded.

Most likely, half your packets were being dropped 2 or 3 hops from the server (where the DDoS starts converging from multiple sources). So we probably can't pin a "bold-faced lie" on VeriSign this time. Dissembling and misleading perhaps, but not a total lie (unless somebody can prove that the pipe still had capacity and wasn't dropping stuff)

-- Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
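The messages above disagree because each observer had a different path to the same servers. As an added example that is not part of the original thread, the sketch below classifies a server by how loss is spread across monitors instead of trusting one vantage point. The monitor names, server labels and probe results are constructed, and the 20% loss threshold and three-monitor minimum are assumptions.

```python
# Added example: multi-vantage reachability verdicts. All probe data is constructed.
from collections import defaultdict


def loss_by_vantage(probes):
    """probes: iterable of (vantage, server, answered).
    Returns {server: {vantage: fraction of probes lost}}."""
    sent = defaultdict(lambda: defaultdict(int))
    lost = defaultdict(lambda: defaultdict(int))
    for vantage, server, answered in probes:
        sent[server][vantage] += 1
        lost[server][vantage] += 0 if answered else 1
    return {s: {v: lost[s][v] / n for v, n in per_v.items()}
            for s, per_v in sent.items()}


def classify(probes, lossy=0.2, min_vantages=3):
    """Label each server from the spread of loss across vantage points."""
    verdicts = {}
    for server, per_vantage in loss_by_vantage(probes).items():
        bad = [v for v, loss in per_vantage.items() if loss >= lossy]
        if len(per_vantage) < min_vantages:
            # One monitor cannot tell a congested path from a sick server.
            verdicts[server] = "insufficient vantage points"
        elif not bad:
            verdicts[server] = "reachable"
        elif len(bad) < len(per_vantage):
            # Some paths are clean, so the drops happen upstream of the server.
            verdicts[server] = "path-dependent loss"
        else:
            # Server or its last-hop link; probes alone cannot say which.
            verdicts[server] = "unreachable from all monitors"
    return verdicts


def sample_probes():
    """Constructed data: 10 probes per (monitor, server), with answered counts."""
    answered = {
        ("mon-east", "root-1"): 5, ("mon-west", "root-1"): 10, ("mon-eu", "root-1"): 10,
        ("mon-east", "root-2"): 10, ("mon-west", "root-2"): 10, ("mon-eu", "root-2"): 10,
        ("mon-east", "root-3"): 1, ("mon-west", "root-3"): 0, ("mon-eu", "root-3"): 2,
        ("mon-east", "root-4"): 4,
    }
    return [(v, s, i < ok) for (v, s), ok in answered.items() for i in range(10)]


if __name__ == "__main__":
    for server, verdict in classify(sample_probes()).items():
        print(server, "->", verdict)
```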
i think we would benefit from a traceroute - paul - f to a and j? paul may very well be correct - but what if they're internetworked with each other. paul?

On Wed, 23 Oct 2002 Valdis.Kletnieks@vt.edu wrote:

> On Tue, 22 Oct 2002 20:35:06 EDT, Jeff S Wheeler <jsw@five-elements.com> said:
>> performance this seems true. However, I did notice that several of the servers which are operated by VeriSign were not responding to at least a large, 50% or greater, fraction of test queries. Even so, VeriSign was good enough to chime in that their root servers were unaffected.
>>
>> Did I mis-perceive this, or is it another bold-faced lie from VeriSign?
>
> If a server that can handle 500K packets/sec is sitting behind a pipe that maxes out at 400K packets/sec, it won't be affected when the pipe is flooded.
>
> Most likely, half your packets were being dropped 2 or 3 hops from the server (where the DDoS starts converging from multiple sources). So we probably can't pin a "bold-faced lie" on VeriSign this time. Dissembling and misleading perhaps, but not a total lie (unless somebody can prove that the pipe still had capacity and wasn't dropping stuff)
Agreed...I worked these attacks on UUNET's backbone and quite honestly none of them was over 100mbit worth of traffic. We see this every day, this was nothing out of the ordinary except the destination...

Shrug...fear is an easy weapon to wield, eh?

On Tue, 22 Oct 2002, Richard A Steenbergen wrote:

> On Tue, Oct 22, 2002 at 05:15:21PM -0400, Sean Donelan wrote:
>> http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html
>> The heart of the Internet sustained its largest and most sophisticated attack ever, starting late Monday, according to officials at key online backbone organizations.
>
> Looked like a pretty piddly and unintelligent smurf/ping flood combo to me. The state of the so-called "experts" saddens me more with each passing day.
>
> -- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
> PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
Aha! But remember that we are constantly being told that there is no longer a shortage of qualified network engineers and security professionals... I guess the definition of "qualified" has changed... I wonder where all of the people who used to yell "We need more CISSP's!!!!" have gone? Yet another in a long series of worthless certifications...

When the volume (instead of the level of sophistication) of an attack becomes the only meaningful measure of its severity, perhaps we are being shown that just maybe there still IS a shortage of qualified network engineers and security professionals...

It's a terrible thing when the most "competent" assessment of an attack comes from a "company spokesperson", rather than someone just a little more technical...

Oh, well...

Jamie

----- Original Message -----
From: "dies" <dies@pulltheplug.com>
To: "Richard A Steenbergen" <ras@e-gerbil.net>
Cc: "Sean Donelan" <sean@donelan.com>; <nanog@merit.edu>
Sent: Wednesday, October 23, 2002 1:05 AM
Subject: Re: WP: Attack On Internet Called Largest Ever

> Agreed...I worked these attacks on UUNET's backbone and quite honestly none of them was over 100mbit worth of traffic. We see this every day, this was nothing out of the ordinary except the destination...
>
> Shrug...fear is an easy weapon to wield, eh?
>
> On Tue, 22 Oct 2002, Richard A Steenbergen wrote:

----
Jamie C. Pole
Co-Founder & Principal Consultant
J.C. Pole & Associates, Inc.

Email: jpole@jcpa.com
Web: http://www.jcpa.com/
Office: 203.338.0901
Fax: 203.576.1355
Toll-Free: 866.338.0901
ICQ: 8630771 (PGP Capable)
Pager: 888.894.3183
Cell: 203.395.7737

Purveyors of global commercial intelligence and counterintelligence services

* Information Security * Information Warfare * Information Forensics *
* Secure Electronic Commerce * Industrial Espionage Countermeasures *
* Corporate Fraud Investigation * Professional Tiger Team Assessments *
* Transportation Security Systems * Airport Security Evaluations & Certification *
* Non-Lethal Law Enforcement Technologies * Firearms Certification *
* Comprehensive Litigation & Law Enforcement Support Services *

PGP Fingerprint: 6F18 A0E2 DF95 B0F0 A954 A333 B3C4 663E 893A D6F2
----
At 07:50 AM 10/23/2002, Jamie C. Pole wrote:
> It's a terrible thing when the most "competent" assessment of an attack comes from a "company spokesperson", rather than someone just a little more technical...

In my reality the shop floor is not allowed to comment on something that is seen as vital to a corporation's interests at all. This in order not to destroy carefully crafted statements by the spokespeople vetted by the lawyerpeople. Such statements tend to be designed to hide the bad news and amplify whatever snippets of good news can be found.

The *perceived* "affluence" of *competent* technical people has an effect on this: It makes the shop floor *much less* likely to talk even to peers for fear of their jobs.

Daniel
On Wed, Oct 23, 2002 at 01:32:59PM +0200, Daniel Karrenberg wrote:
> At 07:50 AM 10/23/2002, Jamie C. Pole wrote:
>> It's a terrible thing when the most "competent" assessment of an attack comes from a "company spokesperson", rather than someone just a little more technical...
>
> In my reality the shop floor is not allowed to comment on something that is seen as vital to a corporation's interests at all. This in order not to destroy carefully crafted statements by the spokespeople vetted by the lawyerpeople. Such statements tend to be designed to hide the bad news and amplify whatever snippets of good news can be found.
>
> The *perceived* "affluence" of *competent* technical people has an effect on this: It makes the shop floor *much less* likely to talk even to peers for fear of their jobs.

Gee... And for some reason today's [10/23] "Helen, Sweetheart of the Internet" <http://www.comicspage.com/helen/index.html> comic strip seems sooo relevant to this discussion... :->

> Daniel

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
> http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html
> The heart of the Internet sustained its largest and most sophisticated attack ever, starting late Monday, according to officials at key online backbone organizations.

Can someone point out to me where the heart of Internet is? Last time I looked, the Internet looked more like a bunch of spiders having an orgy.

Alex
>> The heart of the Internet sustained its largest and most sophisticated attack ever, starting late Monday, according to officials at key online backbone organizations.
>
> Can someone point out to me where the heart of Internet is?

Oh, the heart of the Internet? It's at WorldCom headquarters, right next to the employee cafeteria. You must have missed that press release. It was the one released right after the notice officially proclaiming that UUNet is The Internet.

- D
>> http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html
>> The heart of the Internet sustained its largest and most sophisticated attack ever, starting late Monday, according to officials at key online backbone organizations.
>
> Can someone point out to me where the heart of Internet is? Last time I looked, the Internet looked more like a bunch of spiders having an orgy.

You must admit, that if you are into spiders having sex, some of those pictures are damned sexy. ;)

DJ
participants (21)

- Al Rowland
- alex@yuriev.com
- amar
- batz
- Daniel Karrenberg
- Deepak Jain
- dies
- Drew Linsalata
- Hank Nussbacher
- Jamie C. Pole
- Jeff S Wheeler
- Jeff Shultz
- John M. Brown
- lordb@nomad.tallship.net
- Michael H. Warfield
- Niels Bakker
- Paul Vixie
- Randy Bush
- Richard A Steenbergen
- Sean Donelan
- Valdis.Kletnieks@vt.edu