tear it out, root and branch
December 19, 2015 11:26 AM   Subscribe

 
Someone's trying to win the "worlds most pointless thing to attack" award.
posted by Talez at 11:28 AM on December 19, 2015 [3 favorites]


This post could use some better context, or an explanation, or something.
posted by shmegegge at 11:33 AM on December 19, 2015 [15 favorites]


I think "pointless thing" is the wrong description. The root servers are very important! But they're also highly resilient. Better to say "futile thing".
posted by sbutler at 11:34 AM on December 19, 2015 [1 favorite]


Some group attacks name servers. Name server admins say "whoa that's a lot of traffic" but it fails to actually accomplish anything given the roots are both anycasted and ridiculously over provisioned. Security expert thinks this mild annoyance at best is a reason to implement esoteric security solution.
posted by Talez at 11:35 AM on December 19, 2015 [5 favorites]


as an unreasonable, irrational, paranoid comments thread denizen with pointlessly eccentric political ideas, I have to give credit where credit is due to the commenters on Schneier's blog. Those guys (the gendered language here is used deliberately) are next level unreasonable, irrational, and paranoid.
posted by You Can't Tip a Buick at 11:40 AM on December 19, 2015 [14 favorites]


I like how Schneier's last two links are about something that happened in 2002. He sure spent a lot of time on that post.

And yeah, that third comment is something extra.
posted by effbot at 11:42 AM on December 19, 2015


What's been disclosed is a denial of service attack; a flood of traffic. This is obnoxious and potentially harmful, but nowhere near as harmful as a penetration attack where someone would try to subvert the DNS roots. No subversion attack has been disclosed.

My first reaction was like Schneier's; someone's testing their DDOS capabilities. But it could also be a more active attack. Enough attack traffic might delay legitimate responses, which could allow for spoofed responses to arrive first at the target.

I'm surprised Schneier highlighted BCP 38 ingress filtering as a solution for "source address validation in the DNS system". My understanding is that this kind of filtering is a good thing for the Internet as a whole in that it makes it harder for bad guys to forge source addresses for packets. If it were widely deployed, DNS DDOS would be harder. But it's not something the DNS system can implement itself to protect itself; the filters have to be implemented at every single ISP.
posted by Nelson at 11:44 AM on December 19, 2015


The notable phrase in the first sentence of comment 3, "deep state attacks", appears on a lot of websites that also include phrases such as "false flag". The rest of the comment reads like the output of a markov chatbot.
posted by DancingYear at 12:08 PM on December 19, 2015 [6 favorites]


Say you had access to an illicit botnet but were disappointed with the blackmarket rates that bad actors were willing to spend? How can you demonstrate the strength and power and get a lot of publicity? Whack the king in the knee, make news, let stuff settle down, under the covers tell your buyers that you were using 5% of your bots.

3. Make Money.
posted by sammyo at 12:16 PM on December 19, 2015 [8 favorites]


Don't remember where I saw it and am not finding the reference but at least one of the attacks were supposedly coming from cell phone apps.
posted by sammyo at 12:21 PM on December 19, 2015


Now that most of the important online services are using TLS, would successfully attacking the root servers cause much more than an inconvenience? After all, as soon as they hypothetically start sending out forged name resolutions, certificate validations start failing and everyone's browser/mail client/etc. goes all, "whoops, you'd better wait this one out".
posted by indubitable at 12:41 PM on December 19, 2015


I read the source address validation paper that Schneier linked to. It appears to me to be just a wish for packet filtering further up the line from networks that don't packet filter on source addresses they own. Is that any more possible than expecting networks to be responsible, or am I missing something in the details?

It would be nice if Juniper/Cisco had source filtering based on BGP. I'd filter everything if that was the case. Instead we have to muck around and build filters outside the router and import them in.
posted by pashdown at 12:46 PM on December 19, 2015 [1 favorite]


Yeah. As much as those commentators are crazy, it's probably reasonable to assume that this was a demonstration of some sort.

Attaching the DNS root servers is simultaneously very difficult and very pointless.

This wasn't the government though. They've got their own gigantic data centers they can attack if they want to internally demonstrate that variability.

Dream bigger with your conspiracy theories, guys.
posted by schmod at 1:44 PM on December 19, 2015 [4 favorites]


"The queries were well-formed, valid DNS messages for a single domain name."

Normally you want to induce as much variation as possible into the mix, so that filtering out the attack is harder. Here, the attackers used a single domain. I'm assuming that since they chose not to filter it out, it was also something pretty central to the internet at large. Probably Google or update.microsoft.com.
posted by pwnguin at 2:58 PM on December 19, 2015


I like how the endgame in Schneier's comment #3 is a new global currency. There's all this setup, with the EMP, the mercenaries, the NSA. But his greatest fear is not genocide, forced relocation, slavery, or nuclear holocaust. No, his worst-case scenario is using a different unit of money.
posted by foobaz at 3:05 PM on December 19, 2015 [10 favorites]


Now that most of the important online services are using TLS, would successfully attacking the root servers cause much more than an inconvenience?
Every time someone types "google" into a web browser, their web browser hits "http://google.com" in the clear, which then redirects on to the https site. (Except for rare users of https anywhere, and maybe chrome has some specific hack for google.com but probably not for yourbank.com.) So there's still vast potential to attack via DNS spoofing.

A full DNS root server DOS attack would not be pretty at all, either.
posted by joeyh at 3:43 PM on December 19, 2015 [1 favorite]


I like how the endgame in Schneier's comment #3 is a new global currency. There's all this setup, with the EMP, the mercenaries, the NSA. But his greatest fear is not genocide, forced relocation, slavery, or nuclear holocaust. No, his worst-case scenario is using a different unit of money.

I thought THAT was just set-up for everyone then begging for the "totalitarian Marxist regime" which is his real fear: Commies! Internet commies!
posted by Dysk at 4:26 PM on December 19, 2015


This is why I do all my browsing with IP addresses and host-headers only.
posted by blue_beetle at 4:29 PM on December 19, 2015 [9 favorites]


Weirdly, with Time Warner here in LA, unresolved DNS errors are the most frequent problem I encounter. Like, several times a day. Their theory is that it's my router setup, but I use one of their approved routers, and when I eliminated that from my setup, I still get regular unresolved DNS problems. I know that they have their own DNS servers (and since my router is a Netgear, nominally they have their own DNS servers too that I could reroute to), but nothing seems to work. I was hoping to be able to pin my problems on this attack, but from y'all's comments, it doesn't seem likely.
posted by klangklangston at 6:05 PM on December 19, 2015


klangklangston, have you tried using Google DNS instead?
posted by indubitable at 7:26 PM on December 19, 2015 [3 favorites]


klangklangston: "Weirdly, with Time Warner here in LA, unresolved DNS errors are the most frequent problem I encounter. Like, several times a day. Their theory is that it's my router setup, but I use one of their approved routers, and when I eliminated that from my setup, I still get regular unresolved DNS problems. I know that they have their own DNS servers (and since my router is a Netgear, nominally they have their own DNS servers too that I could reroute to), but nothing seems to work. I was hoping to be able to pin my problems on this attack, but from y'all's comments, it doesn't seem likely."

You must be on AT&T where their default setup times out almost constantly for their own servers. Also, check out OpenDNS. Good robust DNS with optional security features. I use it in conjunction with my (NotOnAPi) Pihole.
posted by Samizdata at 8:14 PM on December 19, 2015


Is this why Google stopped working?
posted by Jacqueline at 8:36 PM on December 19, 2015


8.8.8.8
8.8.4.4
posted by jenkinsEar at 9:16 PM on December 19, 2015 [1 favorite]


Vaguely off topic: I've been reading about Jekyll and about how people keep raving about it. "This is how you can blog like a hacker. Just plain text."

Oh yeah? You sure about that? Because as can be seen from RFCs and articles like this, The Internet Guys just release actual plain text files.
posted by wwwwolf at 11:38 PM on December 19, 2015 [2 favorites]


It's all in the phrasing:

"Someone is attacking DNS root servers." - Wow, that's serious.

"Someone is attacking the Internet." - pffffhaha they're haxoring all the ips

Hah, I just reminded myself of when I guy I know uploaded a torrent of an archive of all IP addresses. He programmed it to spit out a text file that started 0.0.0.0 and ended 255.255.255.255.
posted by BiggerJ at 4:14 AM on December 20, 2015 [3 favorites]


I'm assuming that since they chose not to filter it out, it was also something pretty central to the internet at large. Probably Google or update.microsoft.com.

If it was indeed update.microsoft.com, there's a better than even chance that this was not in fact any kind of attempted DDOS attack, just Windows Update finding yet another way to screw up migrating a bunch of Windows installations to Windows 10.
posted by flabdablet at 4:47 AM on December 20, 2015


The Internet Guys just release actual plain text files

Oh it's not just that, it's plain text files with page breaks. All formatted by a 20+ year old program, something both simpler and yet somehow more abstruse than TeX.
posted by Nelson at 7:31 AM on December 20, 2015 [4 favorites]


joeyh: Every time someone types "google" into a web browser, their web browser hits "http://google.com" in the clear, which then redirects on to the https site.

This used to be the case, but with the use of HSTS most major web properties (and lots of minor ones too) are immune to this type of attack, in all of the major browsers; the standard is open and any site can easily opt in without any communication or approval from Google or anyone else. The EFF's SSL Observatory and Google's Certificate Transparency also protect against DNS spoofing, even in the case when the attacker is somehow able to obtain a valid certificate for the site they're spoofing.

Basically, the browser vendors (largely led by Google) have collectively decided that DNS is untrustworthy and have engineered around it.
posted by bbuda at 7:56 AM on December 20, 2015 [1 favorite]


pwnguin: "Normally you want to induce as much variation as possible into the mix, so that filtering out the attack is harder."

This also introduces the possibility that somebody accidentally released some non-malicious code into the wild that pointed a ton of devices at the root servers for some reason.

If, say, the Android Facebook app released an update that caused everybody to bypass the OS's DNS capabilities for someone, and looks up facebook.com via the root servers, the resulting traffic pattern would probably look a lot like this attack.

Of course, this is a far-fetched scenario, but the details of this attack are a little odd.
posted by schmod at 2:10 PM on December 20, 2015


BiggerJ:
Hah, I just reminded myself of when I guy I know uploaded a torrent of an archive of all IP addresses. He programmed it to spit out a text file that started 0.0.0.0 and ended 255.255.255.255.
Hahaha. That sounds like a slightly amusing prank, but on first read it seemed said guy believed he was achieving something useful. Which reminds me of a guy I knew back in high school. He'd programmed a calculator in C, but instead of using the language's built-in operators and maybe writing an expression parser he had written functions to re-implement the built-in operators and hardcoded the return values for pairs of inputs.

It was like some unbelievable attempt at combinatorial masochism. We subsequently discouraged him from pursuing programming as a hobby.
posted by iffthen at 8:27 AM on December 21, 2015


shmegegge: I tried to write up a post giving some context here but it's been a shit week and what I wrote turned out a bit too sarcastic. I'll come back to it if you like, but of the Schneier-linked articles this one is probably the most informative.

Has anyone seen what the actual domain name being queried was?

Also, the International Business Times article that Schneier links to is utter, utter crap.
posted by iffthen at 10:39 AM on December 21, 2015


Mr. Gibson over at grc.com has had a solution to denial of service attacks for a while but no one seems to pay attention to him. He has come up with a system he calls Genesis: Gibson's ENcryption-Enhanced Spoofing Immunity System. I have not been there for a while but his Spinrite product has saved my butt a couple times.
posted by GrimJack at 6:53 PM on December 21, 2015


He has come up with a system he calls Genesis: Gibson's ENcryption-Enhanced Spoofing Immunity System.

SYN cookies will not help here because:

1. The servers accept UDP, and basically can't stop accepting UDP.
2. The packets are the problem, not the connection handling resources on the server.

It's likely the servers still had those protections, and it did nothing to stop the DDoS. Today's DoS doesn't attack you. It attacks the bandwidth delivered to you. It doesn't matter how smart your endpoint is when it comes to TCP packets, the problem is that any given medium for digital communication can only provide so many packets per second (bandwidth). Your ISP needs to somehow know not to forward the packet on to you, while forwarding other, legitimate packets on still.

DNS solves this by having like, more internet pipes than Jesus, spread out across the globe, and anycasted such that a packet destined for a root server is delivered to multiple servers that can respond to requests for the given root server. CDNs apply the same technique to web services.
posted by pwnguin at 7:21 PM on December 21, 2015 [1 favorite]


« Older Fluffin' the holiday squees-un   |   I Love You All The Time Newer »


This thread has been archived and is closed to new comments