[GTER] Feds Investigating "Largest Ever" Attack on Internet
Jeronimo de A Barros
jero at i2.com.br
Thu Oct 24 10:48:00 -03 2002
Hi...
As far as I know it is already distributed: Rio (2), Sampa (1), USA
(1) and France (1).
But it seems that only the ones in Rio and São Paulo answer for
all the .BR DPNs.
Regards, Jero
On Thu, 24 Oct 2002, Kleber Carriello de Oliveira wrote:
> Date: Thu, 24 Oct 2002 09:38:11 -0300
> From: Kleber Carriello de Oliveira <kco at embratel.net.br>
> Reply-To: gter at eng.registro.br
> To: gter at eng.registro.br
> Subject: RE: [GTER] Feds Investigating "Largest Ever" Attack on Internet
>
> Perhaps it is time for us to think about a more distributed DNS structure.
> The FAPESP servers could be distributed across regions of Brazil.
>
> --
> Kleber Carriello de Oliveira
> Internet Security Management
> Embratel - Rio de Janeiro
>
> -----Original Message-----
> From: gter-admin at eng.registro.br [mailto:gter-admin at eng.registro.br]On
> Behalf Of Andre Fucs de Miranda
> Sent: Wednesday, October 23, 2002 13:52
> To: gter
> Subject: [GTER] Feds Investigating "Largest Ever" Attack on Internet
>
>
> Reading this, I ask myself... currently, what is the real chance of the
> Brazilian DNS servers being affected by a similar act? Just out of
> curiosity... are simulations of this kind being done, or have they been done?
>
> +++ start +++
> Feds Investigating "Largest Ever" Attack on Internet
>
>
> By Kevin Murphy
>
> US Federal authorities are investigating an attack on the internet that has
> been described as the "largest and most complex" in history. Rather than a
> specific entity, the attack was aimed at the domain name system's root
> servers, essentially at the internet itself.
>
> In a distributed denial of service attack that began 5pm US Eastern time
> Monday and lasted one hour, seven of the 13 servers at the top of the
> internet's domain name system hierarchy were rendered virtually
> inaccessible, sources told ComputerWire.
>
> "We're aware of that [the attack] and the National Infrastructure
> Protection Agency is addressing the matter," an FBI spokesperson told
> ComputerWire. No more information on the investigation was available.
>
> According to a source that preferred not to be named, the recently formed
> Department of Homeland Security is involved in the investigation, as
> well as the FBI, suggesting that authorities are concerned the attack may
> have originated overseas.
>
> "It was the largest and most complex DDoS attack on all 13 roots," a source
> familiar with the attacks said. "Only four of the primary 13 root
> servers were up during the attack. Seven were completely down and two were
> suffering severe degradation."
>
> The source said each of the servers was hit by two to three times the load
> normally borne by the entire 13-server constellation. Paul Vixie,
> chairman of the Internet Software Consortium, which manages one of the
> servers, said he saw 80Mbps of traffic to the box, which usually only
> handles 8Mbps.
>
> In a DDoS flood attack, hackers take control of dozens or hundreds of
> "slave" or "drone" machines, then instruct them remotely to simultaneously
> flood specified IP addresses. The attack is believed to have been an ICMP
> (Internet Control Message Protocol) ping flood, which stops networked
> devices responding to traffic by pounding them with spurious packets.
>
> Freely downloadable hacker tools such as Tribe Flood Network, Trinity and
> Stacheldraht can be used to launch ICMP floods. One such tool was used
> memorably against Amazon, eBay and other big sites in the Mafiaboy
> attacks of February 2000. Mafiaboy, a Canadian schoolboy, was eventually
> caught after bragging to friends about the attacks.
>
> The DNS root servers are the master lists of domain names and IP
> addresses on the internet, the machines from which all DNS lookup
> information flows. If they were taken offline or became inaccessible, any
> application that uses domain names (email and browsers at the low end)
> would ultimately stop functioning properly.
>
> The best way to counter these kinds of attacks is "massive
> over-provisioning", said the ISC's Vixie. He added that the attack did not
> actually crash any of the root servers, rather it congested devices
> upstream of the servers themselves, so that very little legitimate traffic
> could get through.
>
> A spokesperson for VeriSign Inc, which manages another root server, said:
> "VeriSign expects that these sort of attacks will happen, and VeriSign was
> prepared. VeriSign responded quickly, and we proactively cooperated with
> fellow providers and authorities."
>
> Louis Touton, VP of the Internet Corp for Assigned Names and Numbers
> (ICANN) which runs another server, said that these types of attacks
> against root servers are common, but that the scale and the fact that all
> 13 servers were targeted set Monday's incident apart. He pointed out that
> no end users were affected.
>
> DDoS attackers operate with at least one degree of separation from their
> targets, and use spoofed source IP addresses to make tracing them virtually
> impossible. According to Vixie, the only way to stop such attacks
> happening in future is to make it too hard to execute them and get away
> with it.
>
> "The most important thing to come to light here has been known for some
> time. We've got to find a way to secure all the end stations that forge
> this traffic," Vixie said. "There's an army of drones sitting out there on
> DSL lines... There's no security at the edge of the network. Anyone can
> send packets with pretty much any source address."
>
> Richard Probst, VP of product management at DNS specialist Nominum Inc,
> observed the attacks, and said it was interesting that the hacker chose to
> attack the root servers for only one hour.
>
> Only a sustained attack on the root servers would have had an impact on end
> users, which tend to do DNS lookups in the first instance on data cached
> locally at their ISP. It is only after a longer period, when cached data
> starts to purge, that an offline root server could cause problems.
>
> "The root servers don't actually get as much traffic as others, such as
> those that handle .com," Probst said. "It makes you wonder whether they
> were trying to stop things, or to show their knowledge of the system. It's
> almost as if these folks were exploring to see how the system would
> respond to this level of attack."
>
> © Computer Business Review Online 2002
>
> http://www.cbronline.com/cbr.nsf/printweb/546816D8B69C048680256C5B00107E53?Opendocument
> http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html
> +++ end +++
>
> --
> !
> subscribe to -do-not-cross-
> security, information and opinion
> http://www.cfsec.com.br/dnc/
> !
>
> --
> GTER list http://eng.registro.br/mailman/listinfo/gter
>
>
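The article's point about caching (a one-hour root outage is invisible to end users, a sustained one is not) can be made concrete with a small simulation. The following is an added example written for this archive page; it is not code from the thread, from ISC, or from any resolver. It models a toy caching resolver that keeps (record type, name) entries with expiry times and only contacts a root server when its cached TLD referral has expired. The TTL values, the query interval, the name `www.example.com`, and the outage being a total loss of all roots (worse than Monday's attack, where four of thirteen stayed up) are all assumptions of the simulation, and TLD and zone servers are assumed to remain reachable throughout.

```python
"""Toy caching resolver: how long before a root-server outage hurts clients?

Added illustration for the GTER thread; not code from the article, ISC, or
any real resolver. TTLs and query cadence are assumptions, not measurements
of the live root zone.
"""
from typing import Dict, Optional, Tuple

# Assumed TTLs in seconds (simulation parameters, not real-world values).
ROOT_REFERRAL_TTL = 2 * 24 * 3600  # TLD NS records learned from a root server
TLD_REFERRAL_TTL = 24 * 3600       # zone NS records learned from a TLD server
ANSWER_TTL = 300                   # the final A record from the zone's server


class CachingResolver:
    """Recursive resolver whose cache maps (rrtype, name) -> expiry time."""

    def __init__(self, root_outage: Optional[Tuple[int, int]] = None):
        self.cache: Dict[Tuple[str, str], int] = {}
        # Half-open interval [start, end) during which every root is unreachable.
        self.root_outage = root_outage
        self.root_queries = 0

    def _cached(self, key: Tuple[str, str], now: int) -> bool:
        return key in self.cache and self.cache[key] > now

    def _root_reachable(self, now: int) -> bool:
        if self.root_outage is None:
            return True
        start, end = self.root_outage
        return not (start <= now < end)

    def resolve(self, name: str, now: int) -> bool:
        """Return True on an answer, False on SERVFAIL (root needed but down)."""
        labels = name.split(".")
        zone = ".".join(labels[-2:])  # e.g. example.com
        tld = labels[-1]              # e.g. com
        if self._cached(("A", name), now):
            return True
        if not self._cached(("NS", zone), now):
            if not self._cached(("NS", tld), now):
                # This is the only step that touches a root server.
                self.root_queries += 1
                if not self._root_reachable(now):
                    return False
                self.cache[("NS", tld)] = now + ROOT_REFERRAL_TTL
            # TLD servers are assumed up; they return the zone's NS records.
            self.cache[("NS", zone)] = now + TLD_REFERRAL_TTL
        # Zone servers are assumed up; the answer is cached for its TTL.
        self.cache[("A", name)] = now + ANSWER_TTL
        return True


def failed_lookups(outage_start: int, outage_len: int, horizon: int,
                   interval: int = 600,
                   name: str = "www.example.com") -> Tuple[int, int]:
    """Warm the cache at t=0, query `name` every `interval` seconds until
    `horizon`, and return (SERVFAIL count, root queries attempted) while the
    roots are unreachable for `outage_len` seconds from `outage_start`."""
    resolver = CachingResolver(root_outage=(outage_start, outage_start + outage_len))
    failures = 0
    for now in range(0, horizon, interval):
        if not resolver.resolve(name, now):
            failures += 1
    return failures, resolver.root_queries


if __name__ == "__main__":
    week = 7 * 24 * 3600
    # Monday's attack: one hour starting at 17:00, one day into the week.
    print("1-hour outage :", failed_lookups(17 * 3600, 3600, week))
    # A sustained attack: three days, long enough for the TLD referral to expire.
    print("3-day outage  :", failed_lookups(17 * 3600, 3 * 24 * 3600, week))
```

With the assumed TTLs the one-hour outage produces no failures at all, because the resolver needs a root server only four times in the whole week; the three-day outage starts failing the moment the cached TLD referral expires and keeps failing until a root comes back, which is the "cached data starts to purge" case the article describes.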