Anonymous planning a root-servers party

As I hadn't seen it discussed here, I'll have to assume that many
NANOGers haven't seen the latest rant from Anonymous:

"To protest SOPA, Wallstreet, our irresponsible leaders and the
beloved bankers who are starving the world for their own selfish
needs out of sheer sadistic fun, On March 31, the Internet will go
Black.
In order to shut the Internet down, one thing is to be done. Down the
13 root DNS servers of the Internet. Those servers are as follow:"

http://pastebin.com/XZ3EGsbc

13 servers. Sshhhhh! Don't anybody mention anycast - it's a secret.

I really don't think Anonymous is dumb enough to forget about anycast. If
I remember right, another group tried to take down the root servers within
the past 5 or 6 years and only took out around 20 or 25.

-Grant

As is TCP, which requires a 3-way handshake, oh and the 41 day TTL on the . zone

2 day TTL on the served data pointing to the com zone, so any well-behaved server should only touch the root once every ~172800 seconds.

This means the activity would have to be sustained and unmitigated for many hours (days) to have a significant impact.

- Jared
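
The caching argument in the message above, worked through as a small model. This is an added example, not part of the original thread; the resolver count, the evenly staggered expiry times and the assumption that no root instance answers at all during the outage are constructed for illustration.

```python
TLD_TTL = 172_800  # seconds: the 2-day delegation TTL quoted in the message above


def outage_impact(outage_start, outage_len, resolvers=1728, ttl=TLD_TTL):
    """Return (fraction of resolvers that lose the TLD, mean blind seconds among them).

    Assumptions, constructed for this example: each resolver's cached TLD
    delegation expires at an evenly staggered phase, a resolver refetches from
    the root the instant its entry expires, no root instance answers during
    the outage, and there is no prefetch or serve-stale.
    """
    outage_end = outage_start + outage_len
    affected, blind = 0, 0
    for i in range(resolvers):
        phase = i * ttl // resolvers               # expiry offset within the TTL cycle
        cycles = -((phase - outage_start) // ttl)  # ceil((outage_start - phase) / ttl)
        expiry = phase + cycles * ttl              # first expiry at or after outage_start
        if expiry < outage_end:                    # refetch lands inside the outage and fails
            affected += 1
            blind += outage_end - expiry           # no delegation until the roots return
    mean_blind = blind / affected if affected else 0.0
    return affected / resolvers, mean_blind


if __name__ == "__main__":
    for hours in (1, 6, 24, 48):
        frac, mean_blind = outage_impact(outage_start=50_000, outage_len=hours * 3600)
        print(f"{hours:>2} h outage: {frac:6.1%} of resolvers affected, "
              f"mean {mean_blind / 3600:.1f} h without the TLD")
```

The model is pessimistic: real resolvers retry across all root addresses and may serve stale data, so observed impact would be lower than these fractions.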

They could just mess with BGP announcements. If you can't route to the root servers they may as well not exist.

-Eric

Or just slave the root zone. 1 million root servers is more robust
than the hundred or so we have today and given the root is signed
you can verify the answers returned.

One can have your own, official, F root server instance if you want.
A number of ISPs already have one. I think a number of the other
root server operators do something similar.

One can hijack one of the official addresses and replace the A and AAAA
records with a local address. This one does cause issues for anyone
wanting to look up the hijacked address.

One can use static-stub in named and similar mechanisms in other
nameservers to send root zone traffic to a local instance.

One can use multiple views, match-recursive and forwarder zones in
forward first mode to validate answers from the other view using
tsig to reach the other view. You can also use this to get AD set
on answers from your local zones.

Mark

Mark Andrews wrote:

Or just slave the root zone. 1 million root servers is more robust
than the hundred or so we have today

Good, I was serious to have said "not thousands but millions of"
servers when I proposed anycast root servers.

and given the root is signed
you can verify the answers returned.

With anycast, you can reach only a single server among servers
sharing an address even if you find some server compromised,
though you can try others with different addresses.

But, as most attacks will be DOS, DNSSEC capable servers are
weaker.

            Masataka Ohta

I really don't think Anonymous is dumb enough to forget about anycast.

Given their track record, it does seem advisable to take the threat seriously, whatever taking it seriously might mean...

If
I remember right, another group tried to take down the root servers within
the past 5 or 6 years and only took out around 20 or 25.

Some discussions about that I recall guessed that it was an experimental probe, for learning how to do a better attack. (Remember that 9/11 was a revision of a prior attack on the towers.)

d/

a message of 13 lines which said:

As I hadn't seen it discussed here, I'll have to assume that many
NANOGers haven't seen the latest rant from Anonymous:

There's nothing proving that it comes from the Anonymous (the name is
itself quite fuzzy, anyone can say "I am the Anonymous"). It may be a
student playing, it may be a security vendor trying to raise more
security awareness, etc.

A post on pastebin means nothing.

a message of 23 lines which said:

If I remember right, another group tried to take down the root
servers within the past 5 or 6 years and only took out around 20 or
25.

No need to remember, Wikipedia does it for you
<http://en.wikipedia.org/wiki/Distributed_denial_of_service_attacks_on_root_nameservers>.

the zionist usa regime does a far better job at taking icann out of the loop as a resolvable root than anonymous will ever be able to do :stuck_out_tongue:

(time to change the root.hints to a competing root :wink:

the internet treats censorship as damage and routes around it, remember that one :stuck_out_tongue:

so can special agent retard of ICE put all those domains back nao pls :stuck_out_tongue:

you know the ones that say "seized" (must be american english for "we don't care about the sovereignty of other countries and confiscate assets of their citizens nonetheless :wink:

Not only do we remember it, I believe John's on this list.

Cheers,
-- jra