WP: Attack On Internet Called Largest Ever

http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html

The heart of the Internet sustained its largest and most sophisticated
attack ever, starting late Monday, according to officials at key online
backbone organizations.

when uunet or at&t takes many customers out for many hours, it's not
a problem

when an attack happens that was generally not even perceived by the
users, it's a major disaster

i love the press

randy

But the press learned long ago the more isolated an incident is to the
average consumer, the more horrific they can make it sound without
scaring anyone personally. Appealing to the "glad that wasn't me!"
emotion that also causes slowdowns around every wreck on the road and
live coverage of police pursuits, your chance to see the horror from the
comfort of your air-conditioned land yacht/armchair. :)

Best regards,

Looked like a pretty piddly and unintelligent smurf/ping flood combo to
me. The state of the so-called "experts" saddens me more with each passing
day.

Does that include Paul, who was quoted? (Okay Paul - here's your chance
to rant about how badly they misquoted you! <Grin>)

*********** REPLY SEPARATOR ***********

http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html

The heart of the Internet sustained its largest and most sophisticated
attack ever, starting late Monday, according to officials at key online
backbone organizations.

Looked like a pretty piddly and unintelligent smurf/ping flood combo to
me. The state of the so-called "experts" saddens me more with each passing
day.

--
Richard A Steenbergen <ras@e-gerbil.net>

http://www.e-gerbil.net/ras

PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)

Ok I take it back, after actually reading the article. The quote is:

"This was the largest and most complex DDOS attack ever against the root
server system," said a source at one of the organizations responsible for
operating the root servers.

Which is probably completely accurate, and is certainly believable. Just
because no one ever bothered to attack all the root servers at once before
doesn't make the attack used anything more than piddly. Yay to creative
editing though.

(Okay Paul - here's your chance to rant about how badly they misquoted
you! <Grin>)

I think it's clear that editors were involved.

:when an attack happens that was generally not even perceived by the
:users, it's a major disaster
:
:i love the press

A close read of the article shows that the quotes are actually
moderate and accurate, it's just the reporting style that is
breathless and suggestive.

Honestly, if it was CNN or Fox reporting, we would have seen
an epic Geraldo Rivera special, standing outside Al Gore's office
with an excavation team waiting to sift through the rubble
of the Internet for clues to the whereabouts of Bin Laden, with
hourly updates and opinion from various Survivor contestants.

There are worse things.

I get a number of regular briefings regarding these sort of
things, and sadly, many of them are taken from press reports.
To many executives, it doesn't matter what actually happened,
as much as who said it happened, and how large an expenditure
they said we can justify to our investors to mitigate the
threat.

The only useful recommendations I can think of to give to
regular users would be to increase the TTLs on their zones
to longer than a day if they are worried about root servers
making their domains unresolvable, maybe expect occasional
delays in name resolution when surfing the net, and to remind
them to ensure their machines are locked down.

Any others?

I did notice that Paul was quoted as stating essentially that F was not
impacted. From my own experience and numerous folks who monitor DNS
performance this seems true. However, I did notice that several of the
servers which are operated by VeriSign were not responding to at least a
large, 50% or greater, fraction of test queries. Even so, VeriSign was
good enough to chime in that their root servers were unaffected.

Did I mis-perceive this, or is it another bold-faced lie from VeriSign?

Let me chime in with some of what I've been telling reporters all day.

I had congestion-free access to A and J throughout yesterday, so from my
point of view VeriSign's servers were just fine. (A and J are not in this
building nor even in this state or timezone, so it wasn't a locality issue.)

DDoS attacks often end up hurting intermediate links in the path more than
the destination of the flow. Determining whether a root name server has
"reachability" requires dozens, or hundreds, of diverse monitors.

Yesterday's attack was only visible to people who monitor root servers or
whose backbones feed root servers -- whereas the average person who just
wanted to use DNS to get their work done didn't seem to notice it at all.

Last year I tried to explain to several people the most critical
part of DNS is the part closest to you. The attention on the root
servers is distracting folks from where the problems actually are. For
most users, their local caching infrastructure is more important. Most
used names are likely to still be in the cache, assuming people aren't
using tiny-TTL load balancing.

DNS clients "need" to communicate with root servers infrequently.
CAIDA (http://www.caida.org/projects/dns-analysis/) data measurements
show an average (50th-percentile) DNS client contacts the root name
servers less than 8 times in a week.
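The caching argument above, together with the earlier recommendation to raise zone TTLs beyond a day, can be made concrete with a small simulation. This is an added illustration, not code from the thread or from any of its participants: it models one recursive resolver that caches a single name's answer for TTL seconds and, as a deliberate worst-case simplification, treats every cache miss as needing a root server (a real resolver would also hold the TLD and zone delegations, so it needs the root less often than this). The name, the hourly query workload and the 12-hour outage window are all constructed.

```python
"""Toy model: how a zone's TTL interacts with a root-server outage.

Added illustration, not from the NANOG thread.  Time is in seconds.
Simplification (worst case): any cache miss requires walking from the root.
"""


class Resolver:
    def __init__(self, ttl, outage):
        self.ttl = ttl            # TTL the zone owner put on its records
        self.outage = outage      # [start, end) window when no root server answers
        self.cache = {}           # name -> expiry time of the cached answer

    def root_reachable(self, now):
        start, end = self.outage
        return not (start <= now < end)

    def lookup(self, name, now):
        """Return True if `name` resolves at time `now`, False if it fails."""
        expiry = self.cache.get(name)
        if expiry is not None and now < expiry:
            return True           # cache hit: the root is not consulted at all
        # cache miss: in this model the resolver must start from the root
        if not self.root_reachable(now):
            return False          # root unreachable and nothing cached -> SERVFAIL
        self.cache[name] = now + self.ttl
        return True


def hourly_queries(name, days=7):
    """Constructed workload: one lookup of `name` every hour for `days` days."""
    return [(name, t) for t in range(0, days * 86400, 3600)]


# Constructed outage: starts half an hour into day 3, lasts 12 hours.
OUTAGE = (2 * 86400 + 1800, 2 * 86400 + 1800 + 12 * 3600)


def simulate(ttl, outage=OUTAGE, queries=None):
    """Number of lookups that fail under the given TTL and outage window."""
    queries = queries or hourly_queries("www.example.net")  # constructed name
    resolver = Resolver(ttl, outage)
    return sum(1 for name, t in queries if not resolver.lookup(name, t))


if __name__ == "__main__":
    for ttl in (300, 3600, 43200, 86400, 172800):
        print(f"TTL {ttl:>6}s -> {simulate(ttl):>2} failed lookups during the outage")
```

With the hourly workload, a 300-second TTL (the "tiny-TTL load balancing" case) fails every lookup during the 12-hour window, a 12-hour TTL still fails the one lookup whose cached answer expires inside the window, and a one-day TTL rides through the outage untouched.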

Agreed...I worked these attacks on UUNET's backbone and quite honestly
none of them was over 100mbit worth of traffic. We see this everyday,
this was nothing out of the ordinary except the destination...

Shrug...fear is an easy weapon to wield, eh?

Aha!

But remember that we are constantly being told that there is no longer a
shortage of qualified network engineers and security professionals...

I guess the definition of "qualified" has changed... I wonder where all of
the people who used to yell "We need more CISSPs!!!!" have gone? Yet
another in a long series of worthless certifications...

When the volume (instead of the level of sophistication) of an attack
becomes the only meaningful measure of its severity, perhaps we are being
shown that just maybe there still IS a shortage of qualified network
engineers and security professionals...

It's a terrible thing when the most "competent" assessment of an attack
comes from a "company spokesperson", rather than someone just a little more
technical...

Oh, well...

Jamie

paul, show us a traceroute from f to a and j.

;)

If a server that can handle 500K packets/sec is sitting behind a pipe that
maxes out at 400K packets/sec, it won't be affected when the pipe is flooded.

Most likely, half your packets were being dropped 2 or 3 hops from the
server (where the DDoS starts converging from multiple sources). So we
probably can't pin a "bold-faced lie" on VeriSign this time. Dissembling
and misleading perhaps, but not a total lie (unless somebody can prove that
the pipe still had capacity and wasn't dropping stuff)

i think we would benefit from a traceroute - paul - f to a and j? paul
may very well be correct - but what if they're internetworked with each
other.

paul?

In my reality the shop floor is not allowed to comment on something
that is seen as vital to a corporation's interests at all. This
is in order not to destroy carefully crafted statements by the spokespeople
vetted by the lawyerpeople. Such statements tend to be designed to
hide the bad news and amplify whatever snippets of good news can be found.

The *perceived* "affluence" of *competent* technical people has an effect on this:
It makes the shop floor *much less* likely to talk even to peers for fear of
their jobs.

Daniel

* randy@psg.com (Randy Bush) [Wed 23 Oct 2002, 00:54 CEST]:

when uunet or at&t takes many customers out for many hours, it's not
a problem

when an attack happens that was generally not even perceived by the
users, it's a major disaster

The BBC website has an article with rather more nuance than some other
online news outlets appear to have.

"As best we can tell, no user noticed and the attack was dealt with
and life goes on," said Louis Touton, vice president for the Internet
Corporation for Assigned Names and Numbers, which oversees the running
of the root servers and the net's addressing system.

The article calls it a "failed attack" and features a picture of a few
big sea waves. It also features a link to an article named "Fighting
zombie machines" - this also says something good about the clue level
at BBC News, I think.

Regards,

  -- Niels.

http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html

The heart of the Internet sustained its largest and most sophisticated
attack ever, starting late Monday, according to officials at key online
backbone organizations.

Can someone point out to me where the heart of Internet is? Last time I
looked, the Internet looked more like a bunch of spiders having an orgy.

Alex

Can someone from AOL contact me off list?

TIA

-- amar