Security Now Podcast 47

Steve Gibson is several years out of date in his Security Now podcast, episode 47. He says:

[The October 2002 DDoS against the DNS] was directed at all 13 of the main DNS servers, the so-called “root servers,” which maintain the master directories of domain names. Nine of the 13 DNS servers were brought down. Only four of the servers managed to stay on the ‘Net. [...] There really is no defense. The only thing that can be done is that – and this is what some of the commercial anti-denial-of-service service providers have done, is they could have servers connected to very large pipes

Mr Gibson’s analysis is wrong. There is no need for very large pipes to the DNS servers, because since 2002 a program of anycasting has been rolled out for the DNS servers. A number of the servers are essentially cloned around the net, and special BGP routes are announced to routers at multiple points across the Internet, so that traffic from a client is routed to the nearest (in networking terms) DNS root server. This works because packets are routed along the lowest-cost route. It also provides failover: if one server dies, the next least costly route is used (which may be another anycast clone).

October 2002 was not the only DDoS attack against the DNS, but of late no attacks have succeeded, because instead of just 13 root servers, we now have many times that number, and we have very successful over-provisioning of the root servers.

Last year I wrote this post: http://safle.org/wordpress/?p=4. In particular I looked up the current locations of the root name servers and used the Google Maps API to create this map of where the root name servers are located. The smaller pins show anycast IP duplicate servers. (Note that these are not accurate all the way down to the street level.)

The effect of this is that any DDoS against the DNS will be diluted amongst all name servers, and is unlikely to succeed. With every additional anycast clone server, the chances of a successful attack on the DNS are further reduced (and DNS resolution for the new geographic area covered is improved).
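The routing, failover and dilution behaviour described above can be seen in a small model. This is an added example, not code from the original post: the topology, router names and instance names are constructed, and shortest-path link cost stands in for real BGP route selection, which also depends on AS-path length and operator policy.

```python
import heapq
from collections import Counter

# Constructed topology: router -> {neighbour: link cost}. All names are hypothetical.
LINKS = {
    "r1": {"r2": 1, "r3": 4},
    "r2": {"r1": 1, "r3": 1, "r4": 5},
    "r3": {"r1": 4, "r2": 1, "r4": 1},
    "r4": {"r2": 5, "r3": 1},
}
# Anycast clones of one root server: instance name -> router announcing the shared prefix.
INSTANCES = {"london": "r1", "tokyo": "r4"}

def costs_from(src):
    """Dijkstra: cheapest path cost from src to every reachable router."""
    dist, heap = {src: 0}, [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        for nxt, w in LINKS[node].items():
            if d + w < dist.get(nxt, float("inf")):
                dist[nxt] = d + w
                heapq.heappush(heap, (d + w, nxt))
    return dist

def select_instance(client_router, instances):
    """Return the instance with the lowest-cost route, or None if nothing is announced."""
    dist = costs_from(client_router)
    reachable = [(dist[r], name) for name, r in instances.items() if r in dist]
    return min(reachable)[1] if reachable else None

def load_per_instance(sources, instances):
    """Count how many traffic sources fall into each instance's catchment."""
    return Counter(select_instance(s, instances) for s in sources)

if __name__ == "__main__":
    sources = ["r1", "r2", "r3", "r4"]  # one source behind each router
    print("both up:    ", dict(load_per_instance(sources, INSTANCES)))
    # Failover: london withdraws its route, so its catchment shifts to tokyo.
    print("london down:", dict(load_per_instance(sources, {"tokyo": "r4"})))
```

With both instances announcing, the four sources split evenly between them; adding instances shrinks each catchment further, which is the dilution effect, while withdrawing one moves its catchment to the next cheapest route.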

Mr Gibson’s explanation of what the root servers do is also sloppy. These servers do not hold master copies of the domain names. They merely hold data for the TLDs (top-level domains) such as uk., us., to., tv., es., ru., … as well as the gTLDs such as com., org.

They used to hold the next level of edu., I believe, although a quick dig for the edu. name servers reveals this is no longer the case.

Whilst we are talking about this podcast, Steve Gibson gets onto his pet subject - raw sockets in Windows XP. His argument was that raw sockets were a bad idea because they allow someone with admin privileges (the default user in XP Home Edition) to run programs that can become worms and the like.

To an extent he was right - but the problem is not raw sockets. The problem is the brain-dead decision of Microsoft to continue allowing technically illiterate users to run with full admin privileges on their network-connected boxes by default. In Mr Gibson’s dialogue with Microsoft he claims that raw sockets were his one problem with Windows XP. But these were not the problem.

Yes, it's hard to have backward compatibility without admin privileges - especially if you are using NT as your operating system. But look at what Apple did with OS X, and you can see how it is quite possible (for a little pain) to make an astoundingly good OS, with backward compatibility and security designed in (thanks to the use of UNIX).

So enough self-congratulation in spotting a problem with raw sockets. The question Mr Gibson should be asking is when will Microsoft release an O.S. with security designed in? When will users no longer be logged in with admin privileges?
