GeorgeK
TheBest.com

Registered: Feb 2003
Location: Toronto, Canada
Posts: 2978
Disinformation about DNS attacks
ICANN has posted a *cough* "factsheet" *cough* on the recent DNS attacks, see:
http://blog.icann.org/?p=37
http://www.icann.org/announcements/...ack-08mar07.pdf
The timing of the report is perfect, as I just posted:
http://gnso.icann.org/mailing-lists...a/msg06114.html
Every time I see these reports of "attacks", my wallet starts to tingle, as the scaremongering seems to always result in later demands for "more money".
I'll take issue with 1 specific example of disinformation. On page 2, it says "In theory, if even one of the 13 root servers is up and running, then the Internet will continue to run unhindered as the directory will still be visible to the network."
This is very misleading. Indeed, due to caching, the internet can function with only minor hiccups if ZERO root servers are up and running. The root zone file is very tiny. You can see a copy of it at:
http://www.internic.net/zones/root.zone
How long did that file take to load? Not long, since it is only 68 KBytes in size! And, if you ignore all the minor banana republic countries and TLDs, there really is much less "important" information in that 68 KByte file (i.e. due to Zipf's law, see:
http://nms.lcs.mit.edu/papers/dns-ton2002.pdf
http://www.cs.cornell.edu/people/eg...ns-prenanog.pdf
http://en.wikipedia.org/wiki/Zipf's_law
i.e. for most people, .com, .net, .org, .gov, and a few major ccTLDs matter most).
What's really important is what happens when the "cache" is stale (i.e. the time-to-live (TTL) of the data has expired). Using a telephone book analogy, the "TTL" is related to "how often you should check to make sure that a phone number has changed." DNS itself can be considered like a hierarchical directory of phonebooks, i.e. the root is the directory of addresses of where to find the white pages for each country (or city), all the way down to the local city phonebook which is typically published once per year.
Of course, with DNS, the "TTL" is typically a lot less than the 1 year of physical phonebooks. However, this notion that the internet "breaks" if zero root servers are available is like saying that the telephone system will break if you don't get a copy of this year's phonebook.
An expired cache is similar to using the 2006 phonebook, instead of the current 2007. If you look up my phone number in 2006's phonebook, or even 2005's white pages, you'll be fine, as the number is the same as it is for me in 2007. For a few people, though, the number will be incorrect. In a DNS context, thus, having expired cache data need not be greatly costly. For example, the IP address for ICANN's website has been the same for the past 2 years:
http://whois.domaintools.com/icann.org
IP History: 1 change. Using 1 unique IP address in 2 years.
I suspect you'll find ICANN's website at 192.0.34.163 tomorrow, and the day after that too...these things don't change very often.
For its nameservers: NS History: 6 changes. Using 3 unique name servers in 6 years.
Our pals at VeriSign:
http://whois.domaintools.com/verisign.com
IP History: 1 change. Using 1 unique IP address in 2 years.
NS History: 2 changes. Using 2 unique name servers in 5 years.
So, what *really* matters is how often the data in the root zone file changes. That will determine how much damage occurs if a stale cache is used (i.e. like the damage that would occur if you used 2006's phonebook instead of 2007's). I suspect most TLD operators are not constantly renumbering their networks, so the root zone file should be changing very slowly over time, and ICANN should provide data to prove otherwise. Indeed, if the root zone was static and non-changing, we'd have no need for root zone servers at all. Since memory and hard disks are cheap these days, caching is *very* cheap (68 KB is trivial); indeed one can have a basically infinite cache (or multi-gigabytes at the very least).
The 2nd prong is distribution of the root zone file. Back in the early days of the internet, there was no BitTorrent. There was no RSS. There is no reason that the 68 KB file at the heart of the internet could not be distributed to the biggest ISPs using alternative measures. E.g., do you really think that AOL couldn't get a copy of the 68 KB root zone file (to serve its 20 million users) through some "push" mechanism like RSS or even email, or "pull" methods like FTP or BitTorrent? Heck, you can even have a dialup modem distribute the 68 KB file to AOL just like the FidoNet BBS days of the 1980s. The same goes for other big ISPs. The reliability of those torrent networks in serving up movies and music shows that they're highly scalable and resilient to attacks (if they were easily attacked, I assume the MPAA and RIAA would have taken them down by now). How difficult would it be to serve up 68 KB files (signed appropriately, to ensure authenticity) to thousands, if not millions, of users? Too trivial to ponder, if there's a will to do so. What percentage of the internet's worldwide users would be represented by the top 1000 ISPs? I suspect more than half, and if not, it wouldn't be hard to scale this to the top 10,000 or 100,000. How many millions of people receive multi-megabyte Windows or Mac operating system security updates daily, without incident?
Instead of fear-mongering and trying to justify its exploding $30+ million annual budget:
http://gnso.icann.org/mailing-lists...a/msg06091.html
with pretty graphs, ICANN should talk about real solutions. Real solutions don't put caviar on the table for lazy bureaucrats, but they definitely benefit the public through lower costs and greater reliability.
__________________
George Kirikos - (416) 588-0269
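The post's argument is that a resolver keeps answering from cached root data long after every root server has gone quiet, and that the only real cost is the handful of delegations that changed while the cache was stale. The following simulation is an added example, not code from the post or from ICANN: it builds a toy "root zone" with constructed TEST-NET (192.0.2.0/24) addresses, a resolver cache that records when each entry was learned, and a lookup path that answers fresh, refreshes from the root when reachable, or falls back to an expired entry when it is not (the serve-stale behaviour later standardised in RFC 8767). The 172800-second TTL is the value the real root zone uses for TLD NS records; the seven-day stale limit and the renumbering of `example.` mid-outage are assumptions chosen to show both the benefit and the one caveat.

```python
"""Simulate what a caching resolver can still answer with zero root servers
reachable. Added example with constructed data; not the post's own code."""
from dataclasses import dataclass

ROOT_NS_TTL = 172800  # seconds: TTL the real root zone puts on TLD NS records


@dataclass
class Entry:
    rdata: str       # constructed: glue address of a TLD's name server
    ttl: int         # seconds the answer is considered fresh
    learned_at: int  # simulated clock value when the answer was fetched


class StaleTolerantCache:
    """Cache that prefers fresh data, refreshes when it can, and serves
    expired data for up to max_stale seconds when the root is unreachable."""

    def __init__(self, max_stale: int = 7 * 86400):  # assumed stale limit
        self.entries = {}  # name -> Entry
        self.max_stale = max_stale

    def store(self, name: str, rdata: str, ttl: int, now: int) -> None:
        self.entries[name] = Entry(rdata, ttl, now)

    def lookup(self, name: str, now: int, root_zone):
        """root_zone is the live root data (dict) or None when no root
        server is reachable. Returns (rdata, status)."""
        e = self.entries.get(name)
        if e is not None and now - e.learned_at <= e.ttl:
            return e.rdata, "fresh"
        if root_zone is not None:                       # root reachable
            if name not in root_zone:
                return None, "nxdomain"
            self.store(name, root_zone[name], ROOT_NS_TTL, now)
            return root_zone[name], "refreshed"
        if e is not None and now - e.learned_at <= e.ttl + self.max_stale:
            return e.rdata, "stale"                     # expired but usable
        return None, "servfail"                         # nothing left to say


def simulate_root_outage():
    """Walk a constructed timeline and return (results, wrong_stale_answers).

    results maps 'name@day' -> (rdata, status); wrong_stale_answers counts
    stale answers that no longer match what the root would have said."""
    root_at_t0 = {"com.": "192.0.2.10", "org.": "192.0.2.20",
                  "example.": "192.0.2.30"}              # constructed glue
    cache = StaleTolerantCache()

    # Day 0: root reachable; resolver learns all three delegations.
    for name in root_at_t0:
        cache.lookup(name, 0, root_at_t0)

    # During the outage the 'example.' operator renumbers its name server.
    root_after_change = dict(root_at_t0, **{"example.": "192.0.2.31"})

    results = {}
    # Day 1: TTL not yet expired, so root reachability is irrelevant.
    results["com@1d"] = cache.lookup("com.", 86400, None)

    # Day 3: TTL expired and no root reachable; every answer is served stale.
    wrong = 0
    for name in root_at_t0:
        rdata, status = cache.lookup(name, 3 * 86400, None)
        results[f"{name}@3d"] = (rdata, status)
        if rdata != root_after_change[name]:
            wrong += 1  # the 2006-phonebook case: number changed meanwhile

    # Day 30: past the stale limit, the resolver finally gives up.
    results["com@30d"] = cache.lookup("com.", 30 * 86400, None)
    return results, wrong


if __name__ == "__main__":
    res, bad = simulate_root_outage()
    for key, val in res.items():
        print(f"{key:14} -> {val}")
    print(f"stale answers that were wrong: {bad}")
```

Two of the three stale answers on day 3 are still correct; only the delegation that was renumbered during the outage is wrong, which is exactly the "how often does the root zone change" question the post says matters. A resolver with no stale-serving logic would instead return SERVFAIL for all three the moment the TTL ran out.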