DOS Attacks On DNS Provider
Greedo writes "Seems like UltraDNS was hit with a denial of service attack this weekend. Since these are the guys who are supposed to be running the .ORG DNS, and in light of recent attacks on the gTLD roots, attacks against DNS servers should be treated very seriously. What kind of protection can be had? What happens when an attack like this brings down an entire TLD? Do you want to give control of an entire gTLD to one organization? Read a follow-up discussion on comp.protocols.dns.std."
Why attack the DNS-servers? (Score:5, Funny)
"Yes, I brought the entire DNS-system crashing down! I'm l337! Now, all I have to do is to go online and brag about my exploits... Hmmm... There seems to be something wrong with my net-connection..."
Re:Why attack the DNS-servers? (Score:3, Funny)
Re:Why attack the DNS-servers? (Score:2, Informative)
Re:Why attack the DNS-servers? (Score:3, Informative)
Watch and learn:
$ telnet 1.2.3.4 80
Connected to 1.2.3.4...
GET / HTTP/1.1
Host: www.somesite.org
[enter]
[enter]
[stream of html follows]
Easy no?
Re:Why attack the DNS-servers? (Score:2)
For some reason that doesn't seem much like 'surfing' to me...
Now, a method that a) would work and b) would prove to me that you are actually more than just a lamer, is to add the hostname to your /etc/hosts file or %SystemRoot%\system32\drivers\etc\hosts file
Re:Why attack the DNS-servers? (Score:4, Interesting)
But as the world becomes more dependent on the internet, expect more attacks to resemble this one. Take down the infrastructure, and watch the rest tumble without it.
Plus you don't have to commit suicide to terrorize the public. - Of course that means no virgins for you by dying in a holy war...
Re:Why attack the DNS-servers? (Score:3, Interesting)
So the question to ask is, "who would benefit from the demise of UltraDNS?"
Re:Why attack the DNS-servers? (Score:3, Informative)
The rationale behind this is simple: the dns boxes get dumb quite quickly when they lose their upstream connection. Once this happens, the dns for everything starts to fail, and even the internal hosts start having problems communicating. By using
Re:Why attack the DNS-servers? (Score:4, Interesting)
I'd say it's your DNS administrators that are dumb. I've been maintaining DNS systems for years, and I've never had a DNS server so much as hesitate to serve authoritative addresses, no matter what was happening to the upstream connection.
Re:Why attack the DNS-servers? (Score:5, Insightful)
The DNS system was designed for redundancy; if it can withstand a direct nuclear attack on 60% of its facilities (viz. 6-7 of the root servers), it can withstand a DoS attack. Considering the upstream providers of each of the root servers are responsive enough to throttle the traffic to a more reasonable level, and the caching, hierarchical nature of the DNS system (except for mickey-mouse systems who query the root nameservers only with no fallback support), it would take days to notice an outage. In that time, the root servers could set up spare boxes and have the system back up and running with relatively minimal disruption.
To truly affect the operation of "the internet" as a whole, a DDoS attack would have to be sustained for days on end.
Nukes and Freenet (Score:5, Insightful)
Just one thought -- does Freenet use DNS at all? I *think* it doesn't. Because if not, it provides an existing, easy-to-migrate-to solution in case of such a catastrophic event. Just kick over to Freenet, no DNS required.
The DNS system...can withstand a direct nuclear attack on 60% of its facilities
As opposed to, say, those pesky indirect nuclear attacks?
Re:Nukes and Freenet (Score:2)
So, bottom line is: Freenet relies on DNS some of the time right now, but will not by the 0.5.1 release which is due shortly. In the case of DNS failure, however, the current infrastructure would still work -- heck, Freenet 0.3 would still work. (Sorta...)
How to ensure free speech forever (Score:2)
Consider all the "security" grants that are being thrown left and right at companies. They're lapping up all those tax dollars in the form of government contracts. If Freenet can grab just one, that would fund development for a long, long time. Lots of improvements, and I'd have a hard time imagining a more worthy cause than a more robust, secure, attack-resistant, private system that makes for more efficient transfers over the network.
The overwhelming majority of my university's CS research funding comes from the Department of Defense. Freenet couldn't snag just a few of that flood of dollars going to organizations around the country?
Re:How to ensure free speech forever (Score:2)
Unfortunately, Freenet is currently being used by a large number of child pornographers and could also easily be used (if it's not already) by people opposed to the DoD, so they would much rather not attract attention from the government...
How? (Score:2)
Where am I gonna download a client without DNS?
Re:Why attack the DNS-servers? (Score:4, Insightful)
Nobody has yet claimed responsibility. Makes it sound kind of noble, doesn't it? What nobody has yet done is admitted guilt. I have always taken extreme exception to the media's convention that terrorists and criminals claim responsibility for murder. It's not a prize. Confessed to slaughter or declared lack of conscience or asserted no concern for fellow human beings might be more appropriate. Criminals shouldn't be allowed--or worse, invited--to claim responsibility, only admit guilt.
Re:Why attack the DNS-servers? (Score:2)
it's not just a semantic or legal issue, the simple truth is that 45 people can't all be guilty of a shooting, but 45 people can all claim responsibility, so that's all any reporter could honestly say.
Source and motivation (Score:5, Interesting)
Whereas these attacks, as well as some of the worms that have surfaced recently, strike me more as testing of new techniques and probing of defenses by an organized group that is working on techniques to cause widespread disruption.
sPh
Re:Source and motivation (Score:2, Insightful)
I am very glad that this kind of attack is being discussed in the open, rather than being hidden from public view. Much better that it be discussed now rather than after somebody attempts to render the internet useless.
Re:Source and motivation (Score:5, Insightful)
OMG! The Weekly World News was right! (Score:3, Funny)
The subheads are:
* Computer virus will destroy US economy!
* The US Military will be paralyzed!
* Electricity, food and water supplies vanish!
Clearly, we're ignoring these attacks at our own peril, when as technical a publication as the Weekly World News has picked up the story.
(Back to reality, I literally burst out laughing and almost dropped my Mountain Dew when I saw that headline. Blow up "The Internet". Sounds like my daughter's friends... they come over and ask if her computer "has the Internet on it". No, it doesn't, but it has *access* to the Internet. "Oh, you mean AOL?" Grrr...)
Re:OMG! The Weekly World News was right! (Score:2)
But I especially like this part: Lake Michigan is of course so thick with Coast Guard (and Chicago Fire Dept, and Milwaukee Fire Dept etc.) helicopters and ships rescuing newbie and ocean sailors who think that [lake] == [easy sailing] that a submarine would probably be run into the bottom in a matter of minutes!
sPh
Re:OMG! The Weekly World News was right! (Score:2)
The skript k1dDi3 conspiracy (Score:2)
Re:Source and motivation (Score:3, Insightful)
Frightening as it is, I would agree with you. It seems that bragging rights would be much better for taking down amazon, yahoo, msn, or some other big name company. Attacks on infrastructure components which are not widely known to the public at large do strike me as a probe to see where the vulnerabilities of the network lie.
After this period of explosive internet growth, we need to start addressing the vulnerabilities of the network. Whether the network can still withstand a massive physical attack or not, we know it is vulnerable to network attacks. I had a friend who used to work for MIT Lincoln Labs, he told me there were at least a dozen ways to take down the internet.
Re:Source and motivation (Score:3, Funny)
I had a friend who used to work for MIT Lincoln Labs, he told me there were at least a dozen ways to take down the internet.
I had a friend who worked for Dunkin Donuts that told me the same thing.
The case for kids. (Score:2)
The answer: WHY
Kids.. it's fun, it's destructive, it's a sense of power.. the reasons go on. I shouldn't have to explain them.. go back, I'm sure many of you can understand.
Adults.. and I'm not talking about big kids who never grew up here... need a financial reason to do this. Could organized, intelligent hackers with financial backing do some serious damage to the internet? You better believe it. What would they have to gain? Not much. Prison. Hatred. Being labeled as terrorists, maybe killed.
What are you going to do? Hold the Internet for ransom? I doubt it.
That's why this stuff is chiefly done by kids, not grownups.
Re:Why attack the DNS-servers? (Score:2, Insightful)
Well of course it's unproductive -- that's the hallmark of crackers, script kiddies and virus developers. These dregs of our society do these things just for the perverse pleasure of seeing how much havoc they can cause...
These people are degenerates, delighting in the misery of others. Such are not worthy of life.
Re:Why attack the DNS-servers? (Score:5, Insightful)
isn't that a bit counterproductive?
Absolutely.
OTOH, if you were in the business of providing a spoofed name service, then this would be the first step in doing so.
At any rate, it sure seems like access to a critical top level DNS should be filtered to a big white list of mirror machines, which could then handle general purpose inquiries.
That, or increase the number of TLDs, but that's already an insolubly bad political problem.
Re:Why attack the DNS-servers? (Score:3, Informative)
This is different - needs broader support. (Score:2)
4of12's suggestion would let the rootservers run a server that's only accessible from known (and presumably important) addresses, such as the DNS servers for the big ISPs. That would take care of the most important uses of DNS, since most people get their DNS queries answered by their ISP's servers, either from cache or from recursive queries. Letting the big ISPs do zone transfers from a protected net would preserve that. (Without zone transfers, an obvious attack is for the zombies to look for bogus000001.com, bogus000002.com, etc.)
Beyond that, DNS queries and zone transfers aren't the only way to send the information around. DNS A-record data compresses well (Unfortunately, DNSSEC data doesn't, and it's much bulkier.) And everybody wants the same data, so multicasting can be an efficient way to transmit it (using your favorite reliable-multicast application.) A back-of-the-envelope guess is that the dot-com namespace would compress to somewhere between 100-300MB, which would take 10-30kbps to transmit it in a day - and most of it has a TTL that's much longer, so you could handle it efficiently with incremental updates. Another alternative to multicast would be a peer-to-peer app that's designed for handling big files, like BitTorrent [bitconjurer.org]. (BitTorrent's designed more for static content rather than dynamic, so you'd need some file naming scheme for fetching today's version.)
Re:Why attack the DNS-servers? (Score:2)
Does not actually help at all. Basically there is no value to the dot unless the TLDs under it are also up. If someone can take out the root they can take out dotCOM, dotNET and probably anything else they choose.
The major TLDs are replicated many times with very sophisticated and comprehensive setups that are considerably more robust than the various ad hoc proposals being made to replace them. Bernstein's suggestion of using USENET being a particularly clueless example. In the first place USENET is not even reachable as a general purpose infrastructure, secondly the architecture is exceptionally vulnerable to DoS. One compromised node could bring down the whole USENET. The only reason that people don't attack it is that it simply isn't important enough, use it to distribute the root zone and you make it a target.
What we should really do is can ICANN and simply open up the root zone for registrations at a reasonable rate (i.e. $500, not $50,000). The dotCOM infrastructure can easily be scaled to handle the load. The registration fee would allow for up front verification of trademark claims. There could be a rational complaints procedure based on prior review, registrations in the TLD would be subject to a 12 month public comment & objection period before being activated. Failure to complain during that comment period would result in a strong presumption in favor of the registrant. Registration of a TLD would automatically block further registrations in the other TLD zones at the option of the cc operators.
It's not a problem (Score:5, Insightful)
And in all honesty, I would say that if the "official" root servers can't protect themselves, they really have no business being root servers (TLD or otherwise) in the first place.
Re:It's not a problem (Score:2)
Raising the question, how many of us actually noticed this before reading about it?
It's a good warning (Score:2)
7 of the 13 servers went down for a bit. And because of caching and redundancy this wasn't really a noticeable thing.
It might be, however, if a million Windows boxes commenced such an attack over days.
When it comes right down to it, I think the root operators are doing a pretty good job all things considered. (they're already approaching ways in which to protect themselves)
However, if this had been an attack on verisign's
There was a lot of force behind the blow, but the punch wasn't aimed well.
What's bothersome is that if this was used by someone who knew what they were doing. (That's assuming it was an attack and not a warning, or a test of some sort)
Re:It's not a problem (Score:2)
How exactly do you protect against an attack whose "payload" is sheer data volume? Make sure your pipe is bigger than the aggregate bandwidth available to every previously compromised host on the internet? How feasible is that? Aside from that, the attack wasn't even against a root server, it was against a DNS provider.
maru
ISOC? (Score:1)
Thank you very much!
Re:ISOC? (Score:4, Informative)
http://www.ultradns.com/news/021028.html
Good thing MS is killing DOS in december (Score:5, Funny)
too violent these days.
Not that dangerous... (Score:3, Informative)
But, still, we should catch these DOSers and throw them into a federal pound-me-in-the-ass prison.
Damned arab terrorist scum! Down with Saudi Arabia!!!
Re:Not that dangerous... (Score:3, Informative)
The most recent attack wasn't on the root nameservers, it was on UltraDNS, which is a large-scale commercial DNS hosting provider. A lot of big sites rely on their DNS service
And here I thought... (Score:1, Funny)
.ORG TLD... (Score:5, Funny)
In IE, I entered ORG and hit enter, just to see what would happen. Although highly unlikely, they could arrange some page there. Instead, MS search brought up a list of possible alternatives. Number one on the list?
Mozilla.org
Thanks, Bill
Re:.ORG TLD... (Score:5, Funny)
I just tried the same thing. Number two on the list?
Number three? Somebody at MSN likes us.
Re:.ORG TLD... (Score:2)
MSN's search results are the standard Inktomi fare. Same stuff you see on Lycos, Hotbot, Yahoo, etc.
maru
What the?! (Score:1)
Oh the irony (Score:4, Funny)
At least one company is riding the FUD wave (Score:2)
Very surprising (Score:5, Informative)
Basically, they urge large important Web sites to outsource their DNS needs to another company (them). Before this DOS attack on their servers, they provided near perfect stability, security, and performance. If I recall correctly, Hotmail [ultradns.com], Forbes [ultradns.com], and Oracle [ultradns.com] have already used the services of UltraDNS.
It's a shame that such a wonderful resource (the Internet) is so often abused by a few rowdy hackers and trolls [slashdot.org].
Here is a whitepaper [ultradns.com] that describes their services in depth and explains the reasons for outsourcing one's DNS needs.
Re:Very surprising (Score:3, Insightful)
Is it a question of just providing global geographic and network diversity for a site's nameservice, or is there something here that I'm missing?
If I was example.com and I had an office in two locations with a T1 in each, NY and LA and I had three NS records, ns-la.example.com, ns-ny.example.com and ns.myisp.com what are they going to offer me that I don't already have?
Proprietary firewall technology? OC-192s to 10 providers? Some home-brewed nameserver software more immune to hack attacks? Some kind of latency measure that replies with better A records?
They're all nice, but they're all expensive, although maybe I'm missing out on something I should have.
Re:Very surprising (Score:2)
Re:Very surprising (Score:5, Informative)
The service provides a couple of advantages:
Better latency. They use an anycast routing network which guarantees that a query to their DNS servers will be received and answered by the closest server based on the network topology. Even though there are only 2 published IPs for nameservers, there are some 16 servers scattered around the globe to answer on those IPs.
Near real time database updates. They use an Oracle advanced replication network to get updates out to the other servers in near real time.
Proprietary software. The only significant advantage here is that it's not BIND.
All in all, it's about as good as DNS will get. Do you need it for your personal domain? Hardly. Do you need it for a popular domain like slashdot.org? Probably not.
It works best for really large and really popular zones, like TLDs.
However, it's still going to be better (albeit not as significantly) for your personal domain too.
Anyway, bandwidth isn't really the issue with DNS. It's latency and availability.
The problem with your example is that chances are, your DNS server in LA will be getting queries for Europe, which isn't all that ideal. Once again, is it that important? Not really.
But it will work obviously.
Re:Very surprising (Score:2)
All the protection *I* need... (Score:4, Funny)
66.35.250.150 slashdot.org
Re:All the protection *I* need... (Score:2, Informative)
Re:All the protection *I* need... (Score:2)
I'd get rid of the smiley if I were you.
not just UltraDNS - others too (Score:4, Informative)
Seems this was a distributed DDoS (DDDOS - sounds like a stammer :-), many people got this..
http://www.merit.edu/mail.archives/nanog/msg053
Re:not just UltraDNS - others too (Score:2)
being the first D in that means "Distributed."
so it's a Distributed Denial of Service attack.
Re:not just UltraDNS - others too (Score:2)
Multiple Distributed Denial of Service
ie attacking more than one site with the same 'attack'
Re:not just UltraDNS - others too (Score:2)
DDoS: Distributed Denial of Service
DDDoS: Distributed Distributed Denial of Service? Brought to you by the Department of Redundancy Dept.? Or just a very, -very- distributed attack?
Don't mind me, I'm just easily amused.
Re:not just UltraDNS - others too (Score:2)
I thought DDoS was distributed denial of service? What the fuck is DDD?
Should be? (Score:2)
Should be? They are. The FBI and the Department of Homeland Security are already investigating this.
Progress? (Score:2, Interesting)
DNS Servers (Score:4, Informative)
Generally each "server" has multiple separate internet connections. The server itself is usually a set of two or more machines acting as one. The servers are distributed around the internet. They are not concentrated in one place either geographically, or network topographically.
Re:Progress? (Score:3, Insightful)
Re:Progress? (Score:2, Interesting)
If DNS goes away, how is that mail going to get routed? How will people browse all the other sites people only know by name? Sure, you can have an updated
Sure, you have the redundancy of secondary DNS servers.. but what if someone takes most of the root servers down, and compromises the others to start giving out the wrong IP's? Ok, this is a little contrived, but I see what registered_user is getting at. We ARE awfully dependent on DNS.
I'm jus sayin!
Re:Progress? (Score:2, Interesting)
So using the IP of a smaller site is likely to get a "Default" install page for the web server software, or to the hosting company's own web site. (Using a http://###.###.###.### request to an IP is one of the tricks that can be used to track down who is hosting some site you don't like, spammers or whatever.)
The only way to visit one of those without the DNS system would be to use a hosts file on the local machine so the HTTP header comes into the web server correctly. DNS servers are left out of the loop entirely in that case.
For small web sites, "no DNS" means "not on the net". (Big web sites probably have only one IP, so the IP address would work just fine in a browser, but how much database driven stuff looks at the URL to make sense about what to do...)
DNS and IP are complementary systems for allowing data transfer. DNS has a very different function; routing meaningful traffic (not just packets, but web sites and other services) to people, that sits over the IP stuff, which just cares about getting packets from one place to another.
Is it realistic? (Score:3, Interesting)
Bringing down the TLD? (Score:3, Insightful)
Not decentralized (Score:2, Informative)
Re:Not decentralized (Score:2)
Re:Bringing down the TLD? (Score:3, Insightful)
DNS isn't really that decentralized. OK, you don't need access to the root zone itself that often. It's the big TLDs like
For DHCP say, you refresh before the timeout, so there is a minimum downtime of your DHCP server before the client's lease times out altogether. AFAIK, for DNS when the TTL expires that's it; so some sites will start dropping out of the cache as soon as authoritative DNS becomes unavailable.
another DoS attack (Score:2, Funny)
artaxerxes
There's something at internettrafficreport.com (Score:5, Informative)
Seems suspicious, although that site hasn't put up any news about it like they did with the major DNS attack a couple of weeks ago.
Dan Bernstein (Score:4, Insightful)
Dan, you want people to take you more seriously, try being human once in a while. You don't need to prove just how damn intelligent you are by beating other people over the head with their own "ignorance". You might want to work on your own ignorance in the social skills department first.
That said, transmitting the entire root zone over Usenet and other means sounds like a good suggestion. I hope you can start sounding like less of a lunatic so people will listen to the idea.
Re:Dan Bernstein (Score:4, Interesting)
Personally I liked the suggestion in the Usenet thread to return expired DNS cache data when the authoritative servers are unreachable, at least as an option. 99% of the time when you can't do a host lookup, the old cached data would still be right. All the DNS purists hated the idea of using expired data, like it's unclean or something. But if it's all you've got, isn't it better to use old information than to give up on letting the net work at all?
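Added example (not part of the comment above, and not code from any resolver): a sketch of the stale-answer fallback it describes, where expired cache data is served only when the upstream servers are unreachable. The `StaleCache` class, its parameters, the exception names and the sample record are all hypothetical; the idea was later standardized as RFC 8767.

```python
"""Serve-stale DNS cache sketch (added example; all names are hypothetical)."""
import time


class UpstreamUnreachable(Exception):
    """No authoritative server answered (timeout, DoS, network loss)."""


class NameNotFound(Exception):
    """An authoritative server answered: the name does not exist."""


class StaleCache:
    def __init__(self, resolve, max_stale=86400, stale_ttl=30, clock=time.monotonic):
        self._resolve = resolve        # callable: name -> (address, ttl_seconds)
        self._max_stale = max_stale    # seconds past expiry a record may still be served
        self._stale_ttl = stale_ttl    # short TTL handed out with stale answers
        self._clock = clock
        self._cache = {}               # name -> (address, expires_at)

    def lookup(self, name):
        """Return (address, ttl, status); status is 'hit', 'miss' or 'stale'."""
        now = self._clock()
        entry = self._cache.get(name)
        if entry and now < entry[1]:
            return entry[0], int(entry[1] - now), "hit"
        try:
            address, ttl = self._resolve(name)
        except NameNotFound:
            # A real negative answer is fresh information: never mask it
            # with old data, and forget the expired record.
            self._cache.pop(name, None)
            raise
        except UpstreamUnreachable:
            # Outage: fall back to expired data, but only within the
            # staleness cap, and with a short TTL so clients ask again soon.
            if entry and now - entry[1] <= self._max_stale:
                return entry[0], self._stale_ttl, "stale"
            raise
        self._cache[name] = (address, now + ttl)
        return address, ttl, "miss"


def demo():
    """Constructed scenario: upstream answers once, then stays down past the TTL."""
    now = [0.0]
    upstream_up = [True]
    zone = {"www.example.org": ("192.0.2.10", 300)}   # constructed sample record

    def resolve(name):
        if not upstream_up[0]:
            raise UpstreamUnreachable(name)
        if name not in zone:
            raise NameNotFound(name)
        return zone[name]

    cache = StaleCache(resolve, max_stale=3600, clock=lambda: now[0])
    results = [cache.lookup("www.example.org")]        # miss: fills the cache
    now[0] = 100
    results.append(cache.lookup("www.example.org"))    # hit: 200 s of TTL left
    upstream_up[0] = False
    now[0] = 400                                       # 100 s past expiry, upstream down
    results.append(cache.lookup("www.example.org"))    # stale answer, short TTL
    now[0] = 300 + 3600 + 1                            # beyond the staleness cap
    try:
        cache.lookup("www.example.org")
    except UpstreamUnreachable:
        results.append("unreachable")
    return results


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The staleness cap and the short TTL on stale answers bound how long a record that has since changed or been withdrawn can keep circulating.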
Re:Dan Bernstein (Score:2, Insightful)
I had even run into an individual IRL who had this genius complex as he was trying to sell me on an Open Source project he was working on. He was so unbearable I don't want to work with him.
To people with such complexes, I suggest you have them read Nietzsche. He has a lot to say about "the cult of the genius". Though I disagree with him on many counts and feel he suffered from the same delusions he denounced, I have to agree with his reasoning in this matter.
He may have mentioned this in several of his writings, but in particular, I am referencing _Human, all too Human_.
Re:Dan Bernstein (Score:2)
Also he's prepared to tell dicks that they are dicks - something that is unfortunately rare these days.
ISP's responsibility. (Score:4, Insightful)
Re:ISP's responsibility. (Score:2, Insightful)
Maybe that's why the weird addresses (Score:2)
Alternative DNS providers (Score:2)
Time for a new model (Score:5, Interesting)
Of course, ultimately you have to have some sort of root server. But in a distributed model, they could be essentially insulated from DOS attacks, because they just need to get the master list out to a few systems for it to propagate all over. There could be a redundant distribution mechanism whereby the root servers send the list out through normal channels, but also send it to some randomly selected servers by phone call as a backup. At that stage hosing the root servers (or more accurately their connections, I doubt anyone is gonna ping one of those things to lockup) would not only be difficult and dangerous, but pointless. You cut off its connection via the internet, but the list still gets out and immediately spreads to so many DNS servers you couldn't possibly shut them all down, and you would have to shut down most of the world's DNS servers to have any impact on users.
Ultimately it wouldn't change things too much, since we're already pretty insulated from these attacks. But it does have a nice "just in case" factor to prevent some megaworm or Y2k-style OS-pervasive glitch from knocking us on our butts. And it would take the wind out of the sails for a bunch of the script kiddies (and the odd genuine hacker) out there trying to crash the net, which is almost worth it in and of itself.
Re:Time for a new model (Score:3, Insightful)
Set your nameserver to forward all your request to your ISP's DNS instead of having a
Of course, ultimately you have to have some sort of root server. But in a distributed model, they could be essentially insulated from DOS attacks, because they just need to get the master list out to a few systems for it to propagate all over.
Isn't that what we have now?
There is an elegant solution (Score:5, Interesting)
Here's a quick overview I found: http://www.pch.net/documents/tutorials/ipv4-anycast/ipv4-anycast.ppt [pch.net]
Now if we can just get all or most of the root-servers and gtld-servers moved to anycast, then there should be at least minor performance gains, and fairly large stability/resilience-to-DOS gains.
Re:There is an elegant solution (Score:3, Interesting)
Doh! (Score:5, Funny)
Phone rings.
"Bob, the web server is under attack again, and this one's coming from all around the globe. Game over man, game over."
Slashdot's a bitch.
central control (Score:2)
Hmm.. trolling for ICANN haters? I see no particular security problem with a central authority managing a TLD, provided that their backup servers are distributed widely in both the geographical and topological senses. We shouldn't confuse this particular issue with that of whether a central authority like ICANN should have the right to control who can and cannot create new TLD's.
I still wonder.... (Score:2)
The UltraDNS infrastructure has 16 or so machines on the same IP number. So it's harder to hit all of them. And it's not BIND, so it may be harder to bring down. (not sure it matters - the root DDOS didn't crash BIND either).
And of course UltraDNS is typically not serving all of the secondaries for a zone.
If anyone has real info....
Re:Shameless plug for UltraDNS (Score:3, Informative)
Re:Shameless plug for UltraDNS (Score:4, Interesting)
You're right about their ease of use, it's definitely a strong point.
I've never had any issues with them, and come to think of it, I didn't have any problems this weekend either. In fact, I got -more- spam than usual, so I'm going to assume that if the spammers didn't have a problem resolving my domain name, neither did anyone else.
everydns (Score:4, Interesting)
Re:Maybe not a DoS? (Score:3, Funny)
Not only are the hosting companies after the anti-terror funds. The sysadmins orchestrate these 'attacks' to gain 'relations' with the investigating FBI Special Agents. If you have not seen the women agents in the FBI's Computer Crimes Division do yourself a huge favor. Most of these 'attacks' originated from internal addresses and it was typically on one of the sysadmin's birthday treats. I personally have gotten '7-digits' from these agents on numerous occasions and one of these lucky agents will be the mother of my children.
Re:From the author of qmail comes.... (Score:5, Informative)
Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)
Seems to me like DJBDNS wouldn't help a lick!
-D
Re:From the author of qmail comes.... (Score:5, Insightful)
Not really... what are you trying to say? Can DJBDNS prevent thousands of trojaned Windows systems from pinging it incessantly? I didn't think so, and you had no point.
Why allow ping? (Score:2)
Re:Why allow ping? (Score:2)
Right, some high profile sites do just that. www.microsoft.com, for example, does not reply to ICMP echo-requests. It goes along with the idea of only allowing what's absolutely necessary, in terms of daemons and open ports.
I suppose pinging might suck bandwidth
Yeah, even if they decide not to respond to the pings, the ICMP traffic is still coming down the wire. In that case, the traffic can be filtered upstream. However, from what I read, it sounds like this attack was not echo requests, but apparently syn packets. Whether they were TCP or UDP and what port is unknown, but if they were UDP port 53, there wouldn't be much anybody could do to separate DDOS traffic from legitimate traffic.
Re:SURPRISE GIRLS! KEITAROU'S SPECIAL BED TREATMEN (Score:2, Funny)
Re:The Edge of the Internet (Score:4, Informative)
If you visualize the Internet as a graph where lines represent each communication link, each computer has various numbers of lines to its neighbors.
Usually the systems which have the most connections are shown on such a graph as being deep inside the web. Those which have only one connection, such as home computers and others which use one ISP, tend to be a frilly edge all around the web.
"Securing the edge" means protecting against misbehavior of servers around the edge, particularly servers other than communication devices inside ISPs. A common example is ingress filtering, where an ISP rejects packets from customers when the origin address (the computer's IP address) is not one of the ISP's addresses; this shouldn't happen because the ISP knows the proper addresses of its customers. Ingress filtering keeps "the edge" from sending in garbage.
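Added example (not part of the comment above, and not any vendor's configuration): the ingress-filtering check it describes, written as a source-address validator. It goes one step further than the comment by checking each customer port against that customer's own prefixes rather than the ISP's whole address space; the interface names, prefix table and sample packets are constructed, using documentation address ranges.

```python
"""Source-address validation at the customer edge (added example)."""
import ipaddress
from collections import Counter

# Hypothetical ISP edge: customer-facing interface -> prefixes assigned to
# the customer behind it (constructed, documentation ranges only).
CUSTOMER_PREFIXES = {
    "cust-a": ["198.51.100.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.128/25"],
}

# Constructed sample traffic: (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("cust-a", "198.51.100.10", "192.0.2.53"),      # legitimate IPv4 source
    ("cust-a", "203.0.113.7", "192.0.2.53"),        # source outside the ISP's space
    ("cust-b", "198.51.100.10", "192.0.2.53"),      # cust-a's address on cust-b's port
    ("cust-a", "2001:db8:a::1", "2001:db8:53::1"),  # legitimate IPv6 source
    ("cust-b", "198.51.100.200", "192.0.2.53"),     # legitimate IPv4 source
    ("cust-c", "198.51.100.10", "192.0.2.53"),      # interface with no prefix list
    ("cust-a", "not-an-ip", "192.0.2.53"),          # malformed source field
]


def build_filters(prefix_table):
    """Parse prefix strings once; strict=True rejects entries with host bits set."""
    return {
        iface: [ipaddress.ip_network(p, strict=True) for p in prefixes]
        for iface, prefixes in prefix_table.items()
    }


def permit(filters, interface, src):
    """True only if src parses and lies inside a prefix assigned to interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    # Unknown interfaces have no prefixes, so everything from them is denied.
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(addr in net for net in filters.get(interface, ()))


def apply_ingress_filter(filters, packets):
    """Split packets into those forwarded and a per-interface drop count."""
    forwarded, dropped = [], Counter()
    for iface, src, dst in packets:
        if permit(filters, iface, src):
            forwarded.append((iface, src, dst))
        else:
            dropped[iface] += 1
    return forwarded, dict(dropped)


if __name__ == "__main__":
    fwd, drops = apply_ingress_filter(build_filters(CUSTOMER_PREFIXES), SAMPLE_PACKETS)
    for pkt in fwd:
        print("forward", pkt)
    print("dropped per interface:", drops)
```

The per-interface drop counter doubles as a detection signal: a port that suddenly drops many packets is likely hosting a machine that is forging source addresses.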
Re:Counter-Hacking (Score:2)
Um, does the fact that I just suggested this make me a terrorist?