Home page logo
/

nanog logo nanog mailing list archives

Re: Anonymous planning a root-servers party
From: Mark Andrews <marka () isc org>
Date: Thu, 16 Feb 2012 10:13:57 +1100


In message <5F40C962-FF7E-4197-BBA5-5E891104B17C () puck nether net>, Jared Mauch 
writes:

On Feb 15, 2012, at 5:36 PM, George Bakos wrote:

As I hadn't seen it discussed here, I'll have to assume that many
NANOGers haven't seen the latest rant from Anonymous:
=20
"To protest SOPA, Wallstreet, our irresponsible leaders and the
beloved bankers who are starving the world for their own selfish
needs out of sheer sadistic fun, On March 31, the Internet will go
Black.=20
In order to shut the Internet down, one thing is to be done. Down the
13 root DNS servers of the Internet. Those servers are as follow:"
=20
http://pastebin.com/XZ3EGsbc
=20
13 servers. Sshhhhh! Don't anybody mention anycast - it's a secret.

As is TCP, which requires a 3-way handshake, oh and the 41 day TTL on =
the . zone

2 day TTL on the served data pointing to the com zone, so any =
well-behaved server should only touch the root once every ~172800 =
seconds.

This means the activity would have to be sustained and unmitigated for =
many hours (days) to have a significant impact.

- Jared

Or just slave the root zone.  1 million root servers is more robust
than the hundred or so we have today and given the root is signed
you can verify the answers returned.

One can have your own, offical, F root server instance if you want.
A number of ISP already have one.  I think a number of the other
root server operators do something similar.

One can hijack one of the official address and replace the A and AAAA
records with local address.  This one does cause issues for any one
wanting to lookup the hijacked address.

One can use static-stub in named and simlar mechanisms in other
nameservers to send root zone traffic to a local instance.

On can use multiple views, match-recursive and forwarder zones in
forward first mode to validate answer from the other view using
tsig to reach the other view.  You can also us this to get AD set
on answers from your local zones.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]