North American Network Operators Group


RE: WP: Attack On Internet Called Largest Ever

  • From: Joe Patterson
  • Date: Wed Oct 23 18:24:36 2002

> The problem is making absolutely sure that the root zone
> that is served is authentic. For AS112 this is
> not really important because the queries it syphons off
> are all bogus anyways. So I could not care less if they
> received bogus answers. For the root this is an entirely
> different matter! Of course if we had DNSSEC widely deployed
> it would be a no-brainer. But I am afraid that is going to
> take a long time; I hope it happens before DNS itself
> becomes obsoleted.

I had some similar thoughts/worries.  But then I realized, they apply to the
current infrastructure just as well as to an anycast infrastructure.

The security implications that I see come down to a few (I'm sure there are
more):

First, what happens if someone starts announcing bogus paths to the anycast
AS/network?  Can't they hijack the root nameservers?
Answer: Yes.  Until nameservers on anycast networks are in place, the same
attackers will have to do this by announcing the IP address of
{all}.root-servers.net/32 (or /24 if their upstream won't accept a /32).
The reason this doesn't happen every day is that providers generally are
fairly good at not accepting clearly bogus advertisements from their
customers, and (legitimately) trust that the providers they peer with have
similar policies.  This will work just as well with anycast.

Second, right now there are a few dozen physical machines that are the root
name servers.  They are, generally, fairly tough nuts, security-wise.  What
happens when we have to secure a few hundred machines instead of a few
dozen?
Answer: If you can build one very secure single-purpose server, it's not
all that much harder to build 100.  The flip side of that is, if you've got
a few hundred servers on anycast networks, then if one of them gets
compromised, the "damage" is limited to those networks that see that server
as "closest".  And, as an added bonus, there's the neat feature that
if an attacker is attacking a server across the network, and is attacking
its anycast address, then which server he ends up attacking can tell you a
lot about where he's coming from.

Third, physically securing more servers.
Answer: This actually is harder the more servers you have (well, it's
harder if their redundancy is going to do you any good).  But, once again,
the damage is limited to a smaller scope.

Fourth, what about attacks against the synchronization of the root server
zone files?
Answer: First off, this probably (I'm not sure) doesn't happen very often.
The root zone files don't change much; at least that's my understanding
(the gtld-server zone files, on the other hand, do).  Also, this is already
a problem.  It's just a matter of scale.  If you can build it right for a
dozen servers, you can probably build it right for a hundred.

There are probably other problems, but those are the ones I thought of when
thinking about this...

-Joe
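The customer-facing route filtering that Joe's first point relies on, as an
added example that is not part of his post or of any NANOG member's code: a
toy BGP import filter in Python that applies the checks the post alludes to
(refuse anything more specific than a /24, refuse any route that covers a
root-server address unless the expected AS originates it, and refuse customer
routes that fall outside the customer's registered prefix list).  All prefixes
and AS numbers below are documentation / private-use values (RFC 5737,
RFC 6996) chosen for illustration, not real root-server assignments, and the
policy tables and sample announcements are constructed.

```python
"""Toy BGP import filter (constructed example, not production or vendor code).

Prefixes and ASNs are documentation/private-use values, NOT real root-server
assignments.  The policy tables below are hypothetical."""
import ipaddress
from dataclasses import dataclass

# Reject anything longer than this (the "/32 if the upstream accepts it" case).
MAX_PREFIX_LEN = 24

# Hypothetical: a prefix covering a root server's address -> the only AS that
# may originate a route overlapping it.
PROTECTED_ORIGINS = {
    ipaddress.ip_network("192.0.2.0/24"): 64500,
}

# Hypothetical per-customer prefix list: what each customer AS may announce.
# Neighbours not listed here are treated as peers (trusted to filter their own
# customers, as the post describes), so only the global checks apply to them.
CUSTOMER_PREFIX_LISTS = {
    64510: [ipaddress.ip_network("203.0.113.0/24")],
}


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple  # as received: as_path[0] is the neighbour, as_path[-1] the origin


def evaluate(ann, protected=PROTECTED_ORIGINS, customers=CUSTOMER_PREFIX_LISTS,
             max_len=MAX_PREFIX_LEN):
    """Return (accepted, reasons).  An empty reason list means every check passed."""
    net = ipaddress.ip_network(ann.prefix, strict=False)
    neighbour, origin = ann.as_path[0], ann.as_path[-1]
    reasons = []

    # 1. Maximum prefix length: a /32 (or /25...) for a root server is refused outright.
    if net.prefixlen > max_len:
        reasons.append(f"{net} is more specific than /{max_len}")

    # 2. Origin check on protected space: any route overlapping a protected prefix
    #    (more specific OR a covering aggregate) must come from the authorized AS.
    for pnet, authorized_as in protected.items():
        if net.overlaps(pnet) and origin != authorized_as:
            reasons.append(f"{net} overlaps protected {pnet} but originates "
                           f"from AS{origin}, not AS{authorized_as}")

    # 3. Customer prefix list: customers may only announce registered space.
    if neighbour in customers:
        if not any(net.subnet_of(allowed) for allowed in customers[neighbour]):
            reasons.append(f"customer AS{neighbour} is not permitted to announce {net}")

    return (not reasons, reasons)


# Constructed sample announcements: a legitimate customer route, two hijack
# attempts from that customer (/32 and /24 of the protected prefix), the real
# origin seen via a peer, and a bogus covering aggregate seen via a peer.
SAMPLE_ANNOUNCEMENTS = [
    Announcement("203.0.113.0/24", (64510,)),
    Announcement("192.0.2.4/32", (64510,)),
    Announcement("192.0.2.0/24", (64510,)),
    Announcement("192.0.2.0/24", (64499, 64500)),
    Announcement("192.0.0.0/16", (64499, 64511)),
]


def filter_table(announcements):
    """Map each announced prefix to whether the filter accepts it."""
    return {a.prefix: evaluate(a)[0] for a in announcements}


if __name__ == "__main__":
    for ann in SAMPLE_ANNOUNCEMENTS:
        accepted, reasons = evaluate(ann)
        verdict = "ACCEPT" if accepted else "REJECT"
        print(f"{verdict:6} {ann.prefix:16} path={ann.as_path}")
        for r in reasons:
            print(f"         - {r}")
```

Note that check 2 deliberately catches a covering aggregate as well as a
more-specific: a bogus /16 from the wrong origin does not win against the
legitimate /24 on longest-match grounds, but it would still attract traffic
from any network that never heard the /24, so a filter that only looks for
more-specifics misses it.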