Anonymous planning a root-servers party

Mark Andrews marka at isc.org
Wed Feb 15 23:13:57 UTC 2012


In message <5F40C962-FF7E-4197-BBA5-5E891104B17C at puck.nether.net>, Jared Mauch 
writes:
> 
> On Feb 15, 2012, at 5:36 PM, George Bakos wrote:
> 
> > As I hadn't seen it discussed here, I'll have to assume that many
> > NANOGers haven't seen the latest rant from Anonymous:
> >
> > "To protest SOPA, Wallstreet, our irresponsible leaders and the
> > beloved bankers who are starving the world for their own selfish
> > needs out of sheer sadistic fun, On March 31, the Internet will go
> > Black.
> > In order to shut the Internet down, one thing is to be done. Down the
> > 13 root DNS servers of the Internet. Those servers are as follow:"
> >
> > http://pastebin.com/XZ3EGsbc
> >
> > 13 servers. Sshhhhh! Don't anybody mention anycast - it's a secret.
> 
> As is TCP, which requires a 3-way handshake, oh and the 41 day TTL on
> the . zone
> 
> 2 day TTL on the served data pointing to the com zone, so any
> well-behaved server should only touch the root once every ~172800
> seconds.
> 
> This means the activity would have to be sustained and unmitigated for
> many hours (days) to have a significant impact.
> 
> - Jared

Or just slave the root zone.  1 million root servers is more robust
than the hundred or so we have today and given the root is signed
you can verify the answers returned.

You can have your own, official, F root server instance if you want.
A number of ISPs already have one.  I think a number of the other
root server operators do something similar.

One can hijack one of the official addresses and replace the A and AAAA
records with local addresses.  This one does cause issues for anyone
wanting to look up the hijacked address.

One can use static-stub in named and similar mechanisms in other
nameservers to send root zone traffic to a local instance.

One can use multiple views, match-recursive and forwarder zones in
forward first mode to validate answers from the other view using
tsig to reach the other view.  You can also use this to get AD set
on answers from your local zones.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
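The slave-root and static-stub suggestions in Mark's message, written out as a BIND 9 named.conf fragment. This is an added example, not Mark's or ISC's own configuration; it follows the two-view layout that RFC 7706 later documented for running a root copy on loopback. The zone-transfer sources are placeholders (RFC 5737 documentation addresses) and must be replaced with addresses of root-server or ICANN xfr hosts that permit AXFR of "."; the 127.12.12.12 loopback address is likewise an arbitrary choice.

```conf
// Added example: a local copy of the root zone in BIND 9 (9.8 or later,
// which has static-stub and dnssec-validation auto).
// Layout: one non-recursive view slaves "." and answers only on a
// dedicated loopback address; the recursive view reaches it through a
// static-stub zone and DNSSEC-validates whatever comes back.

options {
    directory "/var/cache/bind";
    // Normal service address plus a loopback address reserved for the
    // root view (127.12.12.12 is an arbitrary choice in 127/8).
    listen-on { 127.0.0.1; 127.12.12.12; };
    listen-on-v6 { ::1; };
};

// Views are matched in order, so queries addressed to 127.12.12.12
// land here and everything else falls through to "recursive".
view "root" {
    match-destinations { 127.12.12.12; };
    recursion no;
    allow-query { 127.0.0.0/8; ::1; };
    zone "." {
        type slave;
        file "rootzone.db";
        notify no;
        masters {
            192.0.2.1;   // PLACEHOLDER: an AXFR-permitting root/xfr server
            192.0.2.2;   // PLACEHOLDER: a second one for redundancy
        };
    };
};

view "recursive" {
    match-clients { any; };
    recursion yes;
    allow-recursion { localnets; };
    // Validate against the built-in root trust anchor (bind.keys): a
    // stale, corrupt or tampered local copy fails validation instead of
    // being believed, which is the point of "the root is signed".
    dnssec-validation auto;
    // Send all root-zone queries to the slave copy instead of the
    // root-servers.net addresses.
    zone "." {
        type static-stub;
        server-addresses { 127.12.12.12; };
    };
};
```

Check the syntax with `named-checkconf`, then confirm the copy is in use: `dig @127.12.12.12 +norecurse . SOA` should answer with aa set and the current root serial, and `dig @127.0.0.1 +dnssec . SOA` should return the same serial with the ad flag set, showing the recursive view validated it. The caveat a practitioner wants: the static-stub has no fallback, so if transfers fail for longer than the root SOA's expire time the slave stops answering and every lookup through this resolver fails. Monitor the serial on 127.12.12.12 against what the public root servers serve.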