RE: Root Server DDoS Attack: What The Media Did Not Tell You
Good Morning Joe, everyone

-Original Message-
From: Joe Baptista [mailto:[EMAIL PROTECTED]]
Sent: 25 November 2002 18:50
To: Joe Touch
Cc: Paul Vixie; [EMAIL PROTECTED]
Subject: Re: Root Server DDoS Attack: What The Media Did Not Tell You

> I always support my allegations. Proof of Hi-jacking GO HERE
>
> the email: http://www.law.miami.edu/~froomkin/articles/icann-notes.htm#F175
> the event: http://www.law.miami.edu/~froomkin/articles/icann-body.htm#B175
>
> regards
> Joe Baptista

Having taken the time to read this document in its entirety I don't actually see your name mentioned. So please forgive my ignorance of Internet history and please explain to us mortals not involved in running the Internet, where your involvement was.

Many thanks
Sean Jones
Re: Root Server DDoS Attack: What The Media Did Not Tell You
vint, the thing you're not including in your analysis is that mr. baptista is a dns pirate and his article in circleid was entirely self-serving and politically based.

> The issue is less the size of the file than the problem of updating many copies of it reliably. The root server operators find it a challenge to assure that even the modestly sized root zone file is correctly distributed to all root servers accurately and in a timely fashion.

that's our issue. mr. baptista's issue is that he wants everyone on the net to have their own unique root, each with a set of tld's seasoned to local tastes, ideally with many of them pointing at tld's he controls. this is no different in its end result from what new.net wants, it's just a different method of achieving it.

the thing that surprised me was that circleid actually published his article, including URL at the end (http://www.dot-god.com/resources/ROOT.html) which points to mr. baptista's activism/piracy site. i had not thought of circleid as a tabloid until yesterday.

(what's worse, i think that we are both now guilty of feeding the trolls.)

--
Paul Vixie
Re: Root Server DDoS Attack: What The Media Did Not Tell You
> I ask that you refrain from this shameful conduct.

Ahem. As amusing as all this isn't, operational issues really don't belong on the ietf mailing list. Let me add my voice to the growing chorus of people who have asked you to take it elsewhere.

Melinda
Re: Root Server DDoS Attack: What The Media Did Not Tell You
On Mon, 25 Nov 2002, Melinda Shore wrote:

>> I ask that you refrain from this shameful conduct.
>
> Ahem. As amusing as all this isn't, operational issues really don't belong on the ietf mailing list. Let me add my voice to the growing chorus of people who have asked you to take it elsewhere.

melinda - my apologies. i've been ignoring the regular insults which are to be expected when one challenges the establishment. However one can not ignore paul vixie when he comes out and calls one a dns pirate. That borders on slander and libel - after all mr. vixie is worshipped far and wide. his pebbles of wisdom are scattered on the masses infrequently.

paul and i also enjoy a very long history. unfortunately as far as the history is concerned for much of that time paul has been a very unhappy camper.

now i appreciate this group. very little silliness goes on here. i personally am no longer responding to the thread - unless of course some other net god cares to make libelous statements. i am no dns pirate - i consider myself and am a dns pioneer.

cheers
joe baptista
Re: Root Server DDoS Attack: What The Media Did Not Tell You
Joe Baptista wrote:

> On 23 Nov 2002, Paul Vixie wrote:
>
>> vint, the thing you're not including in your analysis is that mr. baptista is a dns pirate and his article in circleid was entirely self-serving and politically based.
>
> Paul baby - it's an honour to get such recognition from you. But where's your Proof? Now Paul - I find it somewhat entertaining that you would crawl out of your wintering hole and growl at me and make false accusation i can use against you. That's not nice Paul. And frankly it's my opinion that such baseless gibberish is below you. You're a recognized leader in this community. A root server operator. You even went along with postel on the hi-jacking (or was that test) of the root servers. Paul you're a legend in internet history. What you have to say carries weight here. Yet you're so quick to anger and libel.
>
> I ask that you refrain from this shameful conduct. or give me proof of your claims?

How about proof of the hi-jacking? (sauce for the gander)

Until then, please keep your attacks those who are still able to defend themselves.

Joe Touch
Director, Postel Center for Experimental Networking
USC/ISI
Re: Root Server DDoS Attack: What The Media Did Not Tell You
On Mon, 25 Nov 2002, Joe Touch wrote:

>> community. A root server operator. You even went along with postel on the hi-jacking (or was that test) of the root servers. Paul you're a
>
> How about proof of the hi-jacking? (sauce for the gander)
>
> Until then, please keep your attacks those who are still able to defend themselves.

I always support my allegations. Proof of Hi-jacking GO HERE

the email: http://www.law.miami.edu/~froomkin/articles/icann-notes.htm#F175
the event: http://www.law.miami.edu/~froomkin/articles/icann-body.htm#B175

Gordon Cook I understand can attest to this. He trolls here from time to time. He overheard Postel's end of the conversation. This of course is well known internet history. Gordon Cook also has reported on it - see his home page - www.cookreport.com.

regards
joe baptista
Re: Root Server DDoS Attack: What The Media Did Not Tell You
At 05:02 24/11/02, Michael Froomkin - U.Miami School of Law wrote:

>> The issue is less the size of the file than the problem of updating many copies of it reliably. The root server operators find it a challenge to assure that even the modestly sized root zone file is correctly distributed to all root servers accurately and in a timely fashion.
>
> Are there statistics on this? Certainly the published info I've seen is more of the patting-self-on-back variety.

This is why the only long term viable solution is to get the root file used by a root server - or small group of root servers - asynchronously rebuilt by its operator from the very authoritative data of the TLD Managers, and to have them mutually crosschecked for consistency among root servers systems.

Obviously this means to consider the Internet as a distributed network of cooperating - or even concerting - (instead of coordinated) systems, probably not what IETF and ICANN share as a network subsidiarity culture as yet. Maybe what an appropriate analysis of the requirements for a real and stable global security may change?

jfc
Re: Root Server DDoS Attack: What The Media Did Not Tell You
On Sat, 23 Nov 2002, vinton g. cerf wrote:

> where are these statistics from - I cannot believe that more than a few percent of the net uses non-USG root.

It's much more than that Vint. The last poll I conducted on the dns showed at least 5%. But that was a few years ago. The 30% comes from various discussions we had concerning new.net. At the time the internet had about 300 million users - estimated by various sources and new.net claimed some 80 million users. The bulk of the argument was held on the opensrs discussion lists hosted by tucows.

So I have no doubt the estimate of 30% is now very conservative considering new.net now claims over 156 million users - but i don't know the user stats for current user population. However I suspect their market share has grown significantly since the 30% estimates.

So there you have it - new.net is your competition by market share. the other alt.roots are peanuts in comparison. Now mind you new.net has purchased the right to be the navigator of record for those 156 million users. Unlike the USG root system which does not buy the public's affections.

regards
joe baptista

> Vint
>
> At 09:10 AM 11/23/2002 -0500, Joe Baptista wrote:
>
>> The root servers struck by the attack assist computers in translating Internet domain names, such as www.circleid.com, to numeric equivalents used by computers. These servers provide the primary roadmap for 70% of all Internet communications. The remaining 30% of the net now uses competing root service providers who bypass the USG root system. They were not under attack.
>
> Vint Cerf
> SVP Architecture Technology
> WorldCom
> 22001 Loudoun County Parkway, F2-4115
> Ashburn, VA 20147
> 703 886 1690 (v806 1690)
> 703 886 0047 fax
Re: Root Server DDoS Attack: What The Media Did Not Tell You
On Sat, 23 Nov 2002, vinton g. cerf wrote:

> Louis Touton is Vice President and General Counsel of ICANN.

Sorry about that. Must be a cut and paste typo I missed. I'll have it fixed.

> ICANN has had a root server advisory committee from early days, working on root server placement to improve resilience; the security and stability advisory committee was created in the wake of 9/11 and has increased the priority of root server security evaluation.

I know. It's a very patriotic committee - but what exactly has it done concerning root security. I'd like to examine the documents the committee presented in shanghai - but i can't find it on the web site. Basically I'm interested to know if they addressed these recent attacks.

Like everyone else I heard the rumour - Informed sources at ICANN expect that the committee will initially recommend that ISPs take steps to prevent packets with forged IP addresses from being used in DDOS attacks. But I've seen nothing so far.

regards
joe baptista

> At 09:10 AM 11/23/2002 -0500, Joe Baptista wrote:
>
>> The attack, however, should come as no surprise to ICANN (Internet Corporation for Assigned Names and Numbers), the Department of Commerce contractor responsible for root security. Over the years, ICANN has been warned that the existing root infrastructure was vulnerable to attack, but the warnings have been largely ignored. Now, however, ICANN President Louis Touton insists that the attacks make it important to have increased focus on the need for security and stability of the Internet. ICANN's Security and Stability Advisory Committee quickly moved in to investigate the incident. The committee is expected to produce a report on securing the edge of the USG Domain Name System network.
>
> Vint Cerf
> SVP Architecture Technology
> WorldCom
> 22001 Loudoun County Parkway, F2-4115
> Ashburn, VA 20147
> 703 886 1690 (v806 1690)
> 703 886 0047 fax
Re: Root Server DDoS Attack: What The Media Did Not Tell You
On Sat, 23 Nov 2002, vinton g. cerf wrote:

> joe, this makes no sense to me - the cacheing mechanisms are essentially doing what you suggest. That's one of the reasons the system is resilient.

I agree and beautifully so. I take my hat off to the crew which put the dns together in the first place. A good example is discussed from time to time on the [EMAIL PROTECTED] mailing lists. As you may know ICANN has refused to update some cctld records - but those cctlds continue to resolve. SO yes I agree it is very resilient.

> But you need to invalidate the cache to deal with changes to the binding of domain name and IP address. Simply mirroring everything doesn't improve things, in my estimation. In fact, trying to mirror everything everywhere has a massive update problem. Cacheing spreads the update process over time.

But does it matter. We both agree it's a resilient system. Eventually the updates are done. I don't see an issue here. Like I said before the USG root file has carried incorrect information on cctlds and the system still resolved.

> The USG doesn't actually run the root server (although some of the root servers are in fact housed at USG supported laboratories). The Dept of Commerce in effect delegates the actual operation to the root server operators.

Well who owns this monopoly. Whoever has control of the roots has control of the 70% USG monopoly.

> The issue is less the size of the file than the problem of updating many copies of it reliably. The root server operators find it a challenge to assure that even the modestly sized root zone file is correctly distributed to all root servers accurately and in a timely fashion.

well .. maybe the root committee or the security committee could investigate sponsoring root servers systems worldwide and work on solving the update issue and the ietf i'm sure can help. After all the icann through GAC is an international organization - or at least wants to be.

Your mission should be to reduce international dependence on a US centric root system. I feel the single root approach that stuart lynn advocated and established as icann policy is a bit lame for today's high speed web servers.

Of course I always appreciate your views on this.

regards
joe baptista

> At 09:10 AM 11/23/2002 -0500, Joe Baptista wrote:
>
>> To survive a sustained DDOS attack against the roots, the best solution an ISP has is to run its own system and eliminate any dependence on the US government for basic internet services. It would also be prudent for other primary namespaces like .com. Unfortunately, though, it would require a considerable amount of resources -- the .com zone file alone is well over a gigabyte in size. But the root file is very manageable and can easily be run on an ISP's local domain name servers.
>
> Vint Cerf
> SVP Architecture Technology
> WorldCom
> 22001 Loudoun County Parkway, F2-4115
> Ashburn, VA 20147
> 703 886 1690 (v806 1690)
> 703 886 0047 fax
Re: Root Server DDoS Attack: What The Media Did Not Tell You
On Sun, 24 Nov 2002, Joe Baptista wrote:

>> where are these statistics from - I cannot believe that more than a few percent of the net uses non-USG root.
>
> It's much more than that Vint. The last poll I conducted on the dns showed at least 5%. But that was a few years ago. The 30% comes from various discussions we had concerning new.net. At the time the internet had about 300 million users - estimated by various sources and new.net claimed some 80 million users. The bulk of the argument was held on the opensrs discussion lists hosted by tucows.
>
> So I have no doubt the estimate of 30% is now very conservative considering new.net now claims over 156 million users - but i don't know the user stats for current user population. However I suspect their market share has grown significantly since the 30% estimates.
>
> So there you have it - new.net is your competition by market share. the other alt.roots are peanuts in comparison. Now mind you new.net has purchased the right to be the navigator of record for those 156 million users. Unlike the USG root system which does not buy the public's affections.

I don't think any source related to new.net regarding this can be treated as reliable. Do you have independent estimates or some rough data?

--
Pekka Savola                  Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
Re: Root Server DDoS Attack: What The Media Did Not Tell You
On Sun, 24 Nov 2002, Pekka Savola wrote:

> I don't think any source related to new.net regarding this can be treated as reliable. Do you have independent estimates or some rough data?

No - and I can confirm that none exists or at least i have not seen any in the public arena. But I would not discount new.net's claims. I'm sure they can support their claims. At the very least they do have market share in root server operations irrespective of the means used to calculate it.

I've cc'ed new.net on this - let's see if they respond.

regards
joe baptista
Re: Root Server DDoS Attack: What The Media Did Not Tell You
--On Saturday, November 23, 2002 23:02:15 -0500 Michael Froomkin - U.Miami School of Law [EMAIL PROTECTED] wrote:

>> The issue is less the size of the file than the problem of updating many copies of it reliably. The root server operators find it a challenge to assure that even the modestly sized root zone file is correctly distributed to all root servers accurately and in a timely fashion.
>
> Are there statistics on this? Certainly the published info I've seen is more of the patting-self-on-back variety.

There is a certain amount of work required to keep a large number of servers in sync. Developments such as IXFR, Notify and TSIG all help in speeding up convergence and assuring correctness of data. Still, if the ship is to be run as tight as can be, one needs to perform a significant admin and monitoring work to ensure that these functions actually function.

I agree with Valdis that this is not IETF list material; it should be taken to the operations community ASAP.

Måns, running DNS servers for fun and public benefit.

--
Måns Nilsson http://vvv.besserwisser.org
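Added example (not part of the thread, and not any operator's tooling): one form the monitoring mentioned above can take is comparing the SOA serial each server reports for the zone, using RFC 1982 serial arithmetic so a wrapped counter is not mistaken for a stale copy. The server names and SOA values below are constructed sample data.

```python
"""Zone-sync audit: which servers still hold an older copy of a zone?"""
import re

SERIAL_MOD = 2 ** 32   # the SOA serial is an unsigned 32-bit counter
HALF_RANGE = 2 ** 31


def serial_cmp(a, b):
    """RFC 1982 comparison: -1 if a is older than b, 0 if equal, 1 if newer.

    Serials wrap at 2**32, so plain integer comparison is wrong near the
    wrap. Two serials exactly 2**31 apart have no defined order.
    """
    if a == b:
        return 0
    forward = (b - a) % SERIAL_MOD
    if forward == HALF_RANGE:
        raise ValueError(f"serials {a} and {b} are not comparable")
    return -1 if forward < HALF_RANGE else 1


def parse_soa_serial(rdata):
    """Return the serial from SOA rdata text:
    mname rname serial refresh retry expire minimum
    """
    fields = rdata.split()
    numeric = fields[2:]
    if len(fields) != 7 or not all(re.fullmatch(r"[0-9]+", f) for f in numeric):
        raise ValueError(f"malformed SOA rdata: {rdata!r}")
    serial = int(fields[2])
    if serial >= SERIAL_MOD:
        raise ValueError(f"serial out of range: {serial}")
    return serial


def audit_zone_sync(responses):
    """Classify servers given {server: SOA rdata text, or None on timeout}.

    Assumes all live serials lie within half the serial space of each
    other, which holds for any normally maintained zone; otherwise
    serial_cmp raises ValueError.
    """
    serials, unreachable, malformed = {}, [], []
    for server in sorted(responses):
        rdata = responses[server]
        if rdata is None:
            unreachable.append(server)
            continue
        try:
            serials[server] = parse_soa_serial(rdata)
        except ValueError:
            malformed.append(server)

    newest = None
    for serial in serials.values():
        if newest is None or serial_cmp(newest, serial) < 0:
            newest = serial

    # For each out-of-date server, how many increments it is behind.
    lagging = {
        server: (newest - serial) % SERIAL_MOD
        for server, serial in serials.items()
        if serial != newest
    }
    return {
        "newest": newest,
        "lagging": lagging,
        "unreachable": unreachable,
        "malformed": malformed,
    }


# Constructed sample: answers a monitor might collect from five servers.
SAMPLE_RESPONSES = {
    "srv-a.example": "master.example. hostmaster.example. 2002112501 1800 900 604800 86400",
    "srv-b.example": "master.example. hostmaster.example. 2002112501 1800 900 604800 86400",
    "srv-c.example": "master.example. hostmaster.example. 2002112401 1800 900 604800 86400",
    "srv-d.example": None,  # no answer within the timeout
    "srv-e.example": "master.example. hostmaster.example. not-a-serial 1800 900 604800 86400",
}

# Constructed sample: the serial has wrapped; 3 is newer than 4294967295.
WRAPPED_RESPONSES = {
    "srv-x.example": "master.example. hostmaster.example. 4294967295 1800 900 604800 86400",
    "srv-y.example": "master.example. hostmaster.example. 3 1800 900 604800 86400",
}

if __name__ == "__main__":
    for name, sample in (("sample", SAMPLE_RESPONSES), ("wrapped", WRAPPED_RESPONSES)):
        print(name, audit_zone_sync(sample))
```

A serial check only shows that copies claim the same version; it does not show that their contents are identical or that a transfer was authenticated.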
Re: Root Server DDoS Attack: What The Media Did Not Tell You
On Sun, 24 Nov 2002 10:56:51 EST, Joe Baptista said:

> No - and I can confirm that none exists or at least i have not seen any in the public arena.

So there's *NO* public data to back it up that you know of.. They claim to have several times more customers/users/whatever than even AOL, and *there is no data* to back that up?

The truly interesting question would be: How much of their traffic is value-added, and not just acting as a caching name server for the current root? If they have 150M users, but only 379 of them use it as anything other than a cache for the existing root, they're no more interesting than any of the other alt.roots that you label peanuts.

But I doubt we'll get any hard data of *that* detail when they haven't even quantified how many users they have.

> But I would not discount new.net's claims. I'm sure they can support their claims. At the very least they do have market share in root server operations irrespective of the means used to calculate it.

No data, but they want you to believe them anyhow.

It's called Snake Oil, Joe

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
Re: Root Server DDoS Attack: What The Media Did Not Tell You
> From: [EMAIL PROTECTED]
>
> ...
> The truly interesting question would be: How much of their traffic is value-added, and not just acting as a caching name server for the current root? If they have 150M users, but only 379 of them use it as anything other than a cache for the existing root, they're no more interesting than any of the other alt.roots that you label peanuts.
> ...

It seems likely for several reasons that spammers would be among the organizations most likely to buy names from the other roots if they were usable or even just popular.

Every day I read several 100 unsolicited bulk mail messages that land in spam traps while looking for domain names to add to my blacklists. Since I don't use the fraudulent roots, non-colliding names in the fraudulent roots are undefined for me. I rarely find undefined names and do not recall ever seeing a name in .love or other bogus top level domain. Almost all of the undefined names I do see are either obvious typos or develop definitions via odd registrars within a day or two. In the last month or two, I've seen only one name that might be in an alternate .com universe, and I suspect it is a typo.

Because SMTP servers that reject undefined domain names in the Mail_From command are extremely common, you would expect that not even spammers are likely to be stupid enough to buy a name in one of the fraudulent roots for use with email. It's possible that the other domain names would be useful if confined to HTTP, but I suspect that's only a little more likely than the possibility that there is any substance to IPv8.

(Note that the names I check in spam are mostly in URLs, and that my traps do collect mail from bogus SMTP sender domains. I check the advertised URLs to ensure that they are not being attacked with a joe job.)

In other words, I think you ought to adjust your kook filters.

Vernon Schryver [EMAIL PROTECTED]
Re: Root Server DDoS Attack: What The Media Did Not Tell You
On Sun, 24 Nov 2002, Vernon Schryver wrote:

> > From: [EMAIL PROTECTED]
> >
> > ...
> > The truly interesting question would be: How much of their traffic is value-added, and not just acting as a caching name server for the current root? If they have 150M users, but only 379 of them use it as anything other than a cache for the existing root, they're no more interesting than any of the other alt.roots that you label peanuts.
> > ...
>
> It seems likely for several reasons that spammers would be among the organizations most likely to buy names from the other roots if they were

oh no spam. no one was talking about spam. we're just talking about root. you're the first to mention spam and you're right no one would buy domains in the alt universe for smtp service. http for sure is used today. the alternative roots have spam free domains on the internet.

but then how many spammers use fictitious domain names in the USG internet. A lot! And I take exception to you claiming these roots are fictitious. They are the future of root service.

regards
joe baptista
Re: Root Server DDoS Attack: What The Media Did Not Tell You
On Sun, 24 Nov 2002 [EMAIL PROTECTED] wrote:

> On Sun, 24 Nov 2002 10:56:51 EST, Joe Baptista said:
>
>> No - and I can confirm that none exists or at least i have not seen any in the public arena.
>
> So there's *NO* public data to back it up that you know of.. They claim to have several times more customers/users/whatever than even AOL, and *there is no data* to back that up?

I accept their claim. Much like I accept most data I get on the net - including my own. Basically I feel most data - including public - can be challenged. Postel once described the net as a very big space. And i feel the space is very hard to quantify. I've seen many attempts and i'm not that confident of their accuracy - at best the methodologies employed show trends.

If I had time i'd investigate the claim myself. But if you go to their web page you will see the isp's who they pay to carry their part of the namespace universe - which see www.new.net. There are some big names there and i'm sure a poll of those companies on their user bases can validate or invalidate new.net's claims.

> The truly interesting question would be: How much of their traffic is value-added, and not just acting as a caching name server for the current root? If they have 150M users, but only 379 of them use it as anything other than a cache for the existing root, they're no more interesting than any of the other alt.roots that you label peanuts.

Exactly. I'm in 100% agreement overall here. The .god and .satan top level domain registries have over 8,000 domains registered this past year. And most of them are parked. They have been paid for but only a few hundred resolve. And this considering we have over 1000 users and a majority of domains are registered to two bulk users.

And much of the same applies to most of the domains in the alt.root universes. a lot of domains at namespace seem to be attached to something - usually a web site - but most of those are web spaces set up by namespace or namespace friends.

> But I doubt we'll get any hard data of *that* detail when they haven't even quantified how many users they have.

Well the one thing that really bothers me about new.net is that they don't do more. OK - so let's say their 156 M figure is bullshit. I can live with that. But still whatever figure it is - I still think it's significant. Even if they just have a 10% market share - it's still significant.

But the users of these ISP's are mainly ignorant of the fact that these additional namespace options exist. I find it surprising they have not effectively marketed themselves through their existing user population. Maybe i'm missing something here. 156 M people could easily start a trend.

>> But I would not discount new.net's claims. I'm sure they can support their claims. At the very least they do have market share in root server operations irrespective of the means used to calculate it.
>
> No data, but they want you to believe them anyhow.
>
> It's called Snake Oil, Joe

it's all snake oil Valdis. I see no difference between the ICANN or new.net snake oil. it's simply a snake oil of a different colour.

regards
joe baptista
Re: Root Server DDoS Attack: What The Media Did Not Tell You
let's put this back in public. You've made a very good point.

On Mon, 25 Nov 2002, Måns Nilsson wrote:

> So why are you using a real domain name for email? Try eating your own dog food and don't bother the rest of us. We have a working Internet to run.

Backward compatibility. It's as simple as that. Now if the ietf is willing to resolve .god on their mailservers I would be pleased to start posting with [EMAIL PROTECTED]

We could call it a test of some sort. Should we vote on that. I'm all for it.

regards
joe baptista
Re: Root Server DDoS Attack: What The Media Did Not Tell You
Valdis,

Sunday, November 24, 2002, 2:51:16 PM, you wrote:

Valdis> On Sun, 24 Nov 2002 10:56:51 EST, Joe Baptista said:
>> No - and I can confirm that none exists or at least i have not seen any in the public arena.

Valdis> So there's *NO* public data to back it up that you know of.. They claim to

There is also no data to support continuance of this denial of service attack on the ietf list.

d/
--
Dave Crocker mailto:[EMAIL PROTECTED]
TribalWise http://www.tribalwise.com
t +1.408.246.8253; f +1.408.850.1850
Re: Root Server DDoS Attack: What The Media Did Not Tell You
Folks, please don't feed the trolls.

S

Thus spake Joe Baptista [EMAIL PROTECTED]

> let's put this back in public. You've made a very good point.
>
> On Mon, 25 Nov 2002, Måns Nilsson wrote:
>
>> So why are you using a real domain name for email? Try eating your own dog food and don't bother the rest of us. We have a working Internet to run.
>
> Backward compatibility. It's as simple as that. Now if the ietf is willing to resolve .god on their mailservers I would be pleased to start posting with [EMAIL PROTECTED]
>
> We could call it a test of some sort. Should we vote on that. I'm all for it.
>
> regards
> joe baptista
Re: Root Server DDoS Attack: What The Media Did Not Tell You
> As a technical, legal, and historical matter the USG does not delegate root server management to anyone. Root server operators are volunteers and self-organizing. The USG lacks the authority to tell them what to do, or to fire them.

Exactly correct. Of course, various people in the USG may be deluded to the point of believing that USG has the authority. The USG thinks it has the authority to decide who can or cannot rule other countries, so it's hardly surprising it thinks it can decide who runs the DNS root.

Keith
Re: Root Server DDoS Attack: What The Media Did Not Tell You
where are these statistics from - I cannot believe that more than a few percent of the net uses non-USG root.

Vint

At 09:10 AM 11/23/2002 -0500, Joe Baptista wrote:

> The root servers struck by the attack assist computers in translating Internet domain names, such as www.circleid.com, to numeric equivalents used by computers. These servers provide the primary roadmap for 70% of all Internet communications. The remaining 30% of the net now uses competing root service providers who bypass the USG root system. They were not under attack.

Vint Cerf
SVP Architecture Technology
WorldCom
22001 Loudoun County Parkway, F2-4115
Ashburn, VA 20147
703 886 1690 (v806 1690)
703 886 0047 fax
Re: Root Server DDoS Attack: What The Media Did Not Tell You
joe, this makes no sense to me - the cacheing mechanisms are essentially doing what you suggest. That's one of the reasons the system is resilient. But you need to invalidate the cache to deal with changes to the binding of domain name and IP address. Simply mirroring everything doesn't improve things, in my estimation. In fact, trying to mirror everything everywhere has a massive update problem. Cacheing spreads the update process over time.

The USG doesn't actually run the root server (although some of the root servers are in fact housed at USG supported laboratories). The Dept of Commerce in effect delegates the actual operation to the root server operators.

The issue is less the size of the file than the problem of updating many copies of it reliably. The root server operators find it a challenge to assure that even the modestly sized root zone file is correctly distributed to all root servers accurately and in a timely fashion.

At 09:10 AM 11/23/2002 -0500, Joe Baptista wrote:

> To survive a sustained DDOS attack against the roots, the best solution an ISP has is to run its own system and eliminate any dependence on the US government for basic internet services. It would also be prudent for other primary namespaces like .com. Unfortunately, though, it would require a considerable amount of resources -- the .com zone file alone is well over a gigabyte in size. But the root file is very manageable and can easily be run on an ISP's local domain name servers.

Vint Cerf
SVP Architecture Technology
WorldCom
22001 Loudoun County Parkway, F2-4115
Ashburn, VA 20147
703 886 1690 (v806 1690)
703 886 0047 fax
Re: Root Server DDoS Attack: What The Media Did Not Tell You
Louis Touton is Vice President and General Counsel of ICANN.

ICANN has had a root server advisory committee from early days, working on root server placement to improve resilience; the security and stability advisory committee was created in the wake of 9/11 and has increased the priority of root server security evaluation.

At 09:10 AM 11/23/2002 -0500, Joe Baptista wrote:

> The attack, however, should come as no surprise to ICANN (Internet Corporation for Assigned Names and Numbers), the Department of Commerce contractor responsible for root security. Over the years, ICANN has been warned that the existing root infrastructure was vulnerable to attack, but the warnings have been largely ignored. Now, however, ICANN President Louis Touton insists that the attacks make it important to have increased focus on the need for security and stability of the Internet. ICANN's Security and Stability Advisory Committee quickly moved in to investigate the incident. The committee is expected to produce a report on securing the edge of the USG Domain Name System network.

Vint Cerf
SVP Architecture Technology
WorldCom
22001 Loudoun County Parkway, F2-4115
Ashburn, VA 20147
703 886 1690 (v806 1690)
703 886 0047 fax
Re: Root Server DDoS Attack: What The Media Did Not Tell You
> Louis Touton is Vice President and General Counsel of ICANN.

yes true

> ICANN has had a root server advisory committee from early days, working on root server placement to improve resilience;

would you be kind enough to offer a url that points to what this group has done? they had a CRADA to do something. I am unaware that they ever did anything. but perhaps I missed the announcement.

> the security and stability advisory committee was created in the wake of 9/11 and has increased the priority of root server security evaluation.

Vint said has increased the priority of root server security evaluation

This is an interesting comment. Again Vint please be concrete. What precisely have they done? Where is their report? Have they ever actually had a meeting? URL. Press release some definite citation please.

--
The COOK Report on Internet, 431 Greenway Ave, Ewing, NJ 08618 USA
(609) 882-2572 (phone fax) [EMAIL PROTECTED]
Subscription info prices at http://cookreport.com/subscriptions.shtml
Summary of content for 10 years at http://cookreport.com/past_issues.shtml
Info on Economics of Peering, Transit IXs November - December 118 pages available at http://cookreport.com/11.08-09.shtml
Re: Root Server DDoS Attack: What The Media Did Not Tell You
first of all I don't think this belongs in the IETF forum.

> Vint said has increased the priority of root server security evaluation
>
> This is an interesting comment. Again Vint please be concrete. What precisely have they done? Where is their report? Have they ever actually had a meeting? URL. Press release some definite citation please.

see http://www.icann.org/committees/security/ for a list of the documents the group has produced and presented to date.

-rick
Re: Root Server DDoS Attack: What The Media Did Not Tell You
Rick writes:

> first of all I don't think this belongs in the IETF forum.

That's what delete keys are for. It seems relevant to me.
Re: Root Server DDoS Attack: What The Media Did Not Tell You
Rick,

> first of all I don't think this belongs in the IETF forum.

why? the DNS is a key piece of internet infrastructure, as i'm sure you are well aware. if it is in danger, then all of us are in danger. what group is better equipped to deal with such problems than the ietf?

scott

>> Vint said has increased the priority of root server security evaluation
>>
>> This is an interesting comment. Again Vint please be concrete. What precisely have they done? Where is their report? Have they ever actually had a meeting? URL. Press release some definite citation please.
>
> see http://www.icann.org/committees/security/ for a list of the documents the group has produced and presented to date.
>
> -rick

--
Revolt now.
Re: Root Server DDoS Attack: What The Media Did Not Tell You
On Sat, 23 Nov 2002, Rick Wesson wrote:

> see http://www.icann.org/committees/security/ for a list of the documents the group has produced and presented to date.

there's not much there. it's lacking any response to the ddos incident.

regards
joe baptista
Re: Root Server DDoS Attack: What The Media Did Not Tell You
On Sun, 24 Nov 2002 00:51:49 +0100, [EMAIL PROTECTED] said:

> why? the DNS is a key piece of internet infrastructure, as i'm sure you are well aware. if it is in danger, then all of us are in danger. what group is better equipped to deal with such problems than the ietf?

That's an OPERATIONAL issue rather than a PROTOCOL issue. As such, it probably belongs over in NANOG or similar forums.

NANOG had much operational discussion about the DDOS attack on the root servers recently, as it did about the operational impact of 9/11 on sites like 60 Hudson.

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
Re: Root Server DDoS Attack: What The Media Did Not Tell You
On Sat, 23 Nov 2002, vinton g. cerf wrote:

> The USG doesn't actually run the root server (although some of the root servers are in fact housed at USG supported laboratories). The Dept of Commerce in effect delegates the actual operation to the root server operators.

As a technical, legal, and historical matter the USG does not delegate root server management to anyone. Root server operators are volunteers and self-organizing. The USG lacks the authority to tell them what to do, or to fire them. Indeed, as you note, some are not affiliated with the US in any way. Nit-picking, yes, but fairly important when sorting out who has authority over what. (Cf. http://personal.law.miami.edu/~froomkin/articles/formandsubstance.pdf for a discussion of the legal import of the root server operator's legal position.)

> The issue is less the size of the file than the problem of updating many copies of it reliably. The root server operators find it a challenge to assure that even the modestly sized root zone file is correctly distributed to all root servers accurately and in a timely fashion.

Are there statistics on this? Certainly the published info I've seen is more of the patting-self-on-back variety.

--
Please visit http://www.icannwatch.org
A. Michael Froomkin | Professor of Law | [EMAIL PROTECTED]
U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA
+1 (305) 284-4285 | +1 (305) 284-6506 (fax) | http://www.law.tm
--It's hot here.--