I think I'm jinxed. When I put my anti-DoS article up on this site the root name servers were attacked. Then
O'Reilly put the article on ONLAMP
and the next day there was the MS SQL worm...
A worm in a single 404 byte UDP packet: the net certainly wasn't prepared for that. This worm didn't really harm
infected systems all that much: it's the incredible amount of traffic generated by each infected system that
caused so much trouble. Obviously dozens of megabits worth of traffic for each affected host will lead to congestion in many places, but it was worse than that: Cisco routers that were doing fast switching rather than Cisco Express Forwarding (CEF) ran out of memory and CPU. It also seems Riverstone routers, which are supposed to be able to do this in hardware, fell flat on their faces. (But I haven't seend this myself.)
Have a look at an article I wrote for the O'Reilly Network about the impact of this worm:
Network Impact of the MS SQL Worm. (Note: the link doesn't work anymore, but I saved the article here.) And CAIDA has an in-depth
analysis.
Permalink - posted 2003-02-14
This is a post I wrote for O'Reilly back in January 2003 when the SQL Slammer worm hit. It seems it's gone from their site now, so I'm putting it here, including the comments.
Permalink - posted 2003-01-28
At the end of September, the White House published a
National Strategy to Secure Cyberspace.
It seems that at the last moment, a lot of text was cut and the 60 odd pages PDF document offered for download was made a draft, with the government actively soliciting comments. One of the prime recommendations in the document
is:
R4-1 |
A public-private partnership should refine and accelerate the adoption of improved security for Border Gateway Protocol, Internet Protocol, Domain Name System, and others.
|
Some people say the government wants
Secure BGP (S-BGP) to be adopted. It is unclear how reliable these claims are. In any event, S-BGP has been a draft for two years, with no sign of becoming an RFC or implementations being in the works.
In 2001 4th quarter interdomain routing news I ranted about the general problems with strong crypto in the routing system.
It is widely assumed BGP is insecure because "anybody can inject any information into the global routing table." It is true that the protocol itself doesn't offer protection against abuse, but since BGP has many hooks for implementing policies, it is not a big problem to create filters that only allow announcements from customers or peers that are known to be good. However, the Routing Registries that are supposed to be the source of this information aren't always 100% accurate and although their security has greatly improved the last few years, it is not inconceivable that someone could enter false information in a routing database.
In an effort to make BGP more secure, S-BGP goes way overboard. Not only are BGP announcements supposed to be cryptographically signed (this wouldn't be the worst idea ever, although it remains to be seen whether it is really necessary), routers along the way are also supposed to sign the data. And the source gets to determine who may or may not announce the prefix any further. I see three main problems with this approach:
- The CPU time needed to do all this asymmetric crypto
- The storage needed for the signatures and related information
- The interface between the public key infrastructure and the routers and the circular dependency between the PKI on the routers
And even if all of these problems can be solved, it gets much, much harder to get a BGP announcement up and running. This will lead to unreachability while people are getting their certificates straightened out. Also, routers in colo facilities aren't the best place to store private keys.
Permalink - posted 2002-10-28
In the first week of May, a message was posted on the NANOG list by someone
who had a dispute with one of his ISPs.
When it became obvious this dispute wasn't going to
be resolved, the ISP wasn't content with no longer providing any service,
but they also contacted the other ISP this network connected to, and asked
them to stop routing the /22 out of their range the (ex-)customer was using.
The second ISP complied and the customer network was cut off from the internet.
(This all happened on a sunday afternoon, so it is likely there is more to
the story than what was posted on the NANOG list.)
The surprising thing was that many people on the list didn't think this
was a very unreasonable thing to do. It is generally accepted that a network
using an ISP's address space should stop using these addresses when it no
longer connects to that ISP, but in the cases I have been involved with there
was always a reasonable time to renumber. Obviously
depending on such a grace period is a very dangerous thing to do. You have
been warned.
Permalink - posted 2002-06-30
During the second week of April there was some discussion on reordering
of packets on parallel links at Internet Exchanges. Equipment vendors try
very hard to make sure this doesn't happen, but this has the risk that
balancing traffic over parallel links doesn't work as good as it should.
It is generally accepted that reordering leeds to inefficiency or even
slowdowns in TCP implementations, but it seems unlikely reordering will
happen much hosts are connected at the speed of the parallel links (ie,
Gigabit Ethernet) or there is significant congestion.
Permalink - posted 2002-06-29
►
April fools day is coming up again! Don't let it catch you by surprise.
Over the years, a number of RFCs have been published on April first, such as...
Full article / permalink - posted 2002-04-01
▼
April fools day is coming up again! Don't let it catch you by surprise.
Over the years, a number of RFCs have been published on April first, such as:
0894
Standard for the transmission of IP datagrams over Ethernet
networks. C. Hornig. Apr-01-1984. (Format: TXT=5697 bytes) (Also
STD0041) (Status: STANDARD)
But not all RFCs stubbornly ignore their publishing day. The first
"fools day compatible" RFC dates back to 1978:
0748
Telnet randomly-lose option. M.R. Crispin. Apr-01-1978. (Format:
TXT=2741 bytes) (Status: UNKNOWN)
Probably the most famous of all is RFC 1149, which was updated in RFC 2549:
1149
Standard for the transmission of IP datagrams on avian carriers.
����
D. Waitzman. Apr-01-1990. (Format: TXT=3329 bytes) (Updated by
����
RFC2549) (Status: EXPERIMENTAL)
2549
IP over Avian Carriers with Quality of Service. D. Waitzman.
����
Apr-01-1999. (Format: TXT=9519 bytes) (Updates RFC1149) (Status:
����
INFORMATIONAL)
It took some time, but in 2001 the Bergen Linux User Group
implemented
RFC 1149 and carried out some tests.
Can't get enough? Here are more April first RFCs:
RFC 1097,
RFC 1217,
RFC 1313,
RFC 1437,
RFC 1438,
RFC 1605,
RFC 1606,
RFC 1607,
RFC 1776,
RFC 1924,
RFC 1925,
RFC 1926,
RFC 1927,
RFC 2100,
RFC 2321,
RFC 2323,
RFC 2324,
RFC 2550,
RFC 2551,
RFC 2795.
Permalink - posted 2002-04-01
older posts
- newer posts