
Domain name system

Original author: Sean Gallagher

Aurich Lawson

A little more than a year ago, details emerged about an effort by some members of the hacktivist group Anonymous to build a new weapon to replace their aging denial-of-service arsenal. The new weapon would use the Internet's Domain Name Service as a force-multiplier to bring the servers of those who offended the group to their metaphorical knees. Around the same time, an alleged plan for an Anonymous operation, "Operation Global Blackout" (later dismissed by some security experts and Anonymous members as a "massive troll"), sought to use the DNS service against the very core of the Internet itself in protest against the Stop Online Piracy Act.

This week, an attack using the technique proposed for use in that attack tool and operation—both of which failed to materialize—was at the heart of an ongoing denial-of-service assault on Spamhaus, the anti-spam clearing house organization. And while it hasn't brought the Internet itself down, it has caused major slowdowns in the Internet's core networks.

DNS Amplification (or DNS Reflection) remains possible after years of security expert warnings. Its power is a testament to how hard it is to get organizations to make simple changes that would prevent even recognized threats. Some network providers have made tweaks that prevent botnets or "volunteer" systems within their networks from staging such attacks. But thanks to public cloud services, "bulletproof" hosting services, and other services that allow attackers to spawn and then reap hundreds of attacking systems, DNS amplification attacks can still be launched at the whim of a deep-pocketed attacker—like, for example, the cyber-criminals running the spam networks that Spamhaus tries to shut down.


CloudFlare's CDN is based on Anycast, a standard defined in the Border Gateway Protocol—the routing protocol that's at the center of how the Internet directs traffic. Anycast is part of how BGP supports the multi-homing of IP addresses, in which multiple routers connect a network to the Internet; through the broadcasts of IP addresses available through a router, other routers determine the shortest path for network traffic to take to reach that destination.

Using Anycast means that CloudFlare makes the servers it fronts appear to be in many places, while only using one IP address. "If you do a traceroute to Metallica.com (a CloudFlare customer), depending on where you are in the world, you would hit a different data center," Prince said. "But you're getting back the same IP address."

That means that as CloudFlare adds more data centers, and those data centers advertise the IP addresses of the websites that are fronted by the service, the Internet's core routers automatically re-map the routes to the IP addresses of the sites. There's no need to do anything special with the Domain Name Service to handle load-balancing of network traffic to sites other than point the hostname for a site at CloudFlare's IP address. It also means that when a specific data center needs to be taken down for an upgrade or maintenance (or gets knocked offline for some other reason), the routes can be adjusted on the fly.

That makes it much harder for distributed denial of service attacks to go after servers behind CloudFlare's CDN network; if they're geographically widespread, the traffic they generate gets spread across all of CloudFlare's data centers—as long as the network connections at each site aren't overcome.


The inside of Equinix's co-location facility in San Jose—the home of CloudFlare's primary data center.

Photo: Peter McCollough/Wired.com

On August 22, CloudFlare, a content delivery network, turned on a brand new data center in Seoul, Korea—the last of ten new facilities started across four continents in a span of thirty days. The Seoul data center brought CloudFlare's number of data centers up to 23, nearly doubling the company's global reach—a significant feat in itself for a company of just 32 employees.

But there was something else relatively significant about the Seoul data center and the other 9 facilities set up this summer: despite the fact that the company owned every router and every server in their racks, and each had been configured with great care to handle the demands of CloudFlare's CDN and security services, no one from CloudFlare had ever set foot in them. All that came from CloudFlare directly was a six-page manual instructing facility managers and local suppliers on how to rack and plug in the boxes shipped to them.

"We have nobody stationed in Stockholm or Seoul or Sydney, or a lot of the places that we put these new data centers," CloudFlare CEO Matthew Prince told Ars. "In fact, no CloudFlare employees have stepped foot in half of the facilities where we've launched." The totally remote-controlled data center approach used by the company is one of the reasons that CloudFlare can afford to provide its services for free to most of its customers—and still make a 75 percent profit margin.



A 45-year-old Delaware resident, Mike Mann, became a multi-millionaire by being an obsessive, compulsive domain buyer.

Last week he acquired 14,962 domain names in less than 24 hours, reports CNET. He sells them shortly after purchasing for hundreds, sometimes thousands, of dollars.

"I'm just really greedy," he tells CNET. "I want to own the world."

His domain kick started in the late '90s, when he paid $70 for Menus.com and was offered $50,000 to sell it.


Mann has since made a multi-million dollar business out of snatching up domains. He created BuyDomains and sold it to Highland Capital in 2005 for $80 million.

His newest domain business, DomainMarket.com, generates $400,000 every month. Mann buys roughly 300 domains per day.

For more on how Mann created a business buying and selling domains, head over to CNET >


An anonymous reader writes "Back in early '95 I registered a domain name and built a website for a hobby of mine. Over time the website (and domain) name have built a small but steady stream of traffic but my interest in the hobby is essentially gone and I've not been a visitor to my own site in well over two years. I'd like to sell the site/domain to a long-time member who has expressed interest in taking over and trying to grow the site, however I use the domain for my own personal email including banking, health insurance, etc. How have fellow readers gone about parting ways from a domain that they've used for an email address?" More generally, what terms would you like to include (or have you included) in a domain transfer? Old horror stories could help prevent new horror stories.



An anonymous reader writes "Details of the tools, techniques and procedures used by the hackers behind the RSA security breach have been revealed in a research paper (PDF) published by Australian IT security company Command Five. The paper also, for the first time, explains links between the RSA hack and other major targeted attacks. This paper is a vendor-neutral must-read for any network defenders concerned by the hype surrounding 'Advanced Persistent Threats.'"



wiredmikey writes "It's not news that some of the underlying foundations of the DNS protocol are inherently weak, especially what they call the "last mile" — or the part of the internet connection between the client and the ISP. To address this, OpenDNS has released a preview of DNSCrypt, a tool that enables encrypted DNS traffic, much in the same way SSL enables encrypted HTTP traffic. DNSCrypt will stop DNS replay, observation, and timing attacks, as well as Man-in-the-Middle attacks and resolver impersonation attacks. The tool, available already compiled for OS X, will also run on OpenBSD, NetBSD, Dragonfly BSD, FreeBSD, and Linux. There is no Windows client, which is odd considering a majority of the 30 million OpenDNS users run Microsoft's operating system."


bs0d3 writes "Last year, Pirate Bay co-founder Peter Sunde gathered coders to begin a decentralized DNS system. This is a direct result of the increasing control which the US government has over ICANN. The project is called P2P-DNS and according to the project's wiki, this is how the project is described: 'P2P-DNS is a community project that will free internet users from imperial control of DNS by ICANN. In order to prevent unjust prosecution or denial of service, P2P-DNS will operate as a distributed and less centralized service hosted by the users of DNS.' Today the project continues, barely. A majority of interest shifted to Namecoin once the idea was realized, but coder Caleb James DeLisle continues on the first project. So far he has DHT nodes and routers worked out, and awaits help on his IRC channel whenever volunteers are willing to join."
