You probably heard that there was an outage on Friday that affected some high profile websites. This comes hot on the heels of John Kerry’s threat to start a cyberwar with Russia with devastating effect. Friday’s attack was done by someone trying to clobber a company in New Hampshire used by Twitter, the NY Times and others that are frequent targets of denial of service attacks.
The Internet was designed to be scalable (able to grow indefinitely), resilient and able to survive nuclear war. To explain how DNS works and how it was broken, some foundation is necessary. The telephone system of the 1960s is a pretty close analogy, as many of the same minds designed both.
Let’s say you want to call your Aunt Mary, who lives in San Francisco. She works at Wells Fargo creating fake bank accounts.
Here is the process you would go through to contact Aunt Mary (remember, we are in the 1960s, not today). First we need to get a telephone number. This would be the process, more or less:
– if we call Aunt Mary a lot, we might know her number without looking it up
– if we don’t, we get our address book in the desk and look her up
– if we don’t have her number, maybe a relative has her number so we call them
– if that doesn’t turn it up, we look her up in the San Francisco phone book
– if still no luck, we dial 411 if we live in San Francisco and give the operator her name
– if we don’t live locally, we look up the area code for San Francisco and find it is 415, then dial (415) 555-1212 and ask long distance directory assistance
Eventually, we find her phone number and call. The actual route AT&T uses to connect your call is completely independent of knowing the number to call. That’s an important point: the ability to connect may go down, but without knowing the right number you will get nowhere.
So you call, the phone rings, but nobody answers. Answering machines don’t exist yet. You suddenly realize she is probably at work. She has an extension at work, but the phone company doesn’t know who sits at which desk; only Wells Fargo knows that. Keeping track of the phones inside a company is “delegated” to the customer. You may need to repeat the first process to get the phone number of the Wells Fargo switchboard, call that number, and ask the switchboard operator for Aunt Mary’s extension or to just connect you to her.
It’s the very last part of that process that was attacked on Friday.
So let’s say I try to reach www.twitter.com. I want to reach Aunt www, who works for Twitter in the .com area code. Off to the races.
How much of this process is used varies a lot with how many people want to make contact. Less popular relatives might take more work.
So, following our telephone model:
– if our computer / device went there recently, it just remembers. No need to ask again
– if your computer doesn’t remember, your internet provider probably does. Its resolver keeps a big cache so it doesn’t have to keep asking for Twitter 20 million times an hour
– if your internet provider doesn’t know (or the information is stale), it looks up the area code for .com. Since that rarely changes, the internet provider remembers it. Your ISP contacts the .com long distance directory and asks: hey .com, do you know Twitter? Assuming the NSA hasn’t deleted it, the .com directory gives out the phone numbers (names and IP addresses) of the Twitter main switchboard, Twitter’s authoritative name servers. .com isn’t responsible for knowing Aunt www’s phone number or even what country she is in
So now we call the twitter.com switchboard and ask for www. The “authoritative” directory for twitter.com hands over the exact phone number(s) to contact www.twitter.com. So now we can twit!
If you want to see how this works in practice and can tolerate being geeked out, here is what we get asking from a server in Texas:
*PROD* supersekrit@localhost /home/radiotest >dig www.twitter.com

; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> www.twitter.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33091
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.twitter.com.               IN      A

;; ANSWER SECTION:
www.twitter.com.        285     IN      CNAME   twitter.com.
twitter.com.            35      IN      A       199.59.150.7
twitter.com.            35      IN      A       199.59.148.10
twitter.com.            35      IN      A       199.59.148.82
twitter.com.            35      IN      A       199.59.149.198

;; AUTHORITY SECTION:
twitter.com.            46611   IN      NS      ns3.p34.dynect.net.
twitter.com.            46611   IN      NS      ns1.p34.dynect.net.
twitter.com.            46611   IN      NS      ns2.p34.dynect.net.
twitter.com.            46611   IN      NS      ns4.p34.dynect.net.

;; Query time: 1 msec
;; SERVER: 72.14.191.5#53(72.14.191.5)
;; WHEN: Sat Oct 22 02:43:36 EDT 2016
;; MSG SIZE  rcvd: 208

*PROD* supersekrit@localhost /home/radiotest >
We got the answer in 1/1000th of a second, so clearly Aunt www in the Twitter family is well known. 72.14.191.5 is the resolver in the data center that keeps the local copy. Look at the TTL column, though: the A records are only good for 35 seconds and the CNAME for 285, so that local copy would have shielded people and computers in that data center for at most a few minutes into Friday’s attack, not hours. The one thing remembered for a long time (46611 seconds, about 13 hours) is the list of Twitter’s authoritative servers, and knowing the switchboard’s number does not help when nobody there is answering.
It remembered four different authoritative servers for Twitter. While it remembered www, if we asked for Aunt www2 it would probably have to actually ask one of them. It also remembered four different answers to “what is the number for www.twitter.com?”; sometimes the first one doesn’t work, so the browser tries the next. Only when the cached answer has expired and all four authoritative servers are broken do we get the server not found error in the browser.
Dyn (dynect.net) was Friday’s target. Twitter could run its own authoritative servers, but this is a very specialized service, especially useful for companies that experience cyber attacks. On Friday, instead of flooding the Twitter phone system with millions of calls, the attackers flooded the Twitter switchboard operator. She got very, very busy, and anyone who had forgotten www’s extension and had to ask again got no answer. Because Dyn offers this service to many different customers from the same servers, clobbering those servers clobbered them all. One obvious improvement would be different authoritative servers for each customer, so only the one target is affected and the motive is clearer. Another is for the customer to list servers from a second, independent DNS provider in its NS records, so a resolver that can’t reach Dyn still has someone else to ask.
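To make the lookup chain and Friday’s failure concrete, here is an added toy model (my own illustration, not Dyn’s, Twitter’s or the author’s code) built from the names, addresses and TTLs in the dig output above. It is a constructed simulation, not real DNS: the root and .com steps are collapsed into one table, the four Dyn servers are plain Python objects that either answer or “don’t pick up”, and a fake clock moves time forward so the TTLs can expire. It walks the cold lookup (ask .com, then ask Dyn), shows the cache answering during the flood, then shows the SERVFAIL once the 35 second A records go stale even though the NS records are still cached for hours.

```python
"""Toy resolver modelling the telephone analogy.  Constructed data: names,
IPs and TTLs are taken from the dig output on this page; everything else is
a simplification for illustration."""

# The .com "long distance directory": who is authoritative for twitter.com.
COM_DIRECTORY = {
    "twitter.com.": ["ns1.p34.dynect.net.", "ns2.p34.dynect.net.",
                     "ns3.p34.dynect.net.", "ns4.p34.dynect.net."],
}
COM_NS_TTL = 46611          # from the AUTHORITY section: about 13 hours

# What the Dyn servers (the "Twitter switchboard") know: (type, data, ttl).
DYN_ZONE = {
    "www.twitter.com.": ("CNAME", ["twitter.com."], 285),
    "twitter.com.": ("A", ["199.59.150.7", "199.59.148.10",
                           "199.59.148.82", "199.59.149.198"], 35),
}


class ServFail(Exception):
    """No authoritative server answered: the browser's 'server not found'."""


class AuthServer:
    def __init__(self, name, zone):
        self.name, self.zone, self.up = name, zone, True

    def query(self, qname):
        if not self.up:                     # flooded: the call never connects
            raise TimeoutError(self.name)
        return self.zone.get(qname)


class FakeClock:
    """Lets the example move time forward without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class Resolver:
    """The ISP's cache plus the asking-around described in the text."""
    def __init__(self, servers, clock):
        self.servers = {s.name: s for s in servers}
        self.clock = clock
        self.cache = {}       # (qname, rtype) -> (rdata, expires_at)
        self.trace = []       # who had to be asked during the last lookup

    def _cached(self, qname, rtype):
        hit = self.cache.get((qname, rtype))
        if hit and hit[1] > self.clock():
            return hit[0]
        self.cache.pop((qname, rtype), None)    # stale: forget it
        return None

    def _store(self, qname, rtype, rdata, ttl):
        self.cache[(qname, rtype)] = (rdata, self.clock() + ttl)

    def _nameservers(self, qname):
        # Walk up the name until we reach a zone that .com knows about.
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels)):
            apex = ".".join(labels[i:]) + "."
            ns = self._cached(apex, "NS")
            if ns is None and apex in COM_DIRECTORY:
                ns = COM_DIRECTORY[apex]
                self._store(apex, "NS", ns, COM_NS_TTL)
                self.trace.append(f"asked .com for {apex} NS")
            if ns is not None:
                return ns
        raise LookupError(f"no zone for {qname}")

    def _ask_authoritative(self, qname):
        # Try each switchboard number in turn; give up only if all fail.
        for ns in self._nameservers(qname):
            try:
                rec = self.servers[ns].query(qname)
            except TimeoutError:
                self.trace.append(f"{ns} did not answer")
                continue
            if rec is None:
                raise LookupError(f"NXDOMAIN {qname}")
            rtype, rdata, ttl = rec
            self._store(qname, rtype, rdata, ttl)
            self.trace.append(f"{ns} answered {rtype} for {qname}")
            return rtype, rdata
        raise ServFail(qname)

    def resolve(self, qname, depth=0):
        """Return the IP list for qname; self.trace records who was asked."""
        if depth == 0:
            self.trace = []
        if depth > 8:
            raise RuntimeError("CNAME loop")
        for rtype in ("A", "CNAME"):
            rdata = self._cached(qname, rtype)
            if rdata is not None:
                break
        else:
            rtype, rdata = self._ask_authoritative(qname)
        if rtype == "CNAME":                    # follow www -> twitter.com
            return self.resolve(rdata[0], depth + 1)
        return list(rdata)


def friday_scenario():
    """Replay the attack: the cache shields clients only until the A TTL runs out."""
    clock = FakeClock()
    dyn = [AuthServer(n, DYN_ZONE) for n in COM_DIRECTORY["twitter.com."]]
    r = Resolver(dyn, clock)
    out = {"cold": r.resolve("www.twitter.com."), "cold_asked": len(r.trace)}
    for s in dyn:                         # the flood: all four Dyn servers busy
        s.up = False
    out["warm_during_attack"] = r.resolve("www.twitter.com.")
    clock.now += 36                       # the 35 s A records are now stale
    try:
        r.resolve("www.twitter.com.")
        out["after_ttl"] = "answered"
    except ServFail:
        out["after_ttl"] = "SERVFAIL"
    out["ns_still_cached"] = r._cached("twitter.com.", "NS") is not None
    out["servers_tried"] = sum("did not answer" in t for t in r.trace)
    return out
```

Run `friday_scenario()` and inspect the dict: the cold lookup makes three round trips (one to .com, two to Dyn), the lookup during the flood is answered from cache, and 36 seconds later the resolver still remembers all four Dyn servers but gets no answer from any of them, so the client sees SERVFAIL. Knocking out a single server instead (set `dyn[0].up = False` on a fresh resolver) just moves the answer to ns2, which is the “sometimes the first one doesn’t work” case from the text.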