Kuro5hin.org: technology and culture, from the trenches
ICANN Jump on the Terrorist Bandwagon

By Arkady in Internet
Fri Nov 16, 2001 at 09:47:52 AM EST
Tags: Culture

The Internet Corporation for Assigned Names and Numbers (ICANN) have jumped on the "we must protect our way of life from these nasty terrorists" bandwagon in a big way lately, even going so far as to cancel their annual meeting this fall and replace it with a festival on Domain Name System (DNS) security. In doing this, they've managed to redirect attention from important issues of how the DNS is administered, and away from the single greatest threat to the system's stability: ICANN itself.


One root to rule them all;
One root to find them;
One root to bring them all
And in the darkness BIND them
In the land of Herndon
Where the shadows lie.

Choosing Targets

The attraction in bringing down the global DNS for a terrorist (or for a high-school student with a modem, for that matter) is obvious: without it, only those of us who already know the Internet Protocol (IP) address numbers for the machines we use could still operate on the Net. This type of attraction is a known and natural risk for any important piece of infrastructure, and is certainly not unique to the DNS or the Net in general. With ICANN in charge, however, there are two much more compelling motives for terrorists (and not high-school students) to hit the DNS: ICANN is a U.S. government operation run by and for large global businesses.

For those of you who thought ICANN was a global standards and technical coordinating body, this may come as something of a shock, but ICANN was created by the U.S. government and operates under the auspices of (and by a contract from) the U.S. Department of Commerce (DoC). In fact, all major decisions by ICANN (such as which new Top-Level Domains (TLDs) to add to their root system) are subject to approval by the DoC, though this receives only minimal notice even in the technical press.

Add to this the fact that ICANN is structured to provide large commercial entities control over its decision-making processes and you give potential terrorists exactly the same reasons to attack their DNS as they had to attack the Pentagon and the World Trade Center: the U.S. government and global capital.

As many people have said, but few in the American media have reported, who owns a system and by and in whose interests it is operated is a major factor in whether it will be attacked. ICANN's in-built subservience to the American State and to global capital merely serves to attract attacks to the DNS.

Monolithism

It is a well-established fact that a well-designed distributed system is far more stable in the face of attack or damage than a monolithic one. The Net itself was designed with this understanding and the goal of continuing operation after a nuclear attack on the United States. The National Science Foundation (NSF) DNS infrastructure, which is now the ICANN system, only partially implemented this.

While it is true that there are 13 root DNS servers in their system, and these are well distributed on different networks, the actual TLD data often resides on only a few machines, thus presenting only a few critical points of failure, and the management of their system is quite centralized, being in the hands of ICANN and VeriSign. This element of centralization makes the system more vulnerable to attack (and less responsive to its millions of users) than it should be.

With the data and management centralized on 13 servers and two corporations, the ICANN DNS system can be disabled by any of the common Distributed Denial of Service (DDoS) attack programs. With this centralization of services, an attack on ICANN can disable all DNS resolution for the vast majority of Internet users, thus rendering the Net functionally useless to them. Similarly, the centralization of management creates the opportunity for an attack on the managing organization to disable the system. A single anthrax-hoax at VeriSign's offices could block updates to the system (and the administrators' ability to respond to a concurrent network-based attack) for several days, also rendering the system unusable.

Without DNS resolution, the Net is usable only by those who actually know the IP numbers of the machines they want to use (and with the growth in name-based virtual hosting, even that's no longer a guarantee).

Distributing Control/Distributing Risk

There are at least 10 different DNS systems, other than ICANN's, operating on the Net at this point. Needless to say, an attack on ICANN's systems (or on any one root operator's systems) wouldn't affect users of these other DNS networks.

The "independent" root operators are (slowly, I admit) working towards a truly distributed DNS, where the system is operated by a variety of autonomous organizations and managed by collaboration between these groups. Such a system is, even with all other factors being equal, much more resistant to attack as the risk and damage is compartmentalized; were an attacker to bring down one system, the others are still functioning normally and would be available to take over providing service for the affected system's users and data.

This gain in stability is available without any modification to the base software on which the system runs; with some modifications to the DNS protocols and software (which is not out of the question, as ICANN is considering that for their own system already), the service could be made even more distributed and more robust. DNS is, at heart, a distributed database of name to number mappings and, as such projects as FreeNet have demonstrated, the technology for distributing databases has come a long way since BIND was first released, though BIND and the DNS protocols have changed only slightly in all that time.

The 11th Parallel

Of all the DNS systems on the Net, only ICANN objects to a more distributed model, and for an obvious reason: they are the one which is currently the default used by new installations of the common DNS software (BIND and djbDNS) and are thus the root used by the vast majority of the Net. As the major power on the Net, they stand to lose the most (in both control and wealth) in a move to a more distributed environment. They are, therefore, ignoring this issue entirely in their discussion on "securing" DNS.

In this, ICANN's attitude and response are much the same as those made to terrorist attacks in the Real World by their sponsors and beneficiaries, the State and Capital. Just as the U.S. government has refused to discuss the centralization of wealth and power in their organization which gave rise to the September 11th attacks (and has gone so far as to request the American media not air the statements from al-Qaeda as to what those motives were), ICANN has always refused to discuss the centralization of wealth and power in their organization which makes it an attractive, and less resistant, target (and has even gone so far as to submit an RFC which describes the independent root operators as a threat to the DNS system's stability).

This parallel response is unsurprising; ICANN is a creation of the government, and is run by appointees and employees of some very large global businesses. It would only be surprising were ICANN to actually consider stepping down from their position of control over the Net in order to benefit the DNS system, just as it would only be surprising if the U.S. were to step down from its position of control over the Real World to improve the quality of life there.

ICANN Jump on the Terrorist Bandwagon | 31 comments (20 topical, 11 editorial, 1 hidden)
ICANN an interesting issue... (4.00 / 5) (#4)
by grout on Thu Nov 15, 2001 at 05:16:35 PM EST

... and though the analogy with the U.S. is inflammatory, it's apt. The U.S. may do quite a bit of good (along with the bad) with its worldwide influence, but its influence doesn't issue from morality. Morality is usually something you promote with power, not to get power. "ICANN, why do you control the world DNS space from one country's power base?" "Because I CAN."
--
Chip Salzenberg, Free-Floating Agent of Chaos

ROFL (4.71 / 7) (#5)
by aphrael on Thu Nov 15, 2001 at 05:52:26 PM EST

This is interesting. It seems to me that this statement: Add to this the fact that ICANN is structured to provide large commercial entities control over its decision-making processes and you give potential terrorists exactly the same reasons to attack their DNS as they had to attack the Pentagon and the World Trade Center: the U.S. government and global capital. implies that an attack on DNS would be terrorism, which implies that the inclusion of hacking in the list of crimes subject to new legal proceedings pursuant to the domestic anti-terrorism bill is reasonable.

OK, that's funny (4.00 / 3) (#6)
by Arkady on Thu Nov 15, 2001 at 06:02:29 PM EST

I certainly wasn't thinking that when I wrote it. ;-)

It's got some truth to it, though. Just as the WTC is a valuable target for its symbolic display of American capital's power, ICANN's DNS system is definitely viewable as a symbol of America's domination over the "medium of the future" (it's also a practical display of that domination), so an attack on it is attractive for its symbolic (as well as practical) repercussions.

And if you define terrorism as the Feds just did, then it's certainly possible for hacking to fall in that definition.

-robin

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.


[ Parent ]
Nope, no motivation here, move along. (4.00 / 11) (#8)
by Kasreyn on Thu Nov 15, 2001 at 06:57:19 PM EST

"As many people have said, but few in the American media have reported, who owns a system and by and in whose interests it is operated is a major factor in whether it will be attacked."

The reason this is not reported is because there is a conscious effort under way to make the terrorists look like random madmen, and to make their attacks look wholly unmotivated by any possible wrongdoing on our part. Let's face it: any mass media outlet that says otherwise will quickly have several million self-righteous capitalism-worshipping New Yorkers on its ass, at the very least.

You're advising us of some already-well-known facts. No one likes to admit error. In particular, authoritarian hierarchies (of which our government and any corporation are examples) are especially loath to ever admit a mistake or wrongdoing. Allowing Americans to hear OBL's grievances might make some of them think about US foreign policy, which is something they'd rather citizens be ignorant of. One can almost imagine the playbook: "Remember, every enemy grievance aired is another sign-waving protestor you'll have to tear-gas!"


-Kasreyn


"Extenuating circumstance to be mentioned on Judgement Day:
We never asked to be born in the first place."

R.I.P. Kurt. You will be missed.
One Question (4.00 / 4) (#12)
by joecool12321 on Fri Nov 16, 2001 at 02:27:19 AM EST

The only question I have after reading your article: is ICANN doing anything at all to protect from attack? I understand your argument for what they should be doing, and I agree. But are they doing anything they claim will help protect themselves?

--Joey

hard to say (4.00 / 2) (#13)
by Arkady on Fri Nov 16, 2001 at 02:54:47 AM EST

First, they're just wrapping up their "security"-focused replacement for their annual meeting today, so not much could have been done yet. You can always check their web site to see what they want you to think they're doing. ;-)

More useful, though, would be to follow the articles about it, say by Kevin Poulsen (who wrote the article that got me ticked off enough to write this) who writes for SecurityFocus.

More importantly, though, you have to remember that there's not a lot ICANN can do directly anyway, since they don't have direct control over those root servers. Those boxen are run by several different organizations who've been operating them since the NSF days. ICANN can push policy at them, but hasn't actually got the root passwords to them (I would think). And the gtld-server.net TLD servers (for .com &co.) are run by VeriSign, now they've taken over NSI, so ICANN only has contractual control over them, too. For being so centralized, it seems ICANN doesn't likely have the direct access necessary to enforce their policy decisions (though, of course, the Feds could do it for them since ICANN's a U.S. government contractor). ;-)

-robin


Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.


[ Parent ]
So what do you suggest we DO about it (3.60 / 5) (#17)
by sfischer on Fri Nov 16, 2001 at 07:36:13 AM EST

While I may not agree with your style and the analogies to our current terro-political situation, I believe it is worth considering how best to resolve the problem. As currently packaged, your article is nothing more than a whine. I'd give it much more credence if you referenced the other DNS providers and made suggestions (technical, management and political) on what to do differently and how.

Don't just complain. Help educate us on how to fix it.

-swf

Aargh! (2.00 / 1) (#18)
by Sanityman on Fri Nov 16, 2001 at 11:49:06 AM EST

how best to resolve the problem
PLEASE tell me this is accidental. Please...

;o)

OBTopic: are the others of the Thirteen (which really does sound like a LOTR reference) obliged to do everything/anything that ICANN says? Who gives a US Govt-appointed body authority over a cooperative global network? Some of those tld DNS servers may even be in other countries...

Sanityman



Disclaimer: Whatever organisation you had in mind, I'm not representing it.
If you don't see the fnords, they can't eat you.
[ Parent ]
Not whining. (3.00 / 3) (#19)
by The Great Satan on Fri Nov 16, 2001 at 12:02:18 PM EST

I would much rather have the problem out in the open and being discussed. I would rather know about a problem than have to discover it on my own "the hard way."

More info on the alternative DNS providers would be good. Because k5 is an interactive medium I can ask Arkady for the information - and probably get better results doing so than by name calling.


Check out my comic at www.shizit.net/alpha. Or take care of your post hardcore music needs at www.shizit.net. Or ignore this lame self-promotional spam.
[ Parent ]
Arkady's solution (5.00 / 1) (#29)
by rusty on Sun Nov 18, 2001 at 01:30:24 AM EST

...has been implemented here. He's too modest to turn this into a plug for his own project, but he's already organized a growing alternative root, which is distributed, democratic, and open to peering with other roots (which solves, or at least ameliorates, the problem in this article).

There's a lot more information in the opennic webspace. I suggest you look there for some working answers.

-----

On a meta note, this question brings up an interesting point. If Arkady had mentioned opennic as a solution to the "whine" embodied in the article, would that have been SSP? And would it have been acceptable? It seems like a damned if you do, damned if you don't situation, if you can't promote your own project, and also can't highlight a problem without proposing a solution...

Something to ponder.

____
Not the real rusty
[ Parent ]

SSP (none / 0) (#30)
by wiredog on Sun Nov 18, 2001 at 08:08:48 AM EST

We've voted SSP up before. If it is clearly labeled, of interest to us, and posted by somebody who's been here awhile.

If the first thing someone posts is a story about their own cool idea, it goes down in flames.

The idea of a global village is wrong, it's more like a gazillion pub bars.
Phage
[ Parent ]

actually (none / 0) (#31)
by Arkady on Sun Nov 18, 2001 at 01:55:35 PM EST

It's been more a matter of time than modesty, actually, though I was ambivalent about exactly how to reply to these.

Aziz (our old server, off which I've been trying to get the users for months) was cracked Thursday night. I've been rather busy dealing with that.

-robin

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.


[ Parent ]
Is this really that big of a threat? (3.83 / 6) (#21)
by kgb on Fri Nov 16, 2001 at 02:52:13 PM EST

It seems to me that should ICANN's 13 servers fall victim to attack, it would take a few hours for the sysadmins of the world to switch over to the open DNS servers you mention, and the problem would at least have a work-around. But it strikes me that the attack you are describing would only cripple the ability to update the DNS changes workaday DNS servers are looking for from ICANN.

Wouldn't the DNS server at my local ISP still be intact? Wouldn't that mean that the only disruption I'd be facing is trying to resolve recently moved or created domain names?

If this attack were to take place, I think a subscriber-list style database diff could be generated instantly at ICANN and/or Verisign, emailed out and voilà! a work around to even that update problem is in place, with little or no degradation to net services for the bulk of users.

It may be that I am entirely mistaken? Am I missing something?

PS this is a repost of a comment inadvertently submitted as editorial.

missing (4.66 / 3) (#22)
by Arkady on Fri Nov 16, 2001 at 06:03:39 PM EST

What you're missing is the hierarchical nature of DNS' distributed database. ;-)

Basically, your local servers only have the locally authoritative data and you have to query the roots to get data from other parts of the system. Here's the description of the process, which I wrote for an as-yet unpublished article on OpenNIC and independent DNS systems:

#####
DNS is a fairly simple distributed hierarchical database, where each level contains only its own local data and pointers to the servers which contain the data for lower levels. As an example:

   a) my server contains all the information for the domain "unrated.net";

   b) a server controlled by Network Solutions Incorporated (NSI) contains all the data for the domain "net", which includes a pointer to my server as the authoritative source for data within "unrated.net";

   c) a machine (actually, a set of machines) controlled by the Internet Corporation for Assigned Names and Numbers (ICANN) stands at the root of this tree, containing pointers to the servers which are authoritative for all the Top-Level Domains (TLDs) in the ICANN namespace.

In order to use this system an end-user's machine must be pointed to a name server. All name server software is distributed with a file containing pointers to the 13 ICANN root name servers. To find the address for the machine "www.unrated.net", therefore:

   a) the end user's system will prepare a request for the address of the machine named "www.unrated.net" and send it to its name server

   b) this name server will contact one of the root servers to acquire the address of the authoritative name server for "net"

   c) it then asks this server for the address of the authoritative name server for "unrated.net"

   d) having found the name server for the proper domain, the user's name server then asks my server for the address corresponding to the name "www" in the domain "unrated.net"

   e) this address, or any error condition, is then reported back to the end-user's machine
#####

What this does mean, though, is that if you're configured for the ICANN root, you'd have to have already downloaded the list of OpenNIC's IP numbers to switch after they go down. ;-)

Cheers,
-robin

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.


[ Parent ]
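The resolution walk described in the comment above, as an added example rather than code from the original post or from OpenNIC: a small Python model of iterative lookup driven by a root hints list, following the comment's tree (a root server, then the server for "net", then the server for "unrated.net"). It goes a little beyond the comment by giving the resolver a simple answer cache, which is what the question about the local ISP's server turns on, and by adding a second, peered root. Every server name and address is a constructed placeholder from the RFC 5737 documentation ranges; the thirteen-root hints list, the outage and the alternative root are assumptions made for the demonstration.

```python
"""Toy model of iterative DNS resolution driven by a root hints list.

Added example, not code from the original post or from OpenNIC. The tree
(root -> "net" -> "unrated.net" -> "www") follows the comment; every
server name and address below is a constructed placeholder.
"""
from dataclasses import dataclass, field


@dataclass
class NameServer:
    """An authoritative server: its own records plus delegations (pointers
    to the servers authoritative for the next level down), nothing else."""
    name: str
    addr: str
    records: dict = field(default_factory=dict)      # fqdn -> address
    delegations: dict = field(default_factory=dict)  # zone -> [server addrs]
    online: bool = True


SERVERS: dict = {}   # addr -> NameServer, the simulated network


def add_server(ns):
    SERVERS[ns.addr] = ns
    return ns


def query(server_addr, qname):
    """One round trip. Returns ("answer", addr), ("referral", [addrs]) or
    ("nxdomain", None); raises TimeoutError if the server is unreachable."""
    srv = SERVERS.get(server_addr)
    if srv is None or not srv.online:
        raise TimeoutError(server_addr)
    if qname in srv.records:
        return "answer", srv.records[qname]
    labels = qname.split(".")
    # Longest delegated suffix first, e.g. "unrated.net" before "net".
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in srv.delegations:
            return "referral", srv.delegations[zone]
    return "nxdomain", None


def resolve(qname, root_hints, cache=None, max_hops=10):
    """Iterative resolution: start at a root from the hints list and follow
    referrals down the tree. Returns the address, or None for NXDOMAIN;
    raises TimeoutError when no server at some level answers."""
    if cache is not None and qname in cache:
        return cache[qname]                 # served locally, no root needed
    candidates = list(root_hints)
    for _ in range(max_hops):
        for addr in candidates:
            try:
                kind, data = query(addr, qname)
            except TimeoutError:
                continue                    # try the next server at this level
            if kind == "referral":
                candidates = data
                break
            if kind == "answer" and cache is not None:
                cache[qname] = data
            return data                     # answer, or None for nxdomain
        else:
            raise TimeoutError(f"no reachable server among {candidates}")
    raise RuntimeError("referral loop")


def build_topology():
    """Thirteen root servers, one ".net" server, my server, and one
    independent root peered with the same ".net" delegation (all constructed)."""
    SERVERS.clear()
    net_servers = ["192.0.2.10"]
    roots = [add_server(NameServer(f"root{i}", f"198.51.100.{i}",
                                   delegations={"net": net_servers}))
             for i in range(1, 14)]
    add_server(NameServer("net-tld", "192.0.2.10",
                          delegations={"unrated.net": ["192.0.2.20"]}))
    add_server(NameServer("ns.unrated.net", "192.0.2.20",
                          records={"www.unrated.net": "192.0.2.80",
                                   "mail.unrated.net": "192.0.2.81"}))
    alt = add_server(NameServer("altroot", "203.0.113.1",
                                delegations={"net": net_servers}))
    return [r.addr for r in roots], [alt.addr]


def root_outage_scenario():
    """Resolve before and after all thirteen configured roots go silent."""
    icann_hints, alt_hints = build_topology()
    cache = {}
    result = {"before": resolve("www.unrated.net", icann_hints, cache)}
    for addr in icann_hints:
        SERVERS[addr].online = False        # simulated loss of the root set
    result["cached"] = resolve("www.unrated.net", icann_hints, cache)
    try:
        result["uncached"] = resolve("mail.unrated.net", icann_hints, cache)
    except TimeoutError:
        result["uncached"] = "timeout"
    # Works only because the alternative root's address was already on hand.
    result["via_alt_root"] = resolve("mail.unrated.net", alt_hints)
    return result


if __name__ == "__main__":
    for step, value in root_outage_scenario().items():
        print(f"{step:>12}: {value}")
```

Run as a script, it shows the three outcomes the thread argues about: a name already in the local cache keeps resolving after the root set disappears, an uncached name fails at the first hop with a timeout because every walk starts at a root, and the peered root takes over only because its address was in the resolver's hints list before the outage, which is the point made at the end of the comment.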
OK, I'll bite (3.00 / 5) (#23)
by ehintz on Fri Nov 16, 2001 at 09:37:52 PM EST

One root to rule them all;
One root to find them;
One root to bring them all
And in the darkness BIND them
In the land of Herndon
Where the shadows lie.

Nice. I do love the Tolkien references and the BIND play on words, although Tolkien references do seem to be coming fast and frequent these days. Unavoidable because of the movie I'm sure, but nice nonetheless... Cheers.

Regards,
Ed Hintz
thanks ;-) (3.66 / 3) (#24)
by Arkady on Sat Nov 17, 2001 at 01:45:26 AM EST

I promise, though, that I and many others in the independent DNS root world have referred to ICANN's attitude as the "one root to rule them all" approach so, though I can't claim originality I can at least claim it wasn't inspired by the film.

-robin

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.


[ Parent ]
independently discovered (3.50 / 2) (#26)
by Luyseyal on Sat Nov 17, 2001 at 11:59:14 AM EST

I had the same epiphany regarding Tolkien and The One Ring, along with BIND and DNS. That's cool!

-l

[ Parent ]
distributed root vs. 'one root rules all' (3.50 / 4) (#25)
by sye on Sat Nov 17, 2001 at 10:16:35 AM EST

Here's a link to Open Root Server Confederation Yet for someone who actually knows the man behind ORSC.net, he calls it "Only Richard Server Confederation".

If, by some magic force, any one of the independent root servers got into the position of ICANN, what is the basis for us to judge that it will act in any way different than what ICANN has been doing? One argument will be that such a body should be at least an international coalition. But as a matter of fact, ICANN is simply the root of .net, .com, .org and a couple of other new TLDs.

In my view, a distributed root will simply distribute the catastrophe of 13 root servers' downtime into a conflicting name-resolution mess throughout peacetime.

~~~~~~~~~~~~~~~~~~~~~~~
commentary - For a better sye@K5
~~~~~~~~~~~~~~~~~~~~~~~
ripple me ~~> ~allthingsgo: gateway to Garden of Perfect Brightess in CNY/BTC/LTC/DRK
rubbing u ~~> ~procrasti: getaway to HE'LL
Hey! at least he was in a stable relationship. - procrasti
enter K5 via Blastar.in

well (none / 0) (#28)
by Arkady on Sat Nov 17, 2001 at 04:32:23 PM EST

I think we've demonstrated with OpenNIC that we can be trusted to operate in a collaborative fashion, since that's how our internal operation has been since we started. ;-)

I don't know a lot about how ORSC operates internally, but I have heard what you're saying before (and don't really know enough to comment). They have had a touch of the "one root" attitude in my conversations with them in the past, though.

OpenNIC, AlterNIC and Pacific Root have already arranged namespace peering amongst ourselves, and are trying to expand the peering arrangement to the others as well. As I said above, ICANN's the only one who has flat-out refused to talk about it with the rest of us so there's a good chance it'll happen (at least for all the non-ICANN users).

-robin

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.


[ Parent ]