by asclepi 3572 days ago
So how exactly is one entity, even a state entity, going to take down all 13 root servers, assuming that that is what Schneier is talking about since the man speaks in mysteries? What would it take to do that?

Let's safely assume that these servers, every single one of them, are subject to DDoS attacks all the time and have at least some experience in handling them, and have a backup scenario ready for a serious attack. One of the reasons why the root servers are not centralized is to avoid the kind of disaster that Schneier predicts.

Also what if I maintain a list of IP addresses of the websites I visit most and update that list daily. When the "big attack" strikes, I put that list in /etc/hosts. Would I still be able to do my holiday shopping from Amazon? Would I still be able to read the logs on my VPS by ssh'ing to its IP? How long would such an attack sustain before BGP modifications start blackholing the sources? Long enough to let the average TTL cache expire?

Would an attack on the root servers really take down the internet? Or in case Schneier isn't talking about that, what kind of attack on the decentralized internet is actually able to take it all down? I'm not saying he is wrong, but I have a hard time thinking about how we should prepare and protect our infrastructure if he doesn't want to share the intel he knows instead of some generic warnings.

6 comments

Just to clarify, there are 13 "logical" root servers, but each one can be implemented by multiple servers. For example, L is implemented by 157 servers spread across the globe (see http://l.root-servers.org/ ). Many of the others are similarly redundant and distributed.
Every once in a while I think of creating a little DNS cache that never expires entries, except when it runs out of storage, and run it on a Raspberry Pi, feeding it with DNS queries on my home network (but never using it to send replies to clients, just store queries and results).

But I never do anything about it.

You can use dnstap with unbound or BIND 9.11 to do this kind of data collection really easily.
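A minimal version of that never-expiring collector, added here as an example and not code from any commenter: it parses DNS response messages (taken from a packet capture or a dnstap feed; the sample below is constructed), keeps every A/AAAA answer regardless of TTL, and renders the result as the /etc/hosts lines the original post imagines falling back to.

```python
import socket, struct
TYPE_A, TYPE_AAAA = 1, 28

def read_name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset just past it)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:                        # only backward pointers, so a loop cannot recurse forever
                raise ValueError("bad compression pointer")
            return ".".join(labels + [read_name(msg, ptr)[0]]), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length

def parse_answers(msg):
    """Yield (owner, rtype, rdata) for each answer-section RR of a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:                        # QR bit clear: a query, nothing to learn
        return
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10                                 # the TTL is parsed and deliberately ignored
        yield name, rtype, msg[off:off + rdlen]
        off += rdlen

def ingest(cache, msg):
    """Add A/AAAA answers to cache (name -> set of addresses); entries are never aged out."""
    for name, rtype, rdata in parse_answers(msg):
        family = {(TYPE_A, 4): socket.AF_INET, (TYPE_AAAA, 16): socket.AF_INET6}.get((rtype, len(rdata)))
        if family is not None:                    # CNAME, MX and friends are not hosts-file material
            cache.setdefault(name, set()).add(socket.inet_ntop(family, rdata))

def hosts_lines(cache):
    """Render the cache as /etc/hosts lines for the fallback the original post describes."""
    return [f"{addr} {name}" for name in sorted(cache) for addr in sorted(cache[name])]

SAMPLE_RESPONSE = (  # constructed, not captured: example.com A + AAAA with RFC 5737 / RFC 3849 addresses
    struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0) + b"\x07example\x03com\x00" + struct.pack("!HH", TYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + socket.inet_pton(socket.AF_INET, "192.0.2.10")
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_AAAA, 1, 300, 16) + socket.inet_pton(socket.AF_INET6, "2001:db8::10")
)
```

Feeding it the raw UDP payloads from a capture on port 53 is enough; the TTL is ignored on purpose, so the file it produces can go stale and should be treated as a last resort, not a resolver.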
It doesn't really imply harming the DNS, but rather the actual core infrastructure - network connections.

If they disable/crack/overwhelm the major routers connecting different ISPs (e.g. zero-days or backdoors for router OSes, BGP attacks with cooperation or cracked credentials from some major ISP insiders), then the internet is not going to work for you because your ISP will be simply unable to route your data to where you want.

Are there any good reasons to believe that all major router models don't have backdoors inserted by state actors, either by bribing an insider engineer ten years ago, or even by having a manufacturer of some secondary on-board chip (one that has direct memory access) insert a hardware backdoor? We've detected such attempts before; there's every reason to expect that there are some of them active and undetected right now.

Here's one way:

* Find a couple of remote security holes in Windows and Android, maybe iOS and Macs as well (Linux would be good too, as lots of servers run Linux and have big bandwidth).

* Write a self-propagating worm which uses your holes to infect a large chunk of machines currently attached to the internet.

* Set your worm so that, after an hour or so, it starts hammering the root servers.

That mess would be almost impossible to sort out, particularly if you were clever about the traffic you created so it was hard to filter.

The only reason I can think of that no-one would do this is that it's MAD -- no-one's internet would work, so why would Russia or China or the US want to take down everyone's internet?

>why would Russia or China or the US want to take down everyone's internet? //

No-one's "internet" would work except for states that had a backup network. In the event of war such a tool would be useful, imagine the panic, chaos.

Another situation could be a major power trying to destabilise another's economy, fiscal warfare?

https://indico.dns-oarc.net/event/25/session/4/contribution/...

Could be an interesting, peripherally relevant talk...

Just a little heads-up, your account appears to have been shadowbanned.
That post is publicly visible to me. It also seems to be the first post for the account, and is fairly substantive.

Moreover, I don't think it's even possible to reply to posts made from shadowbanned accounts.

Okay then.

I didn't look at the poster's history, I just saw a constructive-looking comment that seemed to be modded to oblivion, and jumped to conclusions.

I had to vouch for the post before HN would let me reply, which seems consistent with how shadowbanned accounts are handled here.

Sounds like someone flagged it for whatever reason and it was flag-killed.