Verisign Hides A Root Server
from the now-we're-playing-hide-and-seek? dept
Verisign has decided that having two of the root servers in the same building on the same network makes it more likely that a denial of service attack would knock them both out, and so they've moved one to an undisclosed location and put it on a different network. While this is getting a lot of press, I doubt it does very much to help protect the server. Its physical location doesn't much matter when the denial of service attack comes in.
Reader Comments
Yeah, with all those threats of physical DoS.
Are they really worried terrorists will actually try to bomb the root server, or are they just so dumb as to think that physically moving the server will somehow prevent the network attacker from finding it?
It's not just about physical DoS
Separating the two machines makes sense for more reasons than just the possibility of a physical attack on the machine(s) in question. If the two are in different physical locations, they likely will connect to the rest of the Internet via different physical connections. This means two things:
First, physical attacks, or just physical plant accidents like a fire in a wiring closet or a construction crew digging up a trunk cable, are less likely to take down multiple machines.
Second, since one of the points of a network DOS attack is to saturate the target's link to the rest of the network, two machines with separate links to the network are more resistant to some attacks than two machines that share a link to the network. Moving to a new physical location most likely has the effect of making them use two different links, and is possibly easier/quicker/cheaper than running a whole bunch of duplicate cable, switching equipment, etc. to the common location.
The physical distribution of the root servers and the large number of them compared to the demand on them have set a fairly low bar for their security. But now that we know that a DOS can get us within just one or two machines of crippling the network, the cost/benefit ratio changes, and we have to consider more, and more unlikely, vulnerabilities. It's still certainly possible to overdo it, but it's not necessarily unreasonable to take more precautions than we used to take.