I am inordinately proud of the poem in this one.
An old post of mine from Kuro5hin.Org, dated “Fri Nov 16th, 2001 at 09:47:52 AM EST”.
The Internet Corporation for Assigned Names and Numbers (ICANN) have jumped on the “we must protect our way of life from these nasty terrorists” bandwagon in a big way lately, even going so far as to cancel their annual meeting this fall and replace it with a festival on Domain Name System (DNS) security. In doing this, they’ve managed to redirect attention from important issues of how the DNS is administered and drawn attention away from the single greatest threat to the system’s stability: ICANN itself.
One root to rule them all;
One root to find them;
One root to bring them all
And in the darkness BIND them
In the land of Herndon
Where the shadows lie.
Choosing Targets
The attraction in bringing down the global DNS for a terrorist (or for a high-school student with a modem, for that matter) is obvious: without it, only those of us who already know the Internet Protocol (IP) address numbers for the machines we use could still operate on the Net. This type of attraction is a known and natural risk for any important piece of infrastructure, and is certainly not unique to the DNS or the Net in general. With ICANN in charge, however, there are two much more compelling motives for terrorists (and not high-school students) to hit the DNS: ICANN is a U.S. government operation run by and for large global businesses.
For those of you who thought ICANN was a global standards and technical coordinating body, this may come as something of a shock, but ICANN was created by the U.S. government and operates under the auspices of (and by a contract from) the U.S. Department of Commerce (DoC). In fact, all major decision by ICANN (such as which new Top-Level Domains (TLDs) to add to their root system) are subject to approval by the DoC though this only receives minimal notice by even the technical press.
Add to this the fact that ICANN is structured to provide large commercial entities control over its decision-making processes and you give potential terrorists exactly the same reasons to attack their DNS as they had to attack the Pentagon and the World Trade Center: the U.S. government and global capital.
As many people have said, but few in the American media have reported, who owns a system and by and in whose interests it is operated is a major factor in whether it will be attacked. ICANN’s in-built subservience to the American State and to global capital merely serve to attract attacks to the DNS.
Monolithism
It is a well established fact that a well designed distributed system is far more stable in the face of attack or damage than a monolithic one. The Net itself was designed with this understanding and the goal of continuing operation after a nuclear attack on the United States. The National Science Foundation (NSF) DNS infrastructure, which is now the ICANN system, only partially implemented this.
While it is true that there are 13 root DNS servers in their system, and these are well distributed on different networks, the actual TLD data often resides on only a few machines thus offering fewer critical points to attack, and the management of their system is quite centralized, being in the hands of ICANN and VeriSign. This element of centralization makes the system more vulnerable to attack (and less responsive to its millions of users) than it should be.
With the data and management centralized on 13 servers and two corporations, the ICANN DNS system can be disabled by any of the common Distributed Denial of Service (DDoS) attack programs. With this centralization of services, an attack on ICANN can disable all DNS resolution for the vast majority of Internet users, thus rendering the Net functionally useless to them. Similarly, the centralization of management creates the opportunity for an attack on the managing organization to disable the system. A single anthrax-hoax at VeriSign’s offices could block updates to the system (and the administrators’ ability to respond to a concurrent network-based attack) for several days, also rendering the system unusable.
Without DNS resolution, the Net is usable only by those who actually know the IP numbers of the machines they want to use (and with the growth in name-based virtual hosting, even that’s no longer a guarantee).
Distributing Control/Distributing Risk
There are at least 10 different DNS systems, other than ICANN’s, operating on the Net at this point. Needless to say, an attack on ICANN’s systems (or on any one root operator’s systems) wouldn’t affect users of these other DNS networks.
The “independent” root operators are (slowly, I admit) working towards a truly distributed DNS, where the system is operated by a variety of autonomous organizations and managed by collaboration between these groups. Such a system is, even with all other factors being equal, much more resistant to attack as the risk and damage is compartmentalized; were an attacker to bring down one system, the others are still functioning normally and would be available to take over providing service for the affected system’s users and data.
This gain in stability is available without any modification to the base software on which the system runs; with some modifications to the DNS protocols and software (which is not out of the question, as ICANN is considering that for their own system already), the service could be made even more distributed and more robust. DNS is, at heart, a distributed database of name to number mappings and, as such projects as FreeNet have demonstrated, the technology for distributing databases has come a long way since BIND was first released, though BIND and the DNS protocols have changed only slightly in all that time.
The 11th Parallel
Of all the DNS systems on the Net, only ICANN objects to a more distributed model, and for an obvious reason: they are the one which is currently the default used by new installations of the common DNS software (BIND and djbDNS) and are thus the root used by the vast majority of the Net. As the major power on the Net, they stand to lose the most (in both control and wealth) in a move to a more distributed environment. They are, therefore, ignoring this issue entirely in their discussion on “securing” DNS.
In this, ICANN’s attitude and response are much the same as those made to terrorist attacks in the Real World by their sponsors and beneficiaries, the State and Capital. Just as the U.S. government has refused to discuss the centralization of wealth and power in their organization which gave rise to the September 11th attacks (and has gone so far as to request the American media not air the statements from alQuaeda as to what those motives were), ICANN has always refused to discuss the centralization of wealth and power in their organization which make it an attractive, and less resistant, target (and have even gone so far as to submit an RFC which describes the independent root operators as a threat to the DNS system’s stability).
This parallel response is unsurprising; ICANN is a creation of the government, and is run by appointees and employees of some very large global businesses. It would only be surprising were ICANN to actually consider stepping down from their position of control over the Net in order to benefit the DNS system, just as it would only be surprising if the U.S. were to step down from its position of control over the Real World to improve the quality of life there.
- Hey, Democrats: Stop Funding Fascist Coups - 2025-12-09
- Self-Interesting: Fairness And Equality Are Rational Choices - 2025-12-08
- Yeah, It’s True: They Are The Bad Guys - 2025-12-05