October 23, 2002 1:10 PM PDT
Net attack flops, but threat persists
According to security experts, a more sophisticated attack could have disrupted the root servers long enough to impair Net access. Had the attack prevented access to the servers for eight to 10 hours, the average computer user may have noticed slower response times, said Craig Labovitz, director of network security firm Arbor Networks.
"If someone can really take over the infrastructure, it becomes a very different ball game," he said.
Although the attack failed to hobble the Net, there were indications Wednesday that it wasn't over yet, continuing at a lower intensity. In addition, locating the perpetrators will be difficult because the type of attack they used--known as a distributed denial-of-service--typically masks the origins of the assault.
In the wake of the attack, some of the companies and organizations that maintain the 13 key servers have pledged to reassess the security of the computers for which they are responsible.
VeriSign, which maintains two root servers as well as just over a dozen .com top-level domain servers, is evaluating whether it needs to revamp security, company spokesman Brian O'Shaughnessy said.
"VeriSign always looks for ways to improve its security," he said. "We are in a fluid environment--the bad guys always try to do bad things."
O'Shaughnessy refuted claims that the company's two charges--the "A" and "J" root servers--went down during the onslaught. "That's wrong," he said. "Two of the four that stayed up were ours."
Monday's assault took down seven of the 13 servers for as long as three hours, according to Internet performance measuring service Matrix NetSystems. The attack took the form of a data flood, sending a deluge of Internet control message protocol (ICMP) packets to the 13 root servers, which maintain the addresses for the hundreds of top-level domain servers. Top-level domains are recognized by familiar suffixes such as .com, .org and .uk.
ICMP packets carry network data used for reporting errors or checking network connectivity, as in the case of the common "ping" packet. A flood of such data can block access to servers by clogging bottlenecks in the network infrastructure, thus preventing legitimate data from reaching its destination.
However, ICMP data is not essential to network administration, and many servers and the routers that direct data to its destination tend to block the protocol. That's precisely what administrators did Monday afternoon to stop the flood of data from reaching the DNS root servers.
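The two defensive points in the paragraphs above (an ICMP flood shows up as a high packet rate toward one host from many different sources, and the blunt remedy is to drop ICMP aimed at the servers while leaving DNS traffic alone) can be illustrated with a small detector. The code below is an added example, not material from the article or from any of the operators it quotes; the packet-summary log it analyzes is constructed, the log format is invented for the example, and all addresses come from documentation ranges.

```python
"""Rate-based ICMP flood detection plus the coarse mitigation (drop ICMP to the
protected hosts). Added example; the log lines and their format are constructed."""
from collections import defaultdict
from datetime import datetime

# Hypothetical DNS servers we want to shield; 192.0.2.0/24 is a documentation range.
PROTECTED = {"192.0.2.10", "192.0.2.11"}


def build_sample_log():
    """Constructed packet summaries: a one-second ICMP burst at 192.0.2.10 in
    which every packet carries a different (spoofed-looking) source address,
    plus one DNS query and two ordinary pings from a single legitimate host."""
    lines = []
    for i in range(60):
        lines.append(f"2002-10-21 17:00:00.{i:03d} ICMP 203.0.113.{i + 1} -> 192.0.2.10 echo-request")
    lines.append("2002-10-21 17:00:00.500 UDP 198.51.100.5 -> 192.0.2.10 dns-query")
    lines.append("2002-10-21 17:00:00.600 ICMP 198.51.100.5 -> 192.0.2.11 echo-request")
    lines.append("2002-10-21 17:00:00.700 ICMP 198.51.100.5 -> 192.0.2.11 echo-request")
    return lines


def parse_line(line):
    """Parse one constructed summary line into a packet record."""
    date, clock, proto, src, _arrow, dst, kind = line.split()
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S.%f")
    return {"ts": ts, "proto": proto, "src": src, "dst": dst, "kind": kind}


def icmp_stats(packets, window_seconds=1.0):
    """Per destination: ICMP packet count, number of distinct sources, and the
    packet rate over the observed span (never shorter than window_seconds, so a
    burst of a few packets does not register as an absurdly high rate)."""
    per_dst = defaultdict(lambda: {"packets": 0, "sources": set(), "first": None, "last": None})
    for p in packets:
        if p["proto"] != "ICMP":
            continue
        s = per_dst[p["dst"]]
        s["packets"] += 1
        s["sources"].add(p["src"])
        s["first"] = p["ts"] if s["first"] is None else min(s["first"], p["ts"])
        s["last"] = p["ts"] if s["last"] is None else max(s["last"], p["ts"])
    result = {}
    for dst, s in per_dst.items():
        span = max((s["last"] - s["first"]).total_seconds(), window_seconds)
        result[dst] = {"packets": s["packets"],
                       "unique_sources": len(s["sources"]),
                       "pps": s["packets"] / span}
    return result


def detect_floods(stats, pps_threshold=50, source_ratio=0.5):
    """Flag destinations whose ICMP rate is high AND whose sources are mostly
    distinct: randomized origins are what separate a distributed flood from one
    noisy monitoring host pinging too often. Thresholds are illustrative."""
    return sorted(dst for dst, s in stats.items()
                  if s["pps"] >= pps_threshold
                  and s["unique_sources"] / s["packets"] >= source_ratio)


def drop_icmp_to(packets, protected):
    """The blunt 2002 mitigation: discard ICMP addressed to protected hosts and
    let everything else (notably DNS over UDP) through untouched."""
    return [p for p in packets if not (p["proto"] == "ICMP" and p["dst"] in protected)]


if __name__ == "__main__":
    pkts = [parse_line(l) for l in build_sample_log()]
    stats = icmp_stats(pkts)
    print("flooded:", detect_floods(stats))
    print("packets left after filter:", len(drop_icmp_to(pkts, PROTECTED)))
```

The source-ratio test is the part worth keeping: a per-destination rate alone also fires on a single misconfigured monitor, whereas a high count of distinct sources in a short window is the signature of the randomized-origin flood the article describes, and it is also why tracing the attack back is hard.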
Continuing and future attacks
Still, experts are concerned about a better executed attack.
"(This attack) didn't impact the Internet much, because the Internet is resilient and operators were quick to respond," said Tiffany Olsen, spokeswoman for the President's Critical Infrastructure Board, the group responsible for creating the United States' National Strategy to Secure Cyberspace. However, there "will be larger attacks than this one was."
The FBI has opened an investigation into the attacks, but the agency will have a hard time finding the responsible person or group because the distributed attack randomized the source information on each piece of data, experts said.
Despite that difficulty, security experts say that whoever executed the attack wasn't very good.
"There are tens and dozens of scripts and tools that could have generated an attack of this kind," Arbor's Labovitz said. "It wouldn't even require a computer scientist, or even a wily hacker, to do this."
Meanwhile, Matrix NetSystems said Wednesday that the attack may be ongoing. "There are five servers right now that are showing issues," company CEO Bill Palumbo said. He acknowledged that the five may be down for maintenance or other reasons, but said that there are still delays in requests for domain name information.
Like a telephone book, domain name servers link a name, such as "cnet.com," with its numerical Internet Protocol address.
The system also works in a layered manner, so that someone who wants to go to a specific address is first directed to a local server. If the domain is not found, the request gets bumped up to a domain name server for the top-level domain, such as ".com."
Requests only rarely reach the root servers, usually when a new name server is added locally. In addition, each entry in a DNS server has an expiration date, known as the time to live (TTL). When that time arrives, the entry is supposed to be deleted and the local DNS server has to ask the top-level domain server for the latest address information.
"You have to realize that there are several tens of thousands of new routes advertised every day," Palumbo said. "Because of that, the authoritative nature of a cache deteriorates rather rapidly."
Thus, even a complete outage of all 13 DNS root servers wouldn't bring the Internet to a halt, unless it went on for hours or days--time enough for the local DNS caches to expire.
Paul Mockapetris, the inventor of DNS and chief scientist for domain-name software company Nominum, said that compared with the 300 or so records that each root server contains, a future target that administrators should worry about is the 3 million or so records held by the .com DNS servers.
"The root servers will be harder in a month than they are today," he said. "This was really sort of--to borrow from Afghanistan--was 'dumb bombs,' and you have to worry about more sophisticated attacks in the future."