US Federal authorities are investigating an attack on the internet that has been described as the "largest and most complex" in history. Rather than a specific entity, the attack was aimed at the domain name system's root servers, essentially at the internet itself, writes Kevin Murphy.
In a distributed denial of service attack that began at 5pm US Eastern time on Monday and lasted one hour, seven of the 13 servers at the top of the internet's domain name system hierarchy were rendered virtually inaccessible, sources told ComputerWire.
"We're aware of that [the attack] and the National Infrastructure Protection Agency is addressing the matter," an FBI spokesperson told ComputerWire. No more information on the investigation was available.
According to a source that preferred not to be named, the recently formed Department of Homeland Security is involved in the investigation, as well as the FBI, suggesting that authorities are concerned the attack may have originated overseas.
"It was the largest and most complex DDoS attack on all 13 roots," a source familiar with the attacks said. "Only four of the primary 13 root servers were up during the attack. Seven were completely down and two were suffering severe degradation."
The source said each of the servers was hit by two to three times the load normally borne by the entire 13-server constellation. Paul Vixie, chairman of the Internet Software Consortium, which manages one of the servers, said he saw 80Mbps of traffic to the box, which usually handles only 8Mbps.
In a DDoS flood attack, hackers take control of dozens or hundreds of "slave" or "drone" machines, then instruct them remotely to flood specified IP addresses simultaneously. The attack is believed to have been an ICMP (Internet Control Message Protocol) ping flood, in which a stream of spurious echo-request packets consumes the bandwidth of the target's links and the capacity of the devices in front of it, so that the target effectively stops responding to legitimate traffic.
Freely downloadable hacker tools such as Tribe Flood Network, Trinity and Stacheldraht can be used to launch ICMP floods. One such tool was used memorably against Amazon, eBay and other big sites in the Mafiaboy attacks of February 2000. Mafiaboy, a Canadian schoolboy, was eventually caught after bragging to friends about the attacks.
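The flood described above is easiest to spot not by inspecting individual packets but by watching the byte rate and protocol mix towards a monitored host and comparing it with its baseline (Vixie's 8Mbps against 80Mbps during the attack). The following detection logic is an added example, not code from the article, ISC or any of the operators quoted. It runs over a constructed per-second flow summary; the addresses are RFC 5737 documentation addresses, and the 5x threshold and 80% ICMP share are assumptions a practitioner would tune to their own links.

```python
"""Flag seconds in which a monitored host receives an ICMP flood.

Added example (not from the ComputerWire article).  Input is a constructed
per-second flow summary: "time proto src dst bytes".  192.0.2.53 stands in
for the name server being watched; the ICMP sources are the "drones".
"""
from collections import defaultdict

SAMPLE_FLOWS = """\
17:00:00 UDP  203.0.113.10 192.0.2.53 600000
17:00:00 ICMP 203.0.113.11 192.0.2.53 300000
17:00:00 UDP  203.0.113.12 192.0.2.53 100000
17:00:01 UDP  203.0.113.10 192.0.2.53 650000
17:00:01 ICMP 198.51.100.7 192.0.2.53 3000000
17:00:01 ICMP 198.51.100.8 192.0.2.53 3100000
17:00:01 ICMP 198.51.100.9 192.0.2.53 2900000
17:00:02 ICMP 198.51.100.7 192.0.2.53 3200000
17:00:02 ICMP 198.51.100.8 192.0.2.53 3300000
17:00:02 UDP  203.0.113.10 192.0.2.53 550000
"""

# Baseline: roughly 8 Mbps, the normal load Vixie reported for his server.
NORMAL_BPS = 8_000_000


def parse_flows(text):
    """Parse the constructed summary into (time, proto, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, nbytes = line.split()
        records.append((ts, proto.upper(), src, dst, int(nbytes)))
    return records


def detect_icmp_flood(records, baseline_bps=NORMAL_BPS, factor=5, icmp_share=0.8):
    """Return (second, dst, bits_per_second, icmp_fraction, distinct_icmp_sources)
    for every second in which traffic to a destination is at least
    factor * baseline and ICMP accounts for at least icmp_share of it.
    Both thresholds are assumptions for the example."""
    total = defaultdict(int)
    icmp = defaultdict(int)
    icmp_srcs = defaultdict(set)
    for ts, proto, src, dst, nbytes in records:
        key = (ts, dst)
        total[key] += nbytes
        if proto == "ICMP":
            icmp[key] += nbytes
            icmp_srcs[key].add(src)

    alerts = []
    for (ts, dst), nbytes in sorted(total.items()):
        bps = nbytes * 8
        share = icmp[(ts, dst)] / nbytes
        if bps >= factor * baseline_bps and share >= icmp_share:
            alerts.append((ts, dst, bps, round(share, 2), len(icmp_srcs[(ts, dst)])))
    return alerts


if __name__ == "__main__":
    for ts, dst, bps, share, nsrc in detect_icmp_flood(parse_flows(SAMPLE_FLOWS)):
        print(f"{ts} {dst}: {bps / 1e6:.1f} Mbps, ICMP share {share:.0%}, "
              f"{nsrc} ICMP sources")
```

Because the attack congested devices upstream of the servers rather than the servers themselves, the counters worth feeding to a check like this are the ones on the upstream links, not the host's own interface; a host behind a saturated link sees less traffic, not more.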
The DNS root servers sit at the top of the domain name system hierarchy: they serve the root zone, which tells a resolver which name servers are authoritative for each top-level domain such as .com, and every lookup that cannot be answered from cache ultimately starts with them. If they were taken offline or became unreachable for long enough, any application that uses domain names, from email and web browsers upward, would eventually stop functioning properly.
The best way to counter these kinds of attacks is "massive over-provisioning", said the ISC's Vixie. He added that the attack did not actually crash any of the root servers, rather it congested devices upstream of the servers themselves, so that very little legitimate traffic could get through.
A spokesperson for VeriSign Inc, which manages another root server, said: "VeriSign expects that these sorts of attacks will happen, and VeriSign was prepared. VeriSign responded quickly, and we proactively cooperated with fellow providers and authorities."
Louis Touton, VP of the Internet Corp for Assigned Names and Numbers (ICANN) which runs another server, said that these types of attacks against root servers are common, but that the scale and the fact that all 13 servers were targeted set Monday's incident apart. He pointed out that no end users were affected.
DDoS attackers operate with at least one degree of separation from their targets, and use spoofed source IP addresses to make tracing them virtually impossible. According to Vixie, the only way to stop such attacks happening in future is to make it too hard to execute them and get away with it.
"The most important thing to come to light here has been known for some time. We've got to find a way to secure all the end stations that forge this traffic," Vixie said. "There's an army of drones sitting out there on DSL lines... There's no security at the edge of the network. Anyone can send packets with pretty much any source address."
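The control Vixie is describing, dropping packets at the network edge whose source address could not legitimately have come from that interface, is what RFC 2827 / BCP 38 calls ingress filtering. The following model of such a filter is an added example, not code from the article or from ISC: the customer prefixes and the packets are constructed, the addresses are RFC 5737 documentation and RFC 1918 private ranges, and the bogon list is deliberately short.

```python
"""Ingress (source-address) filtering at an access network's edge.

Added example, not from the article.  An access router that has assigned
two prefixes to its DSL customers forwards only packets whose source lies
in those prefixes; anything else on the customer-facing interface is forged.
"""
import ipaddress

# Prefixes actually assigned to customers behind this interface (constructed).
CUSTOMER_PREFIXES = [ipaddress.ip_network(p) for p in (
    "203.0.113.0/24", "198.51.100.128/25")]

# A short bogon list: sources that should never appear on a public link.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed packets seen on the customer-facing interface: (src, dst, proto).
# 192.0.2.53 stands in for the name server being flooded.
SAMPLE_PACKETS = [
    ("203.0.113.17", "192.0.2.53", "UDP"),     # customer DNS query, genuine source
    ("203.0.113.200", "192.0.2.53", "ICMP"),   # customer ping, genuine source
    ("10.0.0.5", "192.0.2.53", "ICMPx"),       # forged: private source
    ("192.0.2.53", "192.0.2.53", "ICMP"),      # forged: source set to the victim
    ("198.51.100.130", "192.0.2.53", "ICMP"),  # genuine, second assigned prefix
    ("198.51.100.2", "192.0.2.53", "ICMP"),    # forged: outside the assigned /25
    ("0.0.0.0", "192.0.2.53", "ICMP"),         # forged: unspecified address
]


def source_check(src, prefixes=CUSTOMER_PREFIXES):
    """Return None if src may legitimately appear on this interface,
    otherwise a short reason for dropping the packet."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return "bogon source address"
    if not any(addr in net for net in prefixes):
        return "source not within prefixes assigned to this interface"
    return None


def ingress_filter(packets, prefixes=CUSTOMER_PREFIXES):
    """Split packets into those forwarded and those dropped (with a reason)."""
    forwarded, dropped = [], []
    for src, dst, proto in packets:
        reason = source_check(src, prefixes)
        if reason is None:
            forwarded.append((src, dst, proto))
        else:
            dropped.append((src, dst, proto, reason))
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drop = ingress_filter(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    for src, dst, proto, reason in drop:
        print(f"  drop {proto} {src} -> {dst}: {reason}")
```

The filter is a whitelist, so the bogon check only adds a more specific reason for the drop; the real work is the prefix list, which is exactly the information an access provider already has for each interface. Note that it does nothing for drones that send packets with their own genuine source address: those still reach the target, but they can then be traced back and cleaned up, which is the point Vixie is making.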
Richard Probst, VP of product management at DNS specialist Nominum Inc, observed the attacks, and said it was interesting that the hacker chose to attack the root servers for only one hour.
Only a sustained attack on the root servers would have had an impact on end users, whose lookups are answered in the first instance from data cached at their ISP's resolvers. It is only after a longer period, when that cached data expires and the resolvers have to go back to the root for fresh referrals, that unreachable root servers would cause problems.
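To see why an hour-long root outage is invisible to users while a multi-day one is not, the following model of an ISP's caching resolver is an added example, not code from the article or from any of the operators quoted. The TTLs, names and addresses are assumptions: the two-day TTL on a TLD delegation matches what the real root zone publishes, but treat every value here as constructed for the illustration.

```python
"""Minimal model of a caching resolver during a root-server outage.

Added example, not from the article.  Times are seconds relative to the
start of the outage; all TTLs and names are assumed values.
"""

ROOT_OUTAGE = (0, 3600)   # assumed: roots unreachable from t=0 for one hour
TLD_NS_TTL = 172_800      # assumed TTL on a TLD delegation learned from the root
HOST_TTL = 300            # assumed TTL on the final address record


def roots_reachable(now, outage):
    start, end = outage
    return not (start <= now < end)


class CachingResolver:
    """An ISP recursive resolver reduced to the two cache entries that matter."""

    def __init__(self):
        self.cache = {}   # (rrtype, name) -> (value, expires_at)

    def _get(self, key, now):
        entry = self.cache.get(key)
        return entry[0] if entry and entry[1] > now else None

    def _put(self, key, value, ttl, now):
        self.cache[key] = (value, now + ttl)

    def resolve(self, name, now, outage=ROOT_OUTAGE):
        """Return a description of how the lookup was answered."""
        if self._get(("A", name), now) is not None:
            return "answer from cache"
        tld = name.rsplit(".", 1)[-1]
        if self._get(("NS", tld), now) is None:
            # No usable delegation for the TLD: only a root server can supply one.
            if not roots_reachable(now, outage):
                return f"SERVFAIL: no cached referral for .{tld} and roots unreachable"
            # Hypothetical TLD server name standing in for the real referral.
            self._put(("NS", tld), "ns.tld-registry.example", TLD_NS_TTL, now)
            path = "resolved via root referral"
        else:
            path = "resolved from cached TLD referral"
        # TLD and authoritative servers are assumed reachable throughout;
        # 192.0.2.80 is a documentation address standing in for the answer.
        self._put(("A", name), "192.0.2.80", HOST_TTL, now)
        return path


def simulate(timeline, outage=ROOT_OUTAGE, name="www.example.com"):
    """Resolve name at each time in timeline with a resolver that starts cold."""
    resolver = CachingResolver()
    return [(t, resolver.resolve(name, t, outage)) for t in timeline]


if __name__ == "__main__":
    # Resolver warmed a day before the one-hour outage: nothing fails.
    for t, outcome in simulate([-86_400, 600, 800, 100_000]):
        print(f"t={t:>8}s  {outcome}")
    # Same resolver, but the outage lasts past the delegation's TTL.
    for t, outcome in simulate([-86_400, 90_000], outage=(0, 100_000)):
        print(f"t={t:>8}s  {outcome}")
```

During the one-hour window the resolver never needs the root: the host record expires quickly, but the cached .com referral carries every new lookup straight to the TLD servers, which is why Probst's observation about the attack's short duration matters. Only once the outage outlasts the delegation TTL does the first uncached name start returning failures.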
"The root servers don't actually get as much traffic as others, such as those that handle .com, " Probst said. "It makes you wonder whether they were trying to stop things, or to show their knowledge of the system. It's almost as if these folks were exploring to see how the system would respond to this level of attack."