[ISN] Net attack flops, but threat persists

From: InfoSec News (isnat_private)
Date: Wed Oct 23 2002 - 23:45:53 PDT


    By Robert Lemos 
    Staff Writer, CNET News.com
    October 23, 2002, 1:10 PM PT
    news analysis: A widespread but unsophisticated attack on the
    computers that act as the address books for the Internet failed to
    cause any major problems, but experts warn that more security is
    Beginning Monday, a flood of data barraged the Internet's 13
    domain-name service (DNS) root servers in what's known as a
    denial-of-service attack. But the simple nature of the attack, and the
    system's resiliency, allowed administrators to quickly block the data
    According to security experts, a more sophisticated attack could have
    disrupted the root servers long enough to impair Net access. Had the
    attack prevented access to the servers for eight to 10 hours, the
    average computer user may have noticed slower response times, said
    Craig Labovitz, director of network architecture for denial-of-service
    prevention firm Arbor Networks.
    "If someone can really take over the infrastructure, it becomes a very
    different ball game," he said.
    Although the attack failed to hobble the Net, there were indications
    Wednesday that it wasn't over yet, continuing at a lower intensity. In
    addition, locating the perpetrators will be difficult because the type
    of attack they used--known as a distributed
    denial-of-service--typically masks the origins of the assault.
    In the wake of the attack, some of the companies and organizations
    that maintain the 13 key servers have pledged to reassess the security
    of the computers for which they are responsible.
    VeriSign, which maintains two root servers as well as just over a
    dozen .com top-level domain servers, is evaluating whether it needs to
    revamp security, said company spokesman Brian O'Shaughnessy.
    "VeriSign always looks for ways to improve its security," he said. "We
    are in a fluid environment--the bad guys always try to do bad things."
    O'Shaughnessy refuted claims that the company's two charges--the "A"
    and "J" root servers--went down during the onslaught. "That's wrong,"
    he said. "Two of the four that stayed up were ours."
    Monday's assault took down seven of the 13 servers for as long as
    three hours, according to Internet performance measuring service
    Matrix NetSystems. The attack took the form of a data flood, sending a
    deluge of Internet control message protocol (ICMP) packets to the 13
    root servers, which maintain the addresses for the hundreds of
    top-level domain servers. Top-level domains are recognized by familiar
    suffixes such as .com, .org and .uk.
    ICMP packets carry network data used for reporting errors or checking
    network connectivity, as in the case of the common "ping" packet. A
    flood of such data can block access to servers by clogging bottlenecks
    in the network infrastructure, thus preventing legitimate data from
    reaching its destination.
    However, ICMP data is not essential to network administration, and
    many servers and the routers that direct data to its destination tend
    to block the protocol. That's precisely what administrators did Monday
    afternoon to stop the flood of data from reaching the DNS root
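    As an added illustration that is not part of the article, the Python sketch below runs over a constructed packet sample (invented addresses and rates) to show why counting packets per source finds nothing when every flood packet carries a random spoofed address, while the aggregate ICMP rate exposes the flood and a protocol-level block, the step the operators took, removes it without touching DNS traffic.

```python
import random
from collections import Counter, defaultdict

def build_sample(flood_pps=500, seed=7):
    """Constructed traffic, not a capture: records are (second, source_ip, proto).
    Baseline each second: 20 DNS queries over UDP and one legitimate ping.
    During seconds 1 and 2 an ICMP flood arrives with a fresh random source
    address on every packet, as the article describes."""
    rng = random.Random(seed)
    packets = []
    for sec in range(4):
        for i in range(20):
            packets.append((sec, f"198.51.100.{i}", "udp"))
        packets.append((sec, "203.0.113.5", "icmp"))
        if sec in (1, 2):
            for _ in range(flood_pps):
                src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
                packets.append((sec, src, "icmp"))
    return packets

def icmp_rate(packets):
    """ICMP packets per second: the aggregate signal a protocol filter acts on."""
    rate = defaultdict(int)
    for sec, _, proto in packets:
        if proto == "icmp":
            rate[sec] += 1
    return dict(rate)

def flood_seconds(packets, threshold=100):
    """Seconds in which the ICMP rate exceeds the threshold."""
    return sorted(s for s, n in icmp_rate(packets).items() if n > threshold)

def busiest_icmp_source(packets):
    """Per-source counting: with spoofed sources nobody stands out except
    the one legitimate host that pings every second, so blocking by source
    would hit the wrong machine and miss the flood entirely."""
    counts = Counter(src for _, src, proto in packets if proto == "icmp")
    return counts.most_common(1)[0]

def drop_icmp(packets):
    """The mitigation the operators applied: block the protocol, keep DNS."""
    return [p for p in packets if p[2] != "icmp"]
```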
    Continuing and future attacks
    Still, experts are concerned about a better executed attack.
    "(This attack) didn't impact the Internet much, because the Internet
    is resilient and operators were quick to respond," said Tiffany Olsen,
    spokeswoman for the President's Critical Infrastructure Board, the
    group responsible for creating the United States' National Strategy to
    Secure Cyberspace. However, there "will be larger attacks than this
    one was."
    The FBI has opened an investigation into the attacks, but the agency
    will have a hard time finding the responsible person or group because
    the distributed attack randomized the source information on each piece
    of data, experts said.
    Despite that difficulty, security experts say that whoever executed
    the attack wasn't very good.
    "There are tens and dozens of scripts and tools that could have
    generated an attack of this kind," said Arbor's Labovitz. "It wouldn't
    even require a computer scientist, or even a wily hacker, to do this."
    Meanwhile, Matrix NetSystems said Wednesday that the attack may be
    ongoing. "There are five servers right now that are showing issues,"
    said company CEO Bill Palumbo. He acknowledged that the five may be
    down for maintenance or other reasons, but said that there are still
    delays in requests for domain name information.
    Like a telephone book, domain name servers link a name, such as
    "cnet.com," with its numerical Internet Protocol address.
    The system also works in a layered manner, so that someone who wants
    to go to a specific address is first directed to a local server. If the
    domain is not found, the request gets bumped up to a domain name
    server for the top-level domain, such as ".com."
    Requests only rarely consult the root servers, usually when a new name
    server is added locally. In addition, each entry in a DNS server has
    an expiration date, known as the time to live (TTL). When that time
    arrives, the entry is supposed to be deleted and the local DNS server
    has to ask the top-level domain server for the latest address
    "You have to realize that there are several tens of thousands of new
    routes advertised every day," said Matrix NetSystems' Palumbo.
    "Because of that, the authoritative nature of a cache deteriorates
    rather rapidly."
    Thus, even a complete outage of all 13 DNS root servers wouldn't bring
    the Internet to a halt, unless it went on for hours or days--time
    enough for the local DNS caches to expire.
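    Added example, not from the article or from any vendor named in it: a toy caching resolver with an injectable clock, sitting over a constructed root, top-level-domain and authoritative hierarchy, which shows the point made above, that a root outage only starts to bite once the cached referral's TTL has run out. Names, addresses and TTL values are illustrative assumptions.

```python
class RootOutage(Exception):
    """Raised when a referral is needed from the root and it is unreachable."""

# Constructed hierarchy (not real DNS data): each record is (value, ttl_seconds).
ROOT = {"com.": ("tld-server.example", 172800)}              # 2-day referral
TLDS = {"tld-server.example": {"cnet.com.": ("ns.cnet.example", 172800)}}
AUTH = {"ns.cnet.example": {"cnet.com.": ("192.0.2.10", 300)}}  # 5-minute A record

class Resolver:
    def __init__(self):
        self.cache = {}          # (rrtype, name) -> (value, expiry_time)
        self.root_up = True      # flip to False to simulate a root outage
        self.root_queries = 0    # how often the root was actually consulted

    def _get(self, key, now):
        hit = self.cache.get(key)
        return hit[0] if hit and hit[1] > now else None

    def _put(self, key, value, ttl, now):
        self.cache[key] = (value, now + ttl)

    def resolve(self, name, now):
        """Resolve `name` at simulated time `now` (seconds), honouring TTLs."""
        addr = self._get(("A", name), now)
        if addr is not None:
            return addr                      # answered from cache, nobody asked
        tld = name.split(".", 1)[1]          # "cnet.com." -> "com."
        tld_server = self._get(("NS", tld), now)
        if tld_server is None:               # referral expired: root needed
            if not self.root_up:
                raise RootOutage(f"no cached referral for {tld} and root unreachable")
            self.root_queries += 1
            tld_server, ttl = ROOT[tld]
            self._put(("NS", tld), tld_server, ttl, now)
        ns = self._get(("NS", name), now)
        if ns is None:                       # ask the TLD server for the zone's NS
            ns, ttl = TLDS[tld_server][name]
            self._put(("NS", name), ns, ttl, now)
        addr, ttl = AUTH[ns][name]           # ask the authoritative server
        self._put(("A", name), addr, ttl, now)
        return addr
```

Resolving once, then taking the root away, the A record can expire and be refreshed from the cached referral chain for two simulated days; only after that referral expires does a query fail.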
    Paul Mockapetris, the inventor of DNS and chief scientist for
    domain-name software company Nominum, said that compared to the 300 or
    so records that each root server contains, a future target that
    administrators should worry about is the 3 million or so records held
    by the .com DNS servers.
    "The root servers will be harder in a month than they are today," he
    said. "This was really sort of--to borrow from Afghanistan--was 'dumb
    bombs,' and you have to worry about more sophisticated attacks in the

    This archive was generated by hypermail 2b30 : Thu Oct 24 2002 - 02:38:34 PDT