[ISN] More Than One Internet Attack Occurred Monday

From: InfoSec News (isnat_private)
Date: Fri Oct 25 2002 - 01:41:14 PDT

  • Next message: InfoSec News: "[ISN] Prostitutes Steal Secret Software from US Army"

    By Brian Krebs and David McGuire
    washingtonpost.com Staff Writers
    Wednesday, October 23, 2002; 7:06 PM 
    Monday's attack on the 13 computer servers that manage the world's
    Internet traffic was the first of two assaults, according to officials
    at the companies that were affected.
    Just after 5 p.m. EDT on Monday, a "distributed denial of service"  
    (DDOS) attack struck the 13 "root servers" that provide the primary
    roadmap for the Internet. The second attack started several hours
    later and targeted a different kind of Internet server.
    DDOS attacks are intended to overwhelm networks with data until they
    The first attack, which lasted an hour, targeted all 13 of the root
    servers that form the core of the worldwide Domain Name System, which
    converts numeric codes into the words and names that form e-mail and
    Web addresses. Some of the servers failed intermittently, but Internet
    users were largely unaffected due to redundant nature of the
    root-server system, experts said.
    The second attack, say sources familiar with the incident, targeted
    "name" servers that direct Internet users to more specific online
    locations. Those servers house Internet domains such as dot-com,
    dot-biz and dot-info, and country code domains such as Great Britain's
    dot-uk and Canada's dot-ca.
    "At around 11 (p.m. EDT), the whole thing started over again, this
    time switching to the global (name) servers," said Chris Morrow, a
    network security engineer for UUNET, in an interview Tuesday. A unit
    of WorldCom Inc., UUNET handles roughly half of the global Internet
    traffic and is the service provider for two of the 13 root servers.
    VeriSign, which manages the servers for the dot-com, dot-net and
    dot-org domains, tracked attacks against all of its name servers
    beginning around 10 p.m. Monday, company spokesman Brian O'Shaughnessy
    VeriSign also operates two of the 13 root servers that were targeted
    in the first attack. Neither VeriSign's root servers nor its name
    servers were taken down in the attacks, O'Shaughnessy said.
    "We experienced an attack on our name-server constellation and we
    dealt with it the same way we dealt with the previous attack on our
    root servers," he said.
    Dublin-based Afilias Ltd. also reported having its "dot-info" name
    servers struck late Monday, but Afilias spokeswoman Heather Carle said
    the company was able to easily repel the attack. "We're able to
    internally balance the load from any hits our DNS server takes," she
    Afilias operates dot-info, one of seven newer domains created to ease
    crowding in the popular dot-com, dot-net and dot-org domains.
    If all of the name servers for any domain were crippled long enough,
    users would start having difficulty reaching addresses within those
    domains. Most name and root servers are designed with enough back-up
    capacity that such an attack would be very difficult to execute.
    The White House's Office of Homeland Security and the FBI are
    investigating Monday's cyber attacks, but have declined to speculate
    on who might have been responsible. It is also not clear whether the
    same source was to blame for the separate attacks on root and name
    At a press conference today, White House Press Secretary Ari Fleischer
    sought to downplay speculation that the strikes were carried out by
    "I'm not aware there's anything that would lead anybody to that
    direction," Fleischer said. "History has shown that many of these
    attacks actually come from the hacker community."
    It is difficult to discover the identities of DDOS hackers because the
    computers they use to mount the assaults usually are commandeered --
    either manually or remotely -- and programmed to carry out the
    attacks. These computers often belong to unsuspecting home users.
    Experts say the only way to trace the attacks to their true source is
    to deconstruct the data packets used in the assault as it is
    happening. According to Gordon Johndroe, spokesman for the Office of
    Homeland Security, the FBI was able to "monitor the attack while in
    UUNET's Morrow said a successful investigation ultimately could hinge
    on boasts made in the hacker community.
    "I don't think anyone knows who's responsible for this yet," Morrow
    said. "Somebody might blather about it in a couple months, and that's
    probably the only chance have of finding out who did it."
    The reporters can be e-mailed at brian.krebsat_private and
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Oct 25 2002 - 04:12:36 PDT