http://www.washingtonpost.com/wp-dyn/articles/A6894-2002Oct23.html

By Brian Krebs and David McGuire
washingtonpost.com Staff Writers
Wednesday, October 23, 2002; 7:06 PM

Monday's attack on the 13 computer servers that manage the world's Internet traffic was the first of two assaults, according to officials at the companies that were affected.

Just after 5 p.m. EDT on Monday, a "distributed denial of service" (DDOS) attack struck the 13 "root servers" that provide the primary roadmap for the Internet. The second attack started several hours later and targeted a different kind of Internet server. DDOS attacks are intended to overwhelm networks with data until they fail.

The first attack, which lasted an hour, targeted all 13 of the root servers that form the core of the worldwide Domain Name System, which converts numeric codes into the words and names that form e-mail and Web addresses. Some of the servers failed intermittently, but Internet users were largely unaffected due to the redundant nature of the root-server system, experts said.

The second attack, say sources familiar with the incident, targeted "name" servers that direct Internet users to more specific online locations. Those servers house Internet domains such as dot-com, dot-biz and dot-info, and country code domains such as Great Britain's dot-uk and Canada's dot-ca.

"At around 11 (p.m. EDT), the whole thing started over again, this time switching to the global (name) servers," said Chris Morrow, a network security engineer for UUNET, in an interview Tuesday. A unit of WorldCom Inc., UUNET handles roughly half of the global Internet traffic and is the service provider for two of the 13 root servers.

VeriSign, which manages the servers for the dot-com, dot-net and dot-org domains, tracked attacks against all of its name servers beginning around 10 p.m. Monday, company spokesman Brian O'Shaughnessy said. VeriSign also operates two of the 13 root servers that were targeted in the first attack.
Neither VeriSign's root servers nor its name servers were taken down in the attacks, O'Shaughnessy said. "We experienced an attack on our name-server constellation and we dealt with it the same way we dealt with the previous attack on our root servers," he said.

Dublin-based Afilias Ltd. also reported having its "dot-info" name servers struck late Monday, but Afilias spokeswoman Heather Carle said the company was able to easily repel the attack. "We're able to internally balance the load from any hits our DNS server takes," she said. Afilias operates dot-info, one of seven newer domains created to ease crowding in the popular dot-com, dot-net and dot-org domains.

If all of the name servers for any domain were crippled long enough, users would start having difficulty reaching addresses within those domains. Most name and root servers are designed with enough back-up capacity that such an attack would be very difficult to execute.

The White House's Office of Homeland Security and the FBI are investigating Monday's cyber attacks, but have declined to speculate on who might have been responsible. It is also not clear whether the same source was to blame for the separate attacks on root and name servers.

At a press conference today, White House Press Secretary Ari Fleischer sought to downplay speculation that the strikes were carried out by terrorists. "I'm not aware there's anything that would lead anybody to that direction," Fleischer said. "History has shown that many of these attacks actually come from the hacker community."

It is difficult to discover the identities of DDOS hackers because the computers they use to mount the assaults usually are commandeered -- either manually or remotely -- and programmed to carry out the attacks. These computers often belong to unsuspecting home users. Experts say the only way to trace the attacks to their true source is to deconstruct the data packets used in the assault as it is happening.
According to Gordon Johndroe, spokesman for the Office of Homeland Security, the FBI was able to "monitor the attack while in progress."

UUNET's Morrow said a successful investigation ultimately could hinge on boasts made in the hacker community. "I don't think anyone knows who's responsible for this yet," Morrow said. "Somebody might blather about it in a couple months, and that's probably the only chance we have of finding out who did it."

The reporters can be e-mailed at brian.krebsat_private and david.mcguireat_private

- ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Oct 25 2002 - 04:12:36 PDT