http://www.washingtonpost.com/wp-dyn/articles/A61714-2003Nov4.html

By David McGuire
washingtonpost.com Staff Writer
Tuesday, November 4, 2003; 8:49 AM

On October 21, 2002, people around the world cruised through cyberspace the way they do every day -- bidding on auctions, booking airline reservations, sending e-mail -- all the while unaware that someone was working overtime to try to bring the Internet to its knees.

Around 5 p.m. Eastern time, operators of the Internet's root servers, the computers that provide the roadmap for all online traffic, saw an unnaturally large spike in the amount of incoming data. It was a "distributed denial-of-service attack," a concentrated attempt to throw so much information at the servers that they would shut down.

Seven of the 13 servers went down completely, and two were badly crippled. In the course of the next frenzied hours, their operators tried to repel the attack as Internet users typed and clicked away with little idea that anything was wrong.

In the end, the Internet held firm but nearly everyone who fought off the attack agreed that it came closer than ever before to sustaining major damage.

A little more than a year later, experts have been working to improve the Internet's defenses but they say a better coordinated attack could do even worse damage. The weapons are cheap and simple and plenty of people know how to use them, leaving the Internet's caretakers looking for new ways to win a lopsided electronic arms race with online criminals.

"The people who did it last time were chicken-boners," said Paul Vixie, president of the non-profit Internet Software Consortium, which operates one of the root servers. "I'm sure that there are still serious, well funded cyberwarfare people who would look at what we've done and say 'yeah, there's a way that we could nail that'."

DDoS (pronounced "DEE-Doss") attacks are one of the simplest ways to cause online havoc but one of the most difficult to defend against.
Hackers snare "zombie" computers -- usually unprotected home or business PCs -- and force them to send bundles of data to their targets to try to make them crash.

If a DDoS attack took down all of the root servers -- something experts said is unlikely -- Internet communications would slowly cease. Because most computers store the information they get from the root servers, it would take about three days to feel the full effect of the attack.

The code that lets hackers into zombie computers spreads through worms and viruses that roam the Internet looking for vulnerable PCs. Getting that process started requires almost no investment on the part of the attacker.

"Those things are in the hands of any angry teenager with a $300 Linux machine," Vixie said.

Computer experts have found that the best way to fend off an attack is considerably more expensive -- buy lots of extra bandwidth to handle all the data coming their way.

Mountain View, Calif.-based Internet security company VeriSign Inc., has spent tens of millions of dollars to secure the two root servers it supervises, but Ken Silva, VeriSign's vice president of networks and information security, said the company worries that other operators don't have the money or resources to follow VeriSign's lead.

Silva said that the servers should be in the hands of entities that can afford to operate them securely.

In October 2002, "when it was all said and done and you looked at who survived ... it was the people who made the investment," he said. "It is scary that at the root of the Internet a significant number of these root servers are quite frankly just run as a hobby. You don't get paid for running a root server."

Other root server operators include the University of Maryland, the U.S. Army Research Lab and NASA's Ames Research Center.

The idea that other server operators aren't up to the task has earned a chilly reception from other members of the Internet community.
Vint Cerf, chairman of the Internet Corporation for Assigned Names and Numbers (ICANN), said that the current model is faring well.

"It is an arms race, but so far we've kept up," Cerf said. "Here it is in 2003 -- 20 years into the release of the 'Net -- and you look at how far we've come since 1983, you have to have some appreciation for the robustness of the system."

ICANN supervises the Internet's addressing system.

Karl Auerbach, an Internet software engineer and former ICANN director, said that the server operators have performed admirably.

"All the work that's really been done has been done by the root server operators themselves. [VeriSign Chief Executive] Stratton Sclavos has been belittling the fact that the operators aren't professional. Well, they've been doing a very professional job."

That work -- along with greater coordination among operators -- has made the Internet safer, said Steve Crocker, who runs ICANN's Security and Stability Advisory Committee.

"I think it's unlikely that you'd have a long sustained attack that wasn't dealt with," he said.

One of the ways server operators have made the Internet less vulnerable to attack is by decentralizing their operations. The Internet Software Consortium runs the "F" root server in 12 cities instead of one.

Splitting up the server's location, an idea known as "anycasting," helps foil DDoS attacks that try to slam a single target with a flood of data, Vixie said. With anycasting, a DDoS attack targeted at "F" will get shunted off to several different computers around the world, lessening its impact.

It's a simple way to deflect a destructive problem, Vixie said, but most root server operators were reticent to try it until the October 2002 attack made them realize the stakes of maintaining the status quo.

"An attack of a certain volume can be launched this year by someone with only half as much intelligence and skill as was necessary last year," he said.
Silva said that VeriSign also runs the "J" server this way -- splitting its functions between several locations in the United States and the Netherlands. Nevertheless, he said, not enough root server operators are using the technique.

And the server operators are almost sure to get tested again as worms continue seeding computers with instructions to launch DDoS attacks.

"There's a trend in attack tools. First, attacks are invented, then they're automated, and when they're automated, any moron with a computer can do them," said Bruce Schneier, co-founder of Counterpane Internet Security Inc., and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.

Auerbach, the former ICANN director, said that's not good news for the people charged with keeping the Internet running.

"There's a lot of people out there who seem to have nothing better to do than take down the infrastructure we have ... Sooner or later it's going to happen [again] and it's going to happen with a degree of virulence and professionalism that makes prior attacks look wimpy," Auerbach said.