[ISN] UPDATE: Lessons learned from Internet root server attack

From: InfoSec News (alerts@private)
Date: Thu Feb 08 2007 - 22:08:35 PST


By Carolyn Duffy Marsan
Network World

Theres some good news and some bad news for corporate network managers 
about the latest Internet root server attack.

The good news is that the Internet demonstrated once again that it is 
the most resilient network infrastructure ever built. Companies shouldnt 
be afraid to put mission-critical applications such as voice and 
streaming video on the `Net because of these attacks, security experts 

The bad news is that that the Internet continues to be a target for 
vandals and criminals, particularly those looking to make money through 
extortion, fraud or theft. Experts say that most corporate Web sites and 
IP networks couldnt withstand the ferocity of the latest attacks.

"These attacks werent that substantial," says Danny McPherson, chief 
research officer for Arbor Networks, which provides detection services 
for these types of attacks. "Theyve gotten a lot of attention, but 
theyre not as significant as the attacks we see every day against our 
customers, which are much more targeted and more damaging."

Steve Bellovin, an Internet security expert and professor of computer 
science at Columbia University, agrees.

"Id be more worried about somebody trying to target my corporation than 
somebody trying to target the infrastructure because no one corporation 
has the kind of replication and bandwidth that the infrastructure has at 
this point," Bellovin says.

On Tuesday, an attack was launched against three of the Internets 13 
root servers, which oversee the Internets Domain Name System. The DNS is 
a global distributed database system that matches domain names with 
corresponding IP addresses.

Three root servers operated by the Defense Department, the Internet 
Corporation for Assigned Names and Numbers (ICANN) and the Widely 
Integrated Distributed Environment (WIDE) Project were inundated with 
phony requests from a group of compromised PCs, called a botnet.

Michael Witt, deputy director of US-CERTs cybersecurity section, who 
spoke at a panel discussion at the RSA Conference last week, said the 
DNS root server attack was targeted at three root servers, known as G, L 
and M. G is the militarys top-level domain, Witt said. According to 
information at the US-CERT Web site, L operates on behalf of ICANN, and 
M is dedicated to the WIDE Project.

The attacks didnt impact the root-level servers," Witt said. They 
continued to do their job. The Department of Defense had no impact 
toward degradation on their network.

Witt said mitigation of the attack was carried out with the help of the 
North American Network Operators Group. We worked closely with those in 
the organization to minimize that attack, he said.

While these three root servers were disrupted by the botnet attack, 10 
other root servers worked fine. Overall, the Internets service suffered 
little disruption, and few corporate users even noticed that the attacks 
were happening.

"This attack was maybe one-tenth of the size of earlier attacks that 
weve seen on the DNS infrastructure," McPherson says. "It wasnt really 
that large, and it started tapering off quickly. More importantly, the 
user experience was not that far degraded."

This was the first major attack against the root servers since 2002, 
when all 13 root servers were targeted in a more severe distributed 
denial-of-service (DOS) attack.

"The oddest thing about this attack is that it happened at all," 
Bellovin says. "We havent had any major pure vandalism attacks in the 
last few years. The energy in the hacking world has shifted to a profit 
motive. Most of the DDOS attacks we see are for extortion. Sports 
gambling sites are especially affected."

Howard Schmidt, former White House cybersecurity adviser and now 
president and CEO of Issaquah, Washington-based R&H Security Consulting, 
said the fact that the attack on the DNS root servers this week had no 
perceivable impact on the public indicates how resilient the underlying 
system is. But we shouldnt let our guard down, Schmidt says.

Schmidt recalled how the massive attack in February 2002, when he was 
White House cyber-security adviser, also had no perceivable public 
impact but it did draw attention to the potential for grave consequences 
in loss of the Internet.

"We didnt find out who was doing it in 2002," Schmidt says. "Until we 
catch the people doing it, well never know their motivation."

Good news

Security experts say that the latest demonstration of the Internets 
resilience points to a rosy future for all things IP. Thats because the 
DNS -- which is critical to the routing of all information on the 
Internet has proven itself against many and varied attacks over the 

Since the 2002 root server attack, some root server operators have 
rolled out a technique called Anycast to copy information to multiple 
computers around the world.

"The name servers are more resilient to this type of attack today then 
they were five years ago," Bellovin says. "Its not that any given server 
is more resilient; its that the structure as a whole is more resilient 
because they are using Anycast servers. There are a lot more servers out 
there, so the attackers might not get all of them."

The failure of the latest attack shows how hard it is for a hacker to 
bring down the DNS.

"It seems unlikely that someone can take down all the root servers," 
says Scott Perry, founder of DNSstuff.com, which provides DNS tools to 
IT professionals. "While there are 13 root servers, these servers are 
mirrored so that over 100 servers handle the queries that go to the root 
server. Each of the root servers has one IP address, but in some cases 
those IP addresses are anycast to as many as 40 different computers. 
Because of that, when an attack like this occursit will only affect 
users near one location."

Attacks like these are no reason for corporations to hold off on 
migrating key applications such as voice to the Internet, experts say.

"The threats for something like VoIP are more within the enterprise than 
within the Internet infrastructure," Bellovin says. "Youre much more 
likely to have a virulent infection that takes you out than a root 
server attackThere are more problems near the edges of the Internet than 
in the infrastructure."

Bad news

Despite the positive outcome of the latest attacks, security experts 
warn against complacency.

"I dont know if a serious effort could take out the root server system," 
Bellovin says. "Weve heard of some really large botnetsThe steps that 
have been taken since 2002 have made the network considerably more 
robust and resilient in the face of this kind of attack. We dont know if 
its robust or resilient enough yet."

A botnet attack like this one would be more significant if it damaged 
the DNS servers that run key domains such as .com or .net. Thats because 
the root servers handle far fewer queries than the .com and .net 

"Theres more impact at the next level down below the root," says Ken 
Silva, chief security officer for VeriSign, which operates two root 
servers as well as the registries for .com and .net. "The .com servers 
handle 450,000 queries per second. If they dont work, thats 450,000 
queries per second that fail to connect."

Protecting against these kind of attacks is why VeriSign announced this 
week a three-year, $100 million effort to upgrade and expand the servers 
and network infrastructure that support its .com, .net and root servers. 
Dubbed Project Titan, the initiative will increase the capacity of 
VeriSigns network infrastructure 10 times by 2010.

Project Titan will "make the entire infrastructure that we operate much 
more resilient to these attacks," Silva says. It is "without a doubt the 
largest upgrade to a DNS top-level domain thats ever happened."

Few companies, government agencies or universities that run the DNS root 
servers on a voluntary basis can afford the kind of investment that 
VeriSign is making with Project Titan.

Corporate network managers also need to stay ahead of the game by 
continuing to invest in distributed DNS servers of their own.

McPherson says few corporations could withstand the kind of attack aimed 
at the three root servers this week.

"This was a 2G to 3Gbps attack," he says. "That could take most 
enterprises offline pretty easilyAttacks like this are pretty easy to 

McPherson says Arbor Networks saw DNS amplification attacks as large as 
22G to 25Gbps during 2006. "They were pretty ugly, and the scale of 
those attacks was pretty large," he says. "The root servers are pretty 
resilient but most enterprises are not."

- Senior Editor Ellen Messmer contributed to this report.

All contents copyright 1995-2007 Network World, Inc.

Subscribe to the InfoSec News RSS Feed

This archive was generated by hypermail 2.1.3 : Thu Feb 08 2007 - 22:29:08 PST