http://www.networkworld.com/news/2007/020807-internet-root-server-hack.html

By Carolyn Duffy Marsan
Network World, 02/08/07

There's some good news and some bad news for corporate network managers about the latest Internet root server attack.

The good news is that the Internet demonstrated once again that it is the most resilient network infrastructure ever built. Companies shouldn't be afraid to put mission-critical applications such as voice and streaming video on the 'Net because of these attacks, security experts say.

The bad news is that the Internet continues to be a target for vandals and criminals, particularly those looking to make money through extortion, fraud or theft. Experts say that most corporate Web sites and IP networks couldn't withstand the ferocity of the latest attacks.

"These attacks weren't that substantial," says Danny McPherson, chief research officer for Arbor Networks, which provides detection services for these types of attacks. "They've gotten a lot of attention, but they're not as significant as the attacks we see every day against our customers, which are much more targeted and more damaging."

Steve Bellovin, an Internet security expert and professor of computer science at Columbia University, agrees. "I'd be more worried about somebody trying to target my corporation than somebody trying to target the infrastructure, because no one corporation has the kind of replication and bandwidth that the infrastructure has at this point," Bellovin says.

On Tuesday, an attack was launched against three of the Internet's 13 root servers, which oversee the Internet's Domain Name System. The DNS is a global distributed database system that matches domain names with corresponding IP addresses.
Three root servers operated by the Defense Department, the Internet Corporation for Assigned Names and Numbers (ICANN) and the Widely Integrated Distributed Environment (WIDE) Project were inundated with phony requests from a group of compromised PCs, called a botnet.

Michael Witt, deputy director of US-CERT's cybersecurity section, who spoke at a panel discussion at the RSA Conference last week, said the DNS root server attack was targeted at three root servers, known as G, L and M. G is the military's top-level domain, Witt said. According to information at the US-CERT Web site, L operates on behalf of ICANN, and M is dedicated to the WIDE Project.

"The attacks didn't impact the root-level servers," Witt said. "They continued to do their job. The Department of Defense had no impact toward degradation on their network."

Witt said mitigation of the attack was carried out with the help of the North American Network Operators Group. "We worked closely with those in the organization to minimize that attack," he said.

While these three root servers were disrupted by the botnet attack, 10 other root servers worked fine. Overall, the Internet's service suffered little disruption, and few corporate users even noticed that the attacks were happening.

"This attack was maybe one-tenth of the size of earlier attacks that we've seen on the DNS infrastructure," McPherson says. "It wasn't really that large, and it started tapering off quickly. More importantly, the user experience was not that far degraded."

This was the first major attack against the root servers since 2002, when all 13 root servers were targeted in a more severe distributed denial-of-service (DDoS) attack.

"The oddest thing about this attack is that it happened at all," Bellovin says. "We haven't had any major pure vandalism attacks in the last few years. The energy in the hacking world has shifted to a profit motive. Most of the DDoS attacks we see are for extortion. Sports gambling sites are especially affected."
Howard Schmidt, former White House cybersecurity adviser and now president and CEO of Issaquah, Washington-based R&H Security Consulting, said the fact that the attack on the DNS root servers this week had no perceivable impact on the public indicates how resilient the underlying system is. But we shouldn't let our guard down, Schmidt says.

Schmidt recalled how the massive attack in February 2002, when he was White House cyber-security adviser, also had no perceivable public impact, but it did draw attention to the potential for grave consequences in loss of the Internet. "We didn't find out who was doing it in 2002," Schmidt says. "Until we catch the people doing it, we'll never know their motivation."

Good news

Security experts say that the latest demonstration of the Internet's resilience points to a rosy future for all things IP. That's because the DNS, which is critical to the routing of all information on the Internet, has proven itself against many and varied attacks over the years.

Since the 2002 root server attack, some root server operators have rolled out a technique called Anycast to copy information to multiple computers around the world.

"The name servers are more resilient to this type of attack today than they were five years ago," Bellovin says. "It's not that any given server is more resilient; it's that the structure as a whole is more resilient because they are using Anycast servers. There are a lot more servers out there, so the attackers might not get all of them."

The failure of the latest attack shows how hard it is for a hacker to bring down the DNS.

"It seems unlikely that someone can take down all the root servers," says Scott Perry, founder of DNSstuff.com, which provides DNS tools to IT professionals. "While there are 13 root servers, these servers are mirrored so that over 100 servers handle the queries that go to the root server.
Each of the root servers has one IP address, but in some cases those IP addresses are anycast to as many as 40 different computers. Because of that, when an attack like this occurs, it will only affect users near one location."

Attacks like these are no reason for corporations to hold off on migrating key applications such as voice to the Internet, experts say.

"The threats for something like VoIP are more within the enterprise than within the Internet infrastructure," Bellovin says. "You're much more likely to have a virulent infection that takes you out than a root server attack. There are more problems near the edges of the Internet than in the infrastructure."

Bad news

Despite the positive outcome of the latest attacks, security experts warn against complacency.

"I don't know if a serious effort could take out the root server system," Bellovin says. "We've heard of some really large botnets. The steps that have been taken since 2002 have made the network considerably more robust and resilient in the face of this kind of attack. We don't know if it's robust or resilient enough yet."

A botnet attack like this one would be more significant if it damaged the DNS servers that run key domains such as .com or .net. That's because the root servers handle far fewer queries than the .com and .net servers.

"There's more impact at the next level down below the root," says Ken Silva, chief security officer for VeriSign, which operates two root servers as well as the registries for .com and .net. "The .com servers handle 450,000 queries per second. If they don't work, that's 450,000 queries per second that fail to connect."

Protecting against these kinds of attacks is why VeriSign announced this week a three-year, $100 million effort to upgrade and expand the servers and network infrastructure that support its .com, .net and root servers. Dubbed Project Titan, the initiative will increase the capacity of VeriSign's network infrastructure 10 times by 2010.
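The anycast argument above (one root IP announced from many sites, so a flood aimed at it saturates only the site nearest the bots while everyone else is served normally) as a toy capacity model. This is an added example, not code from the article or from any root operator; every instance, capacity and traffic figure is constructed, and the region-matching router stands in for BGP path selection.

```python
"""Toy model of why anycast confines a root-server flood to one region.
Added example, not from the article; all numbers below are constructed."""
from collections import defaultdict

# Constructed anycast deployment for one root IP: instance -> (region served, queries/sec it can answer).
ANYCAST = {"lax": ("us-west", 200_000), "ams": ("eu", 200_000), "tyo": ("asia", 200_000)}
# The same total capacity concentrated at a single site, for comparison.
UNICAST = {"tyo": ("asia", 600_000)}

# Constructed traffic as (source region, queries/sec): normal load everywhere plus a
# botnet flood concentrated in one region, as the February 2007 attack largely was.
LEGIT = [("us-west", 50_000), ("eu", 50_000), ("asia", 50_000)]
FLOOD = [("asia", 900_000)]


def route(region, instances):
    """Stand-in for BGP shortest-path selection: the instance in the client's own
    region if one is announced, otherwise the first (only) announced instance."""
    for name, (inst_region, _cap) in instances.items():
        if inst_region == region:
            return name
    return next(iter(instances))


def answered_fraction(instances, traffic):
    """Per instance, the fraction of offered queries it can answer (1.0 when under capacity)."""
    offered = defaultdict(int)
    for region, qps in traffic:
        offered[route(region, instances)] += qps
    return {name: min(1.0, cap / offered[name]) if offered[name] else 1.0
            for name, (_region, cap) in instances.items()}


def legit_success(instances, legit=LEGIT, flood=FLOOD):
    """Success rate seen by legitimate clients in each region while the flood runs."""
    fraction = answered_fraction(instances, legit + flood)
    return {region: fraction[route(region, instances)] for region, _qps in legit}


if __name__ == "__main__":
    # anycast: us-west and eu keep 100%, asia drops to ~21%; unicast: every region drops to ~57%
    for label, deployment in (("anycast", ANYCAST), ("unicast", UNICAST)):
        print(label, {r: f"{v:.0%}" for r, v in legit_success(deployment).items()})
```

Real deployments have far more sites and the flood is rarely this neatly localized, but the shape of the result is the same: anycast turns a global outage into a regional degradation.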
Project Titan will "make the entire infrastructure that we operate much more resilient to these attacks," Silva says. It is "without a doubt the largest upgrade to a DNS top-level domain that's ever happened."

Few companies, government agencies or universities that run the DNS root servers on a voluntary basis can afford the kind of investment that VeriSign is making with Project Titan. Corporate network managers also need to stay ahead of the game by continuing to invest in distributed DNS servers of their own.

McPherson says few corporations could withstand the kind of attack aimed at the three root servers this week.

"This was a 2G to 3Gbps attack," he says. "That could take most enterprises offline pretty easily. Attacks like this are pretty easy to launch."

McPherson says Arbor Networks saw DNS amplification attacks as large as 22G to 25Gbps during 2006. "They were pretty ugly, and the scale of those attacks was pretty large," he says. "The root servers are pretty resilient, but most enterprises are not."

- Senior Editor Ellen Messmer contributed to this report.

All contents copyright 1995-2007 Network World, Inc.

______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss
This archive was generated by hypermail 2.1.3 : Thu Feb 08 2007 - 22:29:08 PST