March 16, 2006
WASHINGTON - A powerful new twist on the most common kind of Internet
attack could overwhelm even the most popular and well-fortified Web
sites and disrupt e-mail traffic by enlisting the network
infrastructure servers that manage Internet traffic worldwide,
security experts warn.
First detected as early as 2002, the assault, known as a distributed
reflected denial-of-service (DRDoS) attack, bombards targeted Web
servers with such massive amounts of spurious data that even flagship
technology companies would not be able to cope.
In one case examined, an unknown assailant used an Internet
domain-name server in South Africa to unknowingly bombard targeted
computers with overwhelming floods of amplified data.
Domain-name servers are specialized computers that help direct
Internet traffic. Computers see Web addresses as a string of numbers
called an IP address; a domain-name server translates a user's request
for, say, "www.yahoo.com" into the IP address "220.127.116.11."
Experts traced at least 1,500 attacks that briefly shut down
commercial Web sites, large Internet providers and leading Internet
infrastructure companies during a period of weeks beginning late last
The attacks were so targeted that most Internet users did not notice
Like a standard "denial-of-service" (DoS) attack, a DRDoS attack
exploits the standard TCP/IP "three-way handshake" between a client
and server machine.
Typically, a "client" PC looking up a Web site sends a request for
acknowledgement, including its own return IP address, to the Web
site's server. The server acknowledges the request, and in turn asks
the client for a confirmation the request was made. The client sends
its own acknowledgement, and data then flows freely between the two
In a standard DoS attack, a malicious machine takes down a Web site by
flooding it with requests containing false IP return addresses, which
the server will acknowledge. But since it the acknowledgement goes to
a non-existent IP address, the server will get no reply, and will keep
trying again and again.
Enough false requests will overload a server and make a Web site
unavailable. In in the case of a distributed denial-of-service (DDoS)
attack, a hacker, having secretly taken command of hundreds or
thousands of "zombiefied" ordinary PCs by infecting them with computer
viruses, enlists them all in bombarding the targeted Web server.
A DRDoS attack takes the concept to a new level. The malicious
requests, again coming from countless "zombie" machines, contain a
legitimate return IP address =97 in this case, the IP address of the
server being targeted.
The requests go not to the target, but to hundreds of intermediate
infrastructure servers, often owned by large technology companies,
which help direct Web traffic. The infrastructure servers, which are
innocently doing their jobs and can easily handle huge numbers of
requests, "return" the acknowledgements to the target machine, which
is quickly overwhelmed.
Ken Silva, chief security officer for VeriSign Inc., compared the
scale of a possible DRDoS attack to the damage caused in October 2002
when nine of the 13 computer "root" servers that make up the core of
the Internet were crippled by a powerful straight-on DDoS attack.
VeriSign operates two of the 13 root server computers, but its
machines were unaffected.
"This is significantly larger than what we saw in 2002, by an order of
magnitude," Silva said.
Silva said the attacks earlier this year used only about 6 percent of
the more than 1 million domain-name and other infrastructure servers
across the Internet to flood victims' servers.
Still, the attacks in some cases exceeded 8 gigabits per second,
indicating a remarkably powerful electronic assault.
"This would be the Katrina of Internet storms," Silva said.
The U.S. Computer Emergency Readiness Team, part of the Homeland
Security Department, warned network engineers in December to properly
configure their domain-name servers to prevent hackers from using them
It called the attacks "troublesome" because domain-name servers must
operate to help direct Internet traffic.
FOXNews.com's Paul Wagenseil and The Associated Press contributed to
InfoSec News v2.0 - Coming Soon!