By Carolyn Duffy Marsan
There's some good news and some bad news for corporate network managers
about the latest Internet root server attack.
The good news is that the Internet demonstrated once again that it is
the most resilient network infrastructure ever built. Companies shouldn't
be afraid to put mission-critical applications such as voice and
streaming video on the 'Net because of these attacks, security experts
The bad news is that the Internet continues to be a target for
vandals and criminals, particularly those looking to make money through
extortion, fraud or theft. Experts say that most corporate Web sites and
IP networks couldn't withstand the ferocity of the latest attacks.
"These attacks weren't that substantial," says Danny McPherson, chief
research officer for Arbor Networks, which provides detection services
for these types of attacks. "They've gotten a lot of attention, but
they're not as significant as the attacks we see every day against our
customers, which are much more targeted and more damaging."
Steve Bellovin, an Internet security expert and professor of computer
science at Columbia University, agrees.
"I'd be more worried about somebody trying to target my corporation than
somebody trying to target the infrastructure because no one corporation
has the kind of replication and bandwidth that the infrastructure has at
this point," Bellovin says.
On Tuesday, an attack was launched against three of the Internet's 13
root servers, which oversee the Internet's Domain Name System. The DNS is
a global distributed database system that matches domain names with
corresponding IP addresses.
Three root servers operated by the Defense Department, the Internet
Corporation for Assigned Names and Numbers (ICANN) and the Widely
Integrated Distributed Environment (WIDE) Project were inundated with
phony requests from a group of compromised PCs, called a botnet.
Michael Witt, deputy director of US-CERT's cybersecurity section, who
spoke at a panel discussion at the RSA Conference last week, said the
DNS root server attack was targeted at three root servers, known as G, L
and M. G is the military's top-level domain, Witt said. According to
information at the US-CERT Web site, L operates on behalf of ICANN, and
M is dedicated to the WIDE Project.
"The attacks didn't impact the root-level servers," Witt said. "They
continued to do their job. The Department of Defense had no impact
toward degradation on their network."
Witt said mitigation of the attack was carried out with the help of the
North American Network Operators Group. "We worked closely with those in
the organization to minimize that attack," he said.
While these three root servers were disrupted by the botnet attack, 10
other root servers worked fine. Overall, the Internet's service suffered
little disruption, and few corporate users even noticed that the attacks
"This attack was maybe one-tenth of the size of earlier attacks that
we've seen on the DNS infrastructure," McPherson says. "It wasn't really
that large, and it started tapering off quickly. More importantly, the
user experience was not that far degraded."
This was the first major attack against the root servers since 2002,
when all 13 root servers were targeted in a more severe distributed
denial-of-service (DDOS) attack.
"The oddest thing about this attack is that it happened at all,"
Bellovin says. "We haven't had any major pure vandalism attacks in the
last few years. The energy in the hacking world has shifted to a profit
motive. Most of the DDOS attacks we see are for extortion. Sports
gambling sites are especially affected."
Howard Schmidt, former White House cybersecurity adviser and now
president and CEO of Issaquah, Washington-based R&H Security Consulting,
said the fact that the attack on the DNS root servers this week had no
perceivable impact on the public indicates how resilient the underlying
system is. "But we shouldn't let our guard down," Schmidt says.
Schmidt recalled how the massive attack in February 2002, when he was
White House cyber-security adviser, also had no perceivable public
impact but it did draw attention to the potential for grave consequences
in loss of the Internet.
"We didn't find out who was doing it in 2002," Schmidt says. "Until we
catch the people doing it, we'll never know their motivation."
Security experts say that the latest demonstration of the Internet's
resilience points to a rosy future for all things IP. That's because the
DNS -- which is critical to the routing of all information on the
Internet -- has proven itself against many and varied attacks over the
Since the 2002 root server attack, some root server operators have
rolled out a technique called Anycast to copy information to multiple
computers around the world.
"The name servers are more resilient to this type of attack today than
they were five years ago," Bellovin says. "It's not that any given server
is more resilient; it's that the structure as a whole is more resilient
because they are using Anycast servers. There are a lot more servers out
there, so the attackers might not get all of them."
The failure of the latest attack shows how hard it is for a hacker to
bring down the DNS.
"It seems unlikely that someone can take down all the root servers,"
says Scott Perry, founder of DNSstuff.com, which provides DNS tools to
IT professionals. "While there are 13 root servers, these servers are
mirrored so that over 100 servers handle the queries that go to the root
server. Each of the root servers has one IP address, but in some cases
those IP addresses are anycast to as many as 40 different computers.
Because of that, when an attack like this occurs ... it will only affect
users near one location."
Attacks like these are no reason for corporations to hold off on
migrating key applications such as voice to the Internet, experts say.
"The threats for something like VoIP are more within the enterprise than
within the Internet infrastructure," Bellovin says. "You're much more
likely to have a virulent infection that takes you out than a root
server attack ... There are more problems near the edges of the Internet than
in the infrastructure."
Despite the positive outcome of the latest attacks, security experts
warn against complacency.
"I don't know if a serious effort could take out the root server system,"
Bellovin says. "We've heard of some really large botnets ... The steps that
have been taken since 2002 have made the network considerably more
robust and resilient in the face of this kind of attack. We don't know if
it's robust or resilient enough yet."
A botnet attack like this one would be more significant if it damaged
the DNS servers that run key domains such as .com or .net. That's because
the root servers handle far fewer queries than the .com and .net
"There's more impact at the next level down below the root," says Ken
Silva, chief security officer for VeriSign, which operates two root
servers as well as the registries for .com and .net. "The .com servers
handle 450,000 queries per second. If they don't work, that's 450,000
queries per second that fail to connect."
Protecting against these kinds of attacks is why VeriSign announced this
week a three-year, $100 million effort to upgrade and expand the servers
and network infrastructure that support its .com, .net and root servers.
Dubbed Project Titan, the initiative will increase the capacity of
VeriSign's network infrastructure 10 times by 2010.
Project Titan will "make the entire infrastructure that we operate much
more resilient to these attacks," Silva says. It is "without a doubt the
largest upgrade to a DNS top-level domain that's ever happened."
Few companies, government agencies or universities that run the DNS root
servers on a voluntary basis can afford the kind of investment that
VeriSign is making with Project Titan.
Corporate network managers also need to stay ahead of the game by
continuing to invest in distributed DNS servers of their own.
McPherson says few corporations could withstand the kind of attack aimed
at the three root servers this week.
"This was a 2G to 3Gbps attack," he says. "That could take most
enterprises offline pretty easily ... Attacks like this are pretty easy to
McPherson says Arbor Networks saw DNS amplification attacks as large as
22G to 25Gbps during 2006. "They were pretty ugly, and the scale of
those attacks was pretty large," he says. "The root servers are pretty
resilient but most enterprises are not."
- Senior Editor Ellen Messmer contributed to this report.
All contents copyright 1995-2007 Network World, Inc.