By Roger A. Grimes
February 16, 2007
A few years ago, I had the privilege of seeing some root DNS servers in
action at VeriSign's main headquarters. It's something I had wanted to
do for over a decade, and I was literally slightly shaking with
excitement (yes, I am that big of a geek).
Physical security was high. It took three-factor authentication to get
me past the two mantraps and the bomb-blast protected walls. My escort
had to use handprint geometry, a PIN, a smart card, and a retinal scan
to get me into the inner sanctum.
Turns out VeriSign's DNS root servers at this location are composed of
two physically separate, 10-high stacked, 1U pizza-box-style IBM
eServers (VeriSign said they tested many different servers, and IBM's
gave them the best performance per dollar), running Solaris and Red Hat
Linux. Not surprisingly, they don't run BIND and keep things
intentionally diverse to protect against a platform-specific attack.
Watching the network lights rapidly blink under millions of transactions
per second was a blast. Did I mention I was a geek?
Although I've walked into hundreds of high-security centers since, I've
always remained impressed with the VeriSign walk-through. It wasn't too
many years ago when some of the east coast DNS servers were reported as
being stored in a elevator storage running inside a parking garage.
The DNS infrastructure has come a long way since then and is no longer
under threat of being rammed by a car. Unfortunately, physical attacks
are the easy ones to stop. The Internet's global DNS infrastructure
recently experienced its first huge widespread DoS attack since the Oct.
21, 2002 incident. This year's attack happened on February 6 and only
involved three of the Internet backbone's 13 root DNS servers (the 2002
attack targeted all 13).
I discussed the recent attack with VeriSign's chief security officer,
Ken Silva. He said that the attack focused on root servers G (maintained
by the U.S. Department of Defense) and L (maintained by ICANN), and to a
lesser extent, M (maintained by Japan). During the 12-hour attack,
nearly 90 percent of legitimate queries to those servers were being
That's a lot worse than I had been led to believe by other news sources.
I hadn't questioned the other sources because I, like most people I
know, didn't even notice the attack until it was over and had made
Silva said a couple of things made this attack less threatening than it
could have been. First, as stated above, it only affected three of the
13 root servers. I asked if the attackers had decided to attack all 13
servers at once if the results would have been worse.
"Yes," he replied without missing a beat. "Some phases of the attack
contained more than 1Gb of malformed data per second. Normal traffic is
a half a million queries per second, or about 26 billion requests per
day." These attack loads were significant enough that any DNS server
would suffer even with anti-DoS protections put in place.
Second, Silva said the attacks were "plain" malformed DNS requests from
spoofed IP addresses. They weren't reflection or amplification attacks,
which can saturate bandwidth even more.
Third, much of information served up by the root servers is often cached
on downstream DNS servers locally. Most of the traffic to the root
servers comes from newly started DNS servers when new top level domains
that aren't already cached need to be resolved. Silva said that if the
attacks had been directed at the top level domain .com resolution
servers, where over 50 million .com domain names are stored, the pain
would have been worse.
Finally, VeriSign and most other players have added significant server
power and bandwidth since the 2002 attack. Most of the DNS root servers
may be listed as one IP address, but in most cases, they are made up of
many more servers. The Anycast protocol they use allows multiple
computers to share one IP address; the downstream requesting client gets
the closest logical DNS server.
I asked Silva what it would take to stop spoofed DoS attacks. "ISPs need
to perform egress filtering and stop spoofed packets," he said. "There
is an ongoing proposal called BCP 38 that addresses egress filtering."
Still, until we get the majority of ISPs to participate, spoofed IP
attacks will continue. "Right now, our biggest defense is
over-capacity," explained Silva. "All the DNS providers keep trying to
build so much capacity that even the large attacks against the DNS
structure are minimal by comparison. In the year 2000, we had a billion
legitimate requests a day. Now it's 26 billion. We predict it will be
200 billion requests per day by 2010."
With both legitimate use and attack traffic in mind, VeriSign just
announced an increased scaling initiative called Project Titan. It plans
to increase DNS throughput tenfold by 2010 -- a "10,000-fold increase
since 2000," noted Silva.
VeriSign knows a little something about scaling, and it has to. For one,
it manages the first 10 of the 13 DNS root servers (A through J),
resolving top-level domain .com and .net traffic. Plus, Verisign offers
directory services for more than DNS; it has the exclusive RFID
directory service contract to help the Wal-Marts of the world track
medicines and inventory. Its near-term scale will be in the trillions of
transactions per day.
Despite all this, attack traffic is currently growing even more
aggressively than legitimate traffic -- up 150 fold since 2000, said
Silva. This is a concern because the DNS infrastructure, which has been
badly in need of a security makeover for two decades, is now used for a
lot more than Web surfing and e-mail. Like it or not, VoIP applications,
IP TV, cell phones, mission-critical communication links, and data
repositories are now using the Internet for real-time business. If the
Internet goes down today, it's going to affect far more than just your
ability to check into MySpace or YouTube.
Roger A. Grimes is contributing editor of the InfoWorld Test Center.
Subscribe to the InfoSec News RSS Feed