ICANN Targets DDoS Attacks

In the wake of last week's unprecedented DDoS attack against all 13 of the Internetís root-name servers, the government and ICANN, one of the Internet's main governing bodies, are considering changes to help protect the DNS system against future at

In the wake of last weeks unprecedented DDoS attack against all 13 of the Internets root-name servers, the government and ICANN, one of the Internets main governing bodies, are considering changes to help protect the DNS system against future attacks.

The most immediate and significant changes will likely come from the Internet Corporation for Assigned Names and Numbers, which is holding a meeting this week in Shanghai, China. The body, which is ultimately responsible for maintaining the root servers that contain the master list of Internet domains, will hear recommendations from its Security and Stability Advisory Committee on securing the edge of the Domain Name System network. Specifically, the committee will recommend that ISPs take steps to prevent packets with forged IP addresses from being used in distributed-denial-of-service attacks, according to sources.

Typically, virtually all packets in such attacks carry forged IP addresses, making it difficult for engineers to trace or filter them. The technology to prevent forwarding of such packets has been in most routers for several years, but ISPs have been reluctant to use it.

"They dont turn it on because it makes extra work for them and doesnt earn them any more money," said Paul Vixie, chairman of the Internet Software Consortium, a root server operator in Redwood City, Calif., and a member of the ICANN Security and Stability Advisory Committee. "Theres more we need to do because [the attacks] will get worse."

Also in the name of added security, the operators of the root-name servers--each of which is actually several machines in multiple locations--will add more servers to make the system more resistant to attacks and spread out the effects of large-scale DDoS events, according to Vixie.

Security experts say such changes have been needed for some time and that last weeks attack simply makes them more imperative.

Meanwhile, U.S. government security officials are discussing the possibility of creating new regulations that would require federal agencies to buy Internet service only from ISPs that have DDoS protection on their networks, according to people familiar with the situation. Such a decision could place economic pressure on the other ISPs to follow suit, thereby improving Internet security.

The Oct. 21 attack reportedly took down as many as nine of the 13 root servers that contain the master domain list for the DNS for the Internet. However, security watchdog groups and Internet performance authorities said there was little noticeable change in Internet performance for most users.

The attack was an Internet Control Message Protocol flood--also known as a ping flood--which sends a huge number of status requests to servers, sources familiar with the incident said. A spokesman for VeriSign Inc., in Mountain View, Calif., which operates two of the root servers, including the "A," or master, server, said the servers were receiving as many as 150,000 requests per second during the height of the attack.

Although last weeks attempt didnt bring the Internet down, thats no cause for celebration, experts say.

"By no means has this problem gone away. This one wasnt very sophisticated, so its clear that some of the root operators werent as prepared as they couldve been," said Paul Mockapetris, chief scientist at security vendor Nominum Inc., also in Redwood City, and the principal designer of the current DNS system. "The [top-level domains] are even more vulnerable. Its the next generation of attacks that we need to worry about."

Other observers suggested that ISPs--which typically share capacity during emergencies such as DDoS attacks--should have access to a pool of ready bandwidth.

"The problem with this was, no one had excess capacity to share," said Mark Rasch, senior vice president and chief security counsel at Solutionary Inc., based in Omaha, Neb.

For their part, ISPs say that their range of options for DDoS protection is limited. "There doesnt appear to be any public product suite that we can provide to customers to prevent this," said Jennifer Baker, a WorldCom Inc. spokeswoman based in Washington.