A massive DDoS attack against most of the root DNS servers on the Internet Monday afternoon failed to cripple the global network, or even noticeably disturb traffic.
The attack, which began around 4 p.m. Monday and lasted for approximately two hours, reportedly took offline as many as seven of the 13 root servers that contain the master domain list for the DNS (domain name system) for the Internet. However, security watchdog groups and Internet performance authorities say there was little or no noticeable change in the way the Internet performed for most users.
The attack was apparently an ICMP (Internet control message protocol) flood—also known as a ping flood—which sends a blizzard of status requests to servers, sources familiar with the incident said. Such attacks are among the most basic and therefore easiest to defend against, a factor that likely contributed greatly to the service providers ability to handle Mondays attack.
“With a little bit of work, you can trace that back through the network and install a filter to take care of it,” said Ted Julian, chief strategist at Arbor Networks Inc., a Waltham, Mass., company that sells anti-DDoS (distributed-denial-of-service) solutions. “They got lucky this time. But its just a matter of time before someone tries a more sophisticated attack against this system. If it was just generic Web traffic directed at these servers, that would be much harder to deal with.”
The 13 servers that make up the core of the DNS system are located in several countries around the world, although the majority of them are in the United States. WorldCom Inc.s UUNet subsidiary maintains two of the machines and VeriSign Inc. has the contract to operate the “A” root server, which periodically sends out a list of updated DNS information to the other 12 root boxes.
Like TCP/IP and many other protocols on which the Internet relies, the DNS system was designed years ago and has some inherent weaknesses that are well-known in the security underground.
“If the Internet is going to work, it needs to be open, but that openness leads to problems,” said Julian. “The Internet is based on protocols that were designed a long time ago, and whether its a compromise of the protocol itself or a compromise of the design of the system, these [DDoS] attacks represent the greatest threat we have.”
The Internet Storm Center maintained at Incidents.org had already returned its alert status to green—or all clear—late Tuesday.
This is not the first time a large-scale DDoS attack has hit the Internet. In early 2000, a coordinated series of attacks crippled numerous high-traffic sites, including Yahoo, CNN.com, ZDNet and Amazon.com. And since then, such attacks have become the tool of choice for script kiddies as well as more sophisticated attackers looking to cause the maximum amount of havoc with the least amount of effort.
DDoS attacks come in several flavors, but the most common send massive amounts of data to selected servers, effectively flooding them with requests for service. As the servers become overwhelmed, they begin to deny all incoming service requests, which cuts off all activity.
However, this seems to be the first such attack to target the root servers at the heart of the Internet. Security experts have long warned that such an attack was likely, but it appears that the system did its job. The DNS system is designed in such a way that about 75 percent of the root name servers must fail before there is any real drop-off in Internet performance.
(Editors Note: This story has been updated since its original posting to include additional information about the attack and comments from Arbor Networks Ted Julian.)
