Root Server Attack Fizzles


An attack, apparently intended to get the attention of the security community, failed in its attempt to bring down, or even slow down, the Internet, analysts say.

According to ICANN (the Internet Corporation for Assigned Names and Numbers), the attack was aimed at one of its root servers, the top-level servers that translate requests for names into IP addresses so computers can retrieve the data on the Internet that users need.

The attack, which took place early on the morning of Feb. 6, was described as a distributed denial of service attack, and was apparently intended to so overwhelm the target servers that Internet users would be unable to resolve names, and therefore be unable to reach some Web sites.

Unfortunately for the perpetrators, their efforts went largely unnoticed. In fact, Verizon, which operates metropolitan area networks including MAE East and MAE West, was unaffected.

A spokesperson said that the operators of those networks were unaware that the attacks had taken place until they'd read about them in the news.

"It was a concerted attack," said Paul Levins, vice president of corporate affairs for ICANN, speaking to eWEEK from Brussels, Belgium. "What it demonstrated was that the distributed nature of the Internet withstood it, and the average users would have barely noticed," he said.

Levins stressed that while there are a number of theories about where the attack came from or who might be responsible, nothing is certain.

"We're still analyzing the attack itself," Levins said. He said that ICANN was analyzing the root server that it manages, but he also noted that the Internet community as a whole was diligent in its approach to handling the attack.

"They're analyzing it based on fact rather than making early statements about what the motivations were or the targets were," he said.

Levins said that a few of the root servers were affected heavily, although he said that there's no indication yet that any were actually taken offline as a result of the attack.

He said that because the root servers, as well as the staffs that run them, are highly distributed, the operators could work to mitigate the effects of the attack. "We learn from those experiences, which is a good thing," Levins said.

However, security experts said they were puzzled by the nature of the attack, and they had some ideas of their own as to the motivations and origin of the attack.

"I think that it's quite strange that the bad guys used botnets to attack the Internet," said Eugene Kaspersky, founder of The Kaspersky Lab in Moscow, Russia. "To develop such a botnet takes time and resources. Usually they're developed to steal money. In this case the botnet was used to attack the Internet. I don't see the reason."

However, Kaspersky noted that despite the best efforts of the attackers, not much actually happened.

"It's kind of Internet fireworks," he said. "It's just a joke." Kaspersky said that more details are needed, however, before the attack is really understood.

Other analysts agree. Randy Abrams, director of technical education at anti-virus software company ESET, said in a prepared statement that the impact on the Internet was minimal.

"While the motivation for the attack is unknown, there are several plausible explanations," he said.

Abrams said they included mischief, diversion (so that something else can be attacked while the analysts are focusing on the root server attack), or for testing, so a bigger or better attack could be developed.

However, David Moll, co-chairman of Webroot Software, said he thinks he knows what's up, and that he thinks it's no coincidence that the attack happened when it did.

"It's very clearly a coordinated and sophisticated attack on the largest infrastructure in the United States and globally," Moll said. "We believe it's a coordinated muscle-flex while the industry is meeting this week at RSA."


Webroot CTO Gerhard Eschelbeck expanded on the company's findings. "There's been a clearly visible rise in botnets over the last couple of weeks," he said. "We believe that was a clear sign of preparation for this attack."

Moll said that the company also thinks the location from which the attacks were launched has been found, based on what they're finding from their human researchers and their automated threat detection network. He said it was a multi-pronged attack originating in South Korea.

Webroot CEO Peter Watkins says he thinks this experience will help security researchers prepare for the next try.

"We believe we can begin to establish predictive patterns in the use of botnets," Watkins said, "and better predict these types of attacks when we see a malicious uptick in activity of the nature leading up to this type of attack."

"We should be able to throw up warning signs," he said, but added, "We should also be better at coordinating with the government to share this kind of information."

Kaspersky said that while the attack on the root servers could have been serious, the Internet has other, more serious, pressures already.

"There are bigger problems. There are more fresh worm attacks. There are better distributed attacks," he said.

"There is a low risk that the Internet can be damaged by such an attack," he said, adding that it would be much worse if such an attack were aimed at a single provider.

Kaspersky said that the Internet is designed to survive attacks that are vastly worse than a denial of service attack against a few servers. He noted that even huge natural disasters haven't managed to bring down the Internet.

"This demonstrates how well the Internet is built," Levins said.
