China DDoS attack shows not all TLD servers equally secure

With new generic domains expected to be operational by next month, worry is smaller ones will have much less security than China's

The distributed denial of service (DDoS) attack that took down a portion of China's Internet over the weekend demonstrates that the strength of the global network varies greatly across domains.

Servers running China's ".cn" top level domain (TLD) came under attack Sunday starting at about 2 a.m. Eastern time. The China Internet Network Information Center, which runs the TLD servers, confirmed the attack and apologized to affected users.

The organization said it was working to "enhance the service capabilities" of the system, but did not provide any more details.A'A

CloudFlare, which provides security and performance services to more than 1 million websites, found that .cn suffered a limited outage that lasted between two and four hours. A drop in server performance by as much as 32 percent compared to 24 hours earlier caused the down time.

CloudFlare's Chief Executive, Matthew Prince, said on Monday that the CINIC would likely have to make its infrastructure "substantially beefier."

"Obviously, an attacker has shown that there is some bottleneck," he said.

Arbor Networks, which also protects websites against DDoS attacks, said the .cn servers had to contend with traffic that was four times higher than average. The attack also appeared to go on into Sunday afternoon.

"A serious attack was carried out," said Dan Holden, director of security research at Arbor.

During the bombardment, not everyone heading to a website using the .cn domain would have been shutout. That's because Internet service providers temporarily hold website IP addresses in caches to avoid querying a TLD server for each website every time.

[In-depth: 7 essentials for defending againts DDoS attacks]

However, if the attack had gone on for 24 hours, then more websites would have been affected gradually, since caches are routinely purged after a number of hours.

"Had it gone on longer than 24 hours, then literally no .cn domain would likely have been able to be reached," Prince said.

The fact that China's TLD servers would take a hit in a DDoS attack is surprising, given the overall sophistication of the country's Internet capabilities. The country has one of the most sophisticated Internet filtering systems in the world, and is credited with mounting some of the most advanced cyberespionage campaigns to steal corporate and government secrets from other countries.

If the CINIC stumbled against an attack, how would the many smaller TLDs expected to launch soon across the Internet stand up?

In 2011, the Internet Corporation for Assigned Names and Numbers (ICANN) ended most restrictions on generic top-level domains, such as .com, .net and .biz. As a result, companies and organizations will eventually be able to choose their own gTLDs.

The first batch of ICANN-approved generic domains is expected to be operational by next month. Experts expect as man as 1,000 new gTLDs over time, with most of them reflecting names of companies and products and cities. There will also be more generic names, such as ".bank" and ".sport."

The attack on .cn is a reminder that if a country code TLD can be crippled, then users of generic TLDs should make it a point to check the infrastructure of the organizations running the domain name registry underneath.

"The more obscure the TLD, the more likely they have less infrastructure to protect themselves," CloudFlare's Prince said.

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

This story, "China DDoS attack shows not all TLD servers equally secure" was originally published by CSO.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.