DDoS attack highlights 'Net problems

Episode called crude, ineffective . . . but concerns mount about future problems.

By , Network World
October 28, 2002 12:03 AM ET

Network World - Last week's distributed denial-of-service attack against the Internet's root servers underscores that much of the Internet's infrastructure remains vulnerable to these common hacker attacks and more sophisticated assaults that might be on the horizon, experts say.

That an easily preventable distributed DoS attack was successful against so many of the Internet's root servers surprised many network executives, who say they thought more precautions were being taken by the operators of such a key component of the Internet's DNS.

A distributed DoS attack occurs when a hacker hijacks machines across the Internet and uses them to send a flood of requests to a server until it becomes overwhelmed and stops functioning.

In this case, the distributed DoS attack was aimed at the 13 root servers that run as the master directory for lookups that match domain names with their corresponding IP addresses. Below the root servers are the servers that support top-level domains such as .com, .net and .org, and below the top-level domain servers are hosts of individual Web sites.

"Last Monday's attack wasn't very skillful from the point of attacking the DNS root servers with a well-known ping attack," says Paul Mockapetris, an inventor of the DNS and chief scientist at Nominum, a DNS software vendor. "There are going to be some lax administrators who get a big wake-up call."

The root server attack also shows that hackers are becoming more ambitious in choosing targets.

"Two years ago, most of the denial-of-service attacks were on actual Web sites. With this attack, people are going after parts of the infrastructure," says Ted Julian, co-founder and chief strategist with Arbor Networks, a start-up that sells an anti-distributed DoS monitoring system to ISPs. "It changes from a local attack to a global attack."

During the root server attack, a hacker sent fake ping requests, which are queries from one host to another to determine if a communications path is available between the two hosts. Ping messages, which are rarely received by the root servers, are sent using the Internet Control Message Protocol (ICMP).

The 13 root servers were flooded with ICMP requests for about an hour, causing several root servers to stop being available to regular Internet traffic. However, the remaining root servers withstood the attack and ensured that it didn't slow down performance across the Internet.

By simply limiting the amount of ICMP traffic that the root servers can accept, administrators could have prevented the attack, experts say. In fact, root server operators who didn't already have rate limits set on their ICMP traffic set them as soon as the attack was discovered. But by then, these servers had already been inundated with phony traffic.

"An ICMP flood is one of the easiest things to filter," says Jim Lippard, director of Internet security at Global Crossing. "For the name servers we provide, we just filter out ICMP traffic completely."
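As an added illustration of the two mitigations described above, the ICMP rate limit the root operators applied and the drop-everything filter Lippard describes, here is a small simulation (not code from the article or from any root server operator). It runs a token-bucket limiter over constructed traffic in which a ping flood arrives on top of normal DNS queries; the 10 packets/s limit, the burst of 5 and the sample traffic itself are assumptions chosen for the demonstration.

```python
from collections import Counter, namedtuple
from fractions import Fraction

# ts is an integer millisecond timestamp; proto is "udp" (DNS query) or "icmp" (echo request)
Packet = namedtuple("Packet", "ts proto")

def make_sample_traffic():
    """Constructed sample, not a capture from any root server: 10 DNS queries/s
    for 4 s, plus an ICMP echo flood of 100 pings/s during seconds 2-3."""
    pkts = [Packet(i * 100, "udp") for i in range(40)]
    pkts += [Packet(2000 + i * 10, "icmp") for i in range(200)]
    return sorted(pkts, key=lambda p: p.ts)

class TokenBucket:
    """Allows `rate` packets per second with a burst allowance of `burst`.
    Fractions keep the token count exact so the policy is deterministic."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = Fraction(burst), 0

    def allow(self, ts):
        self.tokens = min(Fraction(self.burst),
                          self.tokens + Fraction((ts - self.last) * self.rate, 1000))
        self.last = ts
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def apply_policy(packets, icmp_rate=None, icmp_burst=5):
    """Count packets passed/dropped per protocol under one of two ICMP policies:
    icmp_rate=None drops every ICMP packet (the 'filter it out completely' option);
    a number rate-limits ICMP to that many packets/s. DNS traffic is never touched."""
    bucket = TokenBucket(icmp_rate, icmp_burst) if icmp_rate else None
    passed = {"udp": 0, "icmp": 0}
    dropped = {"udp": 0, "icmp": 0}
    for p in packets:
        if p.proto != "icmp":
            passed[p.proto] += 1          # DNS queries bypass the ICMP limiter
        elif bucket is not None and bucket.allow(p.ts):
            passed["icmp"] += 1
        else:
            dropped["icmp"] += 1
    return passed, dropped

def icmp_per_second(packets):
    """Detection view: ICMP echo requests seen in each one-second bucket."""
    return dict(Counter(p.ts // 1000 for p in packets if p.proto == "icmp"))
```

With the assumed 10 packets/s limit, only 24 of the 200 flood pings get through while all 40 DNS queries pass; with the drop-all policy, every ping is discarded and DNS is again unaffected.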

The root server attack comes nearly three years after the first major distributed DoS attack knocked such high-profile Web sites as Yahoo, eBay and eTrade offline, causing financial hardship to these companies. Since then, high-profile distributed DoS attacks have crippled Microsoft's Web site and led U.K. ISP Cloud Nine to go out of business.
