
'Net security gets root-level boost

By and , Network World
October 27, 2003 12:13 AM ET

Network World - A year after surviving a massive distributed denial-of-service attack, the Internet's root servers are better fortified against hacker activity, thanks to behind-the-scenes deployment of a routing technique known as Anycast, experts say.

With Anycast, the root server operators have more than doubled the number of server farms available to handle the highest-level DNS queries. This routing technique heightens root server resilience by multiplying the number of servers with the same IP address and balancing the load across an army of geographically dispersed servers.

A handful of the 13 root server operators have begun deploying Anycast since last year's attack, which didn't succeed in crashing DNS but rendered several root servers unavailable for legitimate queries. Experts say the deployment of Anycast is making the entire root-server system more resistant to outage.

"More of the root server operators are doing this routing technique, and the DNS is more robust than ever," says Paul Mockapetris, inventor of the DNS and chairman of DNS software vendor Nominum. "The DNS is more resilient than it was a year ago by a factor of two."

A reinforced DNS is a boon to enterprise network managers who need a rock-solid root server and DNS system for all of their IP services to function. However, one network executive resists putting much faith in a new DNS technique until it's been tested under attack.

DNS is "still not as secure as it could be, or should be," says Stephen Lengel, systems engineering manager at The ServiceMaster Co. in Downers Grove, Ill., which provides heating, cooling, landscaping, pest control and appliance maintenance services, and has about 20,000 users on its network. Despite the use of techniques such as Anycast, no technology is 100% safe from attack, he adds. "It's usually just a matter of time before someone exploits it or finds a hole in it."

While distributed DoS attacks have occurred for years, last October's assault on the Internet's 13 root servers - which run the master directory for lookups that match domain names with their corresponding IP addresses - served as a wake-up call to the vulnerabilities inherent in the distributed design of DNS. Below the root servers are the servers that support top-level domains such as .com, .net and .org, and below the top-level domain servers are hosts of Web sites.

During a distributed DoS attack, a hacker hijacks machines across the Internet and uses them to send a flood of requests to a server until it becomes overwhelmed and stops functioning.

Last October, the root servers were under a distributed DoS attack for about an hour, causing several servers to stop being available to regular Internet traffic. However, the remaining root servers withstood the attack and ensured that the Internet's overall performance was not degraded. Nonetheless, this was the most serious hacker attack ever on this key piece of the Internet infrastructure, and it was an eye-opener for the root-server operators.
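The resilience effect the article describes can be seen in a small model, added here and not part of the original story: several sites announce the same address, each client region is routed to its nearest site (as BGP path selection would do), and a flood concentrated in one region is compared against the single-farm unicast baseline. The regions, hop costs, capacities and traffic volumes are constructed assumptions, not figures from any root operator.

```python
from collections import defaultdict

# Constructed example: site capacities in queries per second (qps).
ANYCAST_SITES = {"us-east": 3000, "eu-west": 3000, "asia": 3000}
UNICAST_SITE = {"us-east": 3000}  # pre-Anycast baseline: one server farm

# Constructed hop costs from each client region to each candidate site.
HOPS = {
    "us-east": {"us-east": 1, "eu-west": 4, "asia": 7},
    "us-west": {"us-east": 2, "eu-west": 5, "asia": 5},
    "eu-west": {"us-east": 4, "eu-west": 1, "asia": 6},
    "asia":    {"us-east": 6, "eu-west": 6, "asia": 1},
}

# Constructed offered load per client region: (legitimate qps, attack qps).
# The flood is concentrated in one region, as a regional botnet would be.
TRAFFIC = {
    "us-east": (500, 4000),
    "us-west": (500, 0),
    "eu-west": (500, 0),
    "asia":    (500, 0),
}

def nearest_site(region, sites):
    """BGP-style selection: shortest path to any site announcing the prefix."""
    return min(sites, key=lambda s: HOPS[region][s])

def simulate(sites, traffic=TRAFFIC):
    """Return (fraction of legitimate queries answered, per-site [legit, attack] load)."""
    load = defaultdict(lambda: [0, 0])
    for region, (legit, attack) in traffic.items():
        site = nearest_site(region, sites)
        load[site][0] += legit
        load[site][1] += attack
    served = 0.0
    total = sum(legit for legit, _ in traffic.values())
    for site, (legit, attack) in load.items():
        offered = legit + attack
        # An overwhelmed site drops queries indiscriminately, so the share of
        # legitimate queries that get through is capacity / offered load.
        share = min(1.0, sites[site] / offered) if offered else 1.0
        served += legit * share
    return served / total, dict(load)

if __name__ == "__main__":
    for name, sites in (("unicast", UNICAST_SITE), ("anycast", ANYCAST_SITES)):
        frac, load = simulate(sites)
        print(f"{name}: {frac:.0%} of legitimate queries answered; load={load}")
```

With Anycast the flood saturates only the site nearest its sources, while the other sites keep answering their regions at full capacity; in the unicast baseline every region shares the one overwhelmed farm.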
