Network World
UPDATE: Lessons learned from Internet root server attack

By Carolyn Duffy Marsan , Network World , 02/08/2007

There’s some good news and some bad news for corporate network managers about the latest Internet root server attack.

The good news is that the Internet demonstrated once again that it is the most resilient network infrastructure ever built. Companies shouldn't be afraid to put mission-critical applications such as voice and streaming video on the Net because of these attacks, security experts say.

The bad news is that the Internet continues to be a target for vandals and criminals, particularly those looking to make money through extortion, fraud or theft. Experts say that most corporate Web sites and IP networks couldn't withstand the ferocity of the latest attacks.

Five tips for preventing DNS attacks
The Internet's DNS uses several techniques to stay up and running in the face of distributed denial-of-service (DDoS) attacks such as those launched last week. DNS experts offer the following suggestions for improving the resilience of your corporate DNS infrastructure:
1. Use multiple DNS servers distributed around the globe. Some root servers use a technique called anycast: the same IP address is advertised from dozens of sites around the world, so queries are routed to the nearest site and flooding one site does not take the address offline. The more name servers you run, in more locations, the less an attack on any one location or region affects your DNS.
2. Keep current copies of your DNS records. If you keep current copies of your zones on one or more secondary servers (fed by zone transfers from the primary), those servers will keep answering if your primary DNS server is attacked, for as long as the zone's SOA expire timer allows.
3. Use the latest version of BIND. Make sure you are running a current release of Berkeley Internet Name Domain (BIND), the open source software that runs most DNS servers. Older versions of BIND have known security issues. At the time of writing the current release is 9.3.4.
4. Ask your ISP about DDoS prevention. Ask your ISP what steps it is taking to prevent, minimize and isolate DDoS attacks. Find out whether it is deploying anycast DNS servers, DDoS filtering and trace-back technologies for isolating botnet traffic. Ask whether its service levels are guaranteed or merely statistical.
5. Multihome your Internet applications across two carriers. Your Web site and IP network are more likely to withstand an attack if they are reachable over two IP infrastructures run by separate carriers.
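The first two tips can be checked rather than taken on faith. The script below is an added example, not code from the article or from any of the vendors quoted in it. It takes the SOA answer each authoritative server returned (the format is that of `dig @server zone SOA +noall +answer`; the answers here are constructed to mimic it, and ns4 "answered" with a timeout), flags secondaries whose serial is behind the primary's using RFC 1982 serial arithmetic so a wrapped 32-bit counter is handled, and flags servers that share a /24, since those are likely to fall together in one outage or flood. example.com and the RFC 5737 documentation addresses are placeholders; in practice you would feed it the real output of dig against your own servers.

```python
"""Audit a zone's authoritative servers for stale copies and poor address diversity.

Added example for the Network World article; not the article's or any vendor's code.
All inputs are constructed: example.com and the 192.0.2.0/24, 198.51.100.0/24 and
203.0.113.0/24 addresses are documentation placeholders.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

SERIAL_MOD = 2 ** 32       # the SOA serial is a 32-bit unsigned counter (RFC 1982)
SERIAL_HALF = 2 ** 31


def parse_soa_serial(answer: str) -> Optional[int]:
    """Return the serial from a dig-style SOA answer line, or None if it is not one.

    Expected layout:
    <name> <ttl> IN SOA <mname> <rname> <serial> <refresh> <retry> <expire> <minimum>
    """
    fields = answer.split()
    if len(fields) < 11 or fields[2] != "IN" or fields[3] != "SOA":
        return None
    try:
        return int(fields[6])
    except ValueError:
        return None


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 comparison: a is behind b when b is ahead by 1 .. 2^31-1 (mod 2^32).

    This makes 4294967295 < 0, which plain integer comparison would get wrong
    after a serial wraps.
    """
    return 0 < (b - a) % SERIAL_MOD < SERIAL_HALF


def stale_secondaries(soa_by_server: Dict[str, str], primary: str) -> List[str]:
    """Servers whose serial is behind the primary's, or that returned no SOA at all."""
    ref = parse_soa_serial(soa_by_server[primary])
    if ref is None:
        raise ValueError(f"primary {primary} returned no usable SOA")
    stale = []
    for server, answer in soa_by_server.items():
        if server == primary:
            continue
        serial = parse_soa_serial(answer)
        if serial is None or serial_lt(serial, ref):
            stale.append(server)
    return sorted(stale)


def shared_prefixes(addresses: Dict[str, str], prefix_len: int = 24) -> List[Tuple[str, List[str]]]:
    """Group servers by /prefix_len and return the groups holding more than one server."""
    groups: Dict[str, List[str]] = {}
    for server, addr in addresses.items():
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        groups.setdefault(str(net), []).append(server)
    return sorted((net, sorted(members)) for net, members in groups.items() if len(members) > 1)


def audit(soa_by_server: Dict[str, str], addresses: Dict[str, str], primary: str) -> Dict[str, object]:
    """Run both checks and return the findings."""
    return {
        "stale": stale_secondaries(soa_by_server, primary),
        "shared_prefixes": shared_prefixes(addresses),
    }


# Constructed sample: what each name server answered when asked for the zone's SOA.
SAMPLE_SOA = {
    "ns1.example.com": "example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2007020802 7200 900 1209600 3600",
    "ns2.example.com": "example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2007020802 7200 900 1209600 3600",
    "ns3.example.com": "example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2007020801 7200 900 1209600 3600",
    "ns4.example.com": ";; connection timed out; no servers could be reached",
}
# Constructed sample: the servers' addresses (e.g. from the zone's glue or A records).
SAMPLE_ADDRESSES = {
    "ns1.example.com": "192.0.2.10",
    "ns2.example.com": "192.0.2.11",
    "ns3.example.com": "198.51.100.5",
    "ns4.example.com": "203.0.113.7",
}

if __name__ == "__main__":
    report = audit(SAMPLE_SOA, SAMPLE_ADDRESSES, primary="ns1.example.com")
    for server in report["stale"]:
        print(f"STALE or unreachable: {server}")
    for net, members in report["shared_prefixes"]:
        print(f"SHARED {net}: {', '.join(members)}")
```

Run against the sample it reports ns3 (one serial behind) and ns4 (no answer) as stale, and ns1 and ns2 as sharing 192.0.2.0/24. A /24 check is a crude stand-in for "different network"; if you have AS numbers for the addresses, grouping by AS is the better test of tip 1.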

"These attacks weren’t that substantial," says Danny McPherson, chief research officer for Arbor Networks, which provides detection services for these types of attacks. "They’ve gotten a lot of attention, but they’re not as significant as the attacks we see every day against our customers, which are much more targeted and more damaging."

Steve Bellovin, an Internet security expert and professor of computer science at Columbia University, agrees.

"I’d be more worried about somebody trying to target my corporation than somebody trying to target the infrastructure because no one corporation has the kind of replication and bandwidth that the infrastructure has at this point," Bellovin says.


Comments (1)
By Anonymous on February 9, 2007, 11:56 am:
"We worked closely with those in the organization to minimize that attack," I wonder how it would work if all other communication between the organization would...

