UPDATE: Lessons learned from Internet root server attack

There’s some good news and some bad news for corporate network managers about the latest Internet root server attack.

The good news is that the Internet demonstrated once again that it is the most resilient network infrastructure ever built. Companies shouldn’t be afraid to put mission-critical applications such as voice and streaming video on the 'Net because of these attacks, security experts say.

The bad news is that the Internet continues to be a target for vandals and criminals, particularly those looking to make money through extortion, fraud or theft. Experts say that most corporate Web sites and IP networks couldn’t withstand the ferocity of the latest attacks.

Five tips for preventing DNS attacks

The Internet's DNS system uses several techniques to stay up and running in face of distributed denial-of-service (DoS) attacks such as those launched last week. DNS experts offer the following suggestions of what you can do to improve the resilience of your corporate DNS infrastructure:
Use multiple DNS servers distributed around the globe. Some root servers use a technique called Anycast to distribute their content across dozens of servers around the world. If you increase the number of DNS servers you have, your DNS infrastructure will be less vulnerable to attack in any one location or region.

Keep current copies of your DNS records. If you keep current copies of your DNS records on one or more secondary servers, you will still have access to that information if your primary DNS server is attacked.

Use the latest version of BIND. Make sure you are using the current version of Berkeley Internet Name Domain, the open source software that runs most DNS servers. Older versions of BIND have known security issues. The current release of BIND is 9.3.4.

Ask your ISP about distributed DoS prevention. Ask your ISP what steps it is taking to prevent, minimize and isolate distributed DoS attacks. Find out if your ISP is deploying Anycast DNS servers, distributed DoS filtering and trace-back technologies used to isolate botnet attacks. Ask if service levels are guaranteed or statistical.

Multihome your Internet applications across two carriers. Your Web site and IP network are more likely to withstand an attack if they have access to two IP infrastructures run by separate carriers.
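As an added example, not taken from the article or from any vendor it quotes, the following Python script turns the first two tips into a check a network manager can run against a poll of a zone's name servers: it flags secondaries whose copy of the zone is behind the primary's SOA serial and counts how many distinct networks the server set spans. The poll data, the example.com server names and the addresses are constructed placeholders, and a shared /24 prefix is used here as a rough stand-in for "same site or same carrier".

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of what polling each authoritative name server of a
# zone for its SOA serial might return: name -> (serial served, IP address).
# Names and addresses are placeholders, not real servers; ns3 is deliberately
# one serial behind, and ns2 deliberately shares a /24 with the primary.
PRIMARY = "ns1.example.com"
SAMPLE_POLL: Dict[str, Tuple[int, str]] = {
    "ns1.example.com": (2007020801, "192.0.2.10"),
    "ns2.example.com": (2007020801, "192.0.2.20"),
    "ns3.example.com": (2007020701, "198.51.100.5"),
    "ns4.example.com": (2007020801, "203.0.113.9"),
}

def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: is 32-bit serial a older than serial b?

    Plain integer comparison gives the wrong answer once a serial wraps
    past 2**32 - 1, so the comparison is done modulo 2**32."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a < 2**31) or (a > b and a - b > 2**31)

def stale_secondaries(poll: Dict[str, Tuple[int, str]], primary: str) -> List[str]:
    """Secondaries serving an older zone serial than the primary."""
    ref = poll[primary][0]
    return sorted(ns for ns, (serial, _) in poll.items()
                  if ns != primary and serial_lt(serial, ref))

def network_diversity(poll: Dict[str, Tuple[int, str]], prefixlen: int = 24) -> int:
    """Number of distinct /prefixlen networks the server set sits in.

    A shared prefix is only a rough proxy for 'same location or upstream'."""
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            for _, ip in poll.values()}
    return len(nets)

def check_zone(poll: Dict[str, Tuple[int, str]], primary: str,
               min_networks: int = 2) -> List[str]:
    """Return human-readable findings; an empty list means both checks pass."""
    findings = [f"{ns} serves serial {poll[ns][0]}, behind primary serial {poll[primary][0]}"
                for ns in stale_secondaries(poll, primary)]
    nets = network_diversity(poll)
    if nets < min_networks:
        findings.append(f"all {len(poll)} name servers sit in {nets} network(s); "
                        f"want at least {min_networks}")
    return findings

if __name__ == "__main__":
    for line in check_zone(SAMPLE_POLL, PRIMARY) or ["no findings"]:
        print(line)
```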

"These attacks weren’t that substantial," says Danny McPherson, chief research officer for Arbor Networks, which provides detection services for these types of attacks. "They’ve gotten a lot of attention, but they’re not as significant as the attacks we see every day against our customers, which are much more targeted and more damaging."

Steve Bellovin, an Internet security expert and professor of computer science at Columbia University, agrees.

"I’d be more worried about somebody trying to target my corporation than somebody trying to target the infrastructure because no one corporation has the kind of replication and bandwidth that the infrastructure has at this point," Bellovin says.

On Tuesday, an attack was launched against three of the Internet’s 13 root servers, which oversee the Internet’s Domain Name System. The DNS is a global distributed database system that matches domain names with corresponding IP addresses.

Three root servers – operated by the Defense Department, the Internet Corporation for Assigned Names and Numbers (ICANN) and the Widely Integrated Distributed Environment (WIDE) Project – were inundated with phony requests from a group of compromised PCs, called a botnet.

Michael Witt, deputy director of US-CERT’s cybersecurity section, who spoke at a panel discussion at the RSA Conference last week, said the DNS root server attack was targeted at three root servers, known as G, L and M. “G is the military’s top-level domain,” Witt said. According to information at the US-CERT Web site, L operates on behalf of ICANN, and M is dedicated to the WIDE Project.

“The attacks didn’t impact the root-level servers," Witt said. “They continued to do their job. The Department of Defense had no impact toward degradation on their network.”

Witt said mitigation of the attack was carried out with the help of the North American Network Operators Group. “We worked closely with those in the organization to minimize that attack,” he said.

While these three root servers were disrupted by the botnet attack, 10 other root servers worked fine. Overall, the Internet’s service suffered little disruption, and few corporate users even noticed that the attacks were happening.

"This attack was maybe one-tenth of the size of earlier attacks that we’ve seen on the DNS infrastructure," McPherson says. "It wasn’t really that large, and it started tapering off quickly. More importantly, the user experience was not that far degraded."

This was the first major attack against the root servers since 2002, when all 13 root servers were targeted in a more severe distributed denial-of-service (DoS) attack.

"The oddest thing about this attack is that it happened at all," Bellovin says. "We haven’t had any major pure vandalism attacks in the last few years. The energy in the hacking world has shifted to a profit motive. Most of the DDoS attacks we see are for extortion. Sports gambling sites are especially affected."

Howard Schmidt, former White House cybersecurity adviser and now president and CEO of Issaquah, Washington-based R&H Security Consulting, said the fact that the attack on the DNS root servers this week had no perceivable impact on the public indicates how resilient the underlying system is. “But we shouldn’t let our guard down,” Schmidt says.

Schmidt recalled how the massive attack in February 2002, when he was White House cybersecurity adviser, also had no perceivable public impact, but it did draw attention to the potential for grave consequences in loss of the Internet.

"We didn’t find out who was doing it in 2002," Schmidt says. "Until we catch the people doing it, we’ll never know their motivation."

Good news

Security experts say that the latest demonstration of the Internet’s resilience points to a rosy future for all things IP. That’s because the DNS, which is critical to the routing of all information on the Internet, has proven itself against many and varied attacks over the years.

Since the 2002 root server attack, some root server operators have rolled out a technique called Anycast to copy information to multiple computers around the world.

"The name servers are more resilient to this type of attack today than they were five years ago," Bellovin says. "It’s not that any given server is more resilient; it’s that the structure as a whole is more resilient because they are using Anycast servers. There are a lot more servers out there, so the attackers might not get all of them."

The failure of the latest attack shows how hard it is for a hacker to bring down the DNS.

"It seems unlikely that someone can take down all the root servers," says Scott Perry, founder of DNSstuff.com, which provides DNS tools to IT professionals. "While there are 13 root servers, these servers are mirrored so that over 100 servers handle the queries that go to the root server. Each of the root servers has one IP address, but in some cases those IP addresses are anycast to as many as 40 different computers. Because of that, when an attack like this occurs…it will only affect users near one location."

Attacks like these are no reason for corporations to hold off on migrating key applications such as voice to the Internet, experts say.

"The threats for something like VoIP are more within the enterprise than within the Internet infrastructure," Bellovin says. "You’re much more likely to have a virulent infection that takes you out than a root server attack…There are more problems near the edges of the Internet than in the infrastructure."

Bad news

Despite the positive outcome of the latest attacks, security experts warn against complacency.

"I don’t know if a serious effort could take out the root server system," Bellovin says. "We’ve heard of some really large botnets…The steps that have been taken since 2002 have made the network considerably more robust and resilient in the face of this kind of attack. We don’t know if it’s robust or resilient enough yet."

A botnet attack like this one would be more significant if it damaged the DNS servers that run key domains such as .com or .net. That’s because the root servers handle far fewer queries than the .com and .net servers.

"There’s more impact at the next level down below the root," says Ken Silva, chief security officer for VeriSign, which operates two root servers as well as the registries for .com and .net. "The .com servers handle 450,000 queries per second. If they don’t work, that’s 450,000 queries per second that fail to connect."

Protecting against these kinds of attacks is why VeriSign announced this week a three-year, $100 million effort to upgrade and expand the servers and network infrastructure that support its .com, .net and root servers. Dubbed Project Titan, the initiative will increase the capacity of VeriSign’s network infrastructure 10 times by 2010.

Project Titan will "make the entire infrastructure that we operate much more resilient to these attacks," Silva says. It is "without a doubt the largest upgrade to a DNS top-level domain that’s ever happened."

Few companies, government agencies or universities that run the DNS root servers on a voluntary basis can afford the kind of investment that VeriSign is making with Project Titan.

Corporate network managers also need to stay ahead of the game by continuing to invest in distributed DNS servers of their own.

McPherson says few corporations could withstand the kind of attack aimed at the three root servers this week.

"This was a 2G to 3Gbps attack," he says. "That could take most enterprises offline pretty easily…Attacks like this are pretty easy to launch."

McPherson says Arbor Networks saw DNS amplification attacks as large as 22G to 25Gbps during 2006. "They were pretty ugly, and the scale of those attacks was pretty large," he says. "The root servers are pretty resilient but most enterprises are not."

--Senior Editor Ellen Messmer contributed to this report.


Copyright © 2007 IDG Communications, Inc.
