Major ‘Net backbone attack could be first of many

The distributed denial of service (DDoS) attack launched Monday against all 13 of the Internet domain name system (DNS) root servers failed to bring down the Internet, but that doesn’t mean that more attacks won’t follow and succeed where this week’s attack failed, according to experts, some of whom feel that the federal government needs to step in to secure the ‘Net infrastructure.

Monday’s attack was targeted at 13 key servers that translate easy-to-remember URLs into the numeric IP addresses used by computers to communicate.

Attackers flooded the DNS servers with Internet traffic using Internet Control Message Protocol at more than 10 times the normal rate of traffic, according to Brian O’Shaughnessy, a spokesman at VeriSign, which manages the “A” and “J” root servers.

Such events are nothing new, with high-profile attacks in past years against Internet service providers and companies such as Microsoft and eBay. But experts say that Monday’s incident opens a new chapter in the history of Internet-based attacks.

“Monday’s attack was an example of people not targeting enterprises, but going against the Internet itself by attacking the architecture and protocols on which the Internet was built,” said Ted Julian, chief strategist at Arbor Networks of Lexington, Mass.

Factors contributing to such attacks are well known, according to experts. Worms such as Code Red, Nimda and Slapper have left hundreds — if not thousands — of compromised computers on the Internet, Julian said. Such systems can be used as “zombies” in a DDoS attack. Zombies are machines controlled remotely and used to launch an attack.

Reports from Matrix NetSystems Tuesday traced the attacks to Internet hosting service providers in the U.S. and Europe.

Gerry Brady, chief technology officer for Guardent said that sophisticated software programs make leveraging those compromised machines a simple matter, even for novice attackers.

“With automated attack tools, even inexperienced people can get control of a large number of hosts. The IP addresses and access passwords for those systems are traded on the Internet like you or I used to trade baseball cards,” Brady said.

While the Federal Bureau of Investigation’s National Infrastructure Protection Center is investigating the attacks, Brady pointed out that some of the most frequent sources of such attacks are teenagers, not terrorists.

“The big drivers we’re seeing (in DDoS attacks) are juvenile rivalries — revenge for incidents that might have happened during online gaming. These attacks are not professional or financial in nature. They’re random and non-directed,” Brady said.

Fortunately, Monday’s attacks were not sophisticated, relying on a simple “packet flood” approach in which information packets are sent in high volumes to a server, and using a protocol — ICMP — that is typically not seen in very high volumes, Brady and Julian said.

Future attacks could be much more sophisticated, they said.

Instead of sending a flood of packets all using the same protocol, attackers might disguise a DDoS attack as normal traffic — what Julian referred to as a “bandwidth anomaly.” In such an attack, nothing about the protocols used or packets sent would appear unusual, but the volume of traffic would be enough to overwhelm the targeted server.

Even more pernicious, Brady and Julian agreed, would be attacks that target the routing infrastructure, as opposed to the DNS infrastructure of the Internet. That infrastructure of roadways over which Internet traffic passes is more “brittle” than the flexible architecture of DNS, Brady said.

“When one backbone goes down, the traffic has to go somewhere,” said Brady, recalling that the recent outage on the UUNet Internet backbone operated by WorldCom was felt instantly worldwide.

More federal management of key components of the Internet infrastructure is needed, Julian and Brady agreed. That could include tax incentives or direct federal funding for private companies and public organizations managing key DNS servers to secure their systems, all of which are currently operated as a free service by companies, government entities and non-profit organizations.

“This showcases a specific vulnerability that requires the government to get involved,” Julian said. “If you run a DNS server, what is your monetary incentive to secure it? There is none. This is the number one area of focus that the government should have.”

As for the backbone providers, Brady said that because of the dire financial condition of most companies that manage the Internet backbone, there is little private money available to ensure the extra capacity should one or more parts of the backbone be attacked. Federal investment could help create and secure a more robust infrastructure.

“If this were voice communications (that were attacked) can you imagine (U.S. Secretary of Defense Donald) Rumsfeld’s reaction?” Brady said. “That would be a national security issue. We must acknowledge that this is critical infrastructure and we have to find remediation.”

“This is rich territory for Mr. Clarke and his people,” said Julian, referring to Richard Clarke, President Bush’s special adviser for cyberspace security.

In the meantime, Brady said that the pattern of past DDoS attacks make more of them likely in the near future.

“I would be worried that we’re in a short-term countdown to more infrastructure attacks because they’re just so easy to do,” Brady said.