DDoS attack highlights ‘Net problems

Last week’s distributed denial-of-service attack against the Internet’s root servers underscores that much of the Internet’s infrastructure remains vulnerable to these common hacker attacks and more sophisticated assaults that might be on the horizon, experts say.

Last week’s distributed denial-of-service attack against the Internet’s root servers underscores that much of the Internet’s infrastructure remains vulnerable to these common hacker attacks and more sophisticated assaults that might be on the horizon, experts say.

That an easily preventable distributed DoS attack was successful against so many of the Internet’s root servers surprised many network executives, who say they thought more precautions were being taken by the operators of such a key component of the Internet’s DNS.

A distributed DoS attack occurs when a hacker hijacks machines across the Internet and uses them to send a flood of requests to a server until it becomes overwhelmed and stops functioning.

In this case, the distributed DoS attack was aimed at the 13 root servers that run as the master directory for lookups that match domain names with their corresponding IP addresses. Below the root servers are the servers that support top-level domains such as .com, .net and .org, and below the top-level domain servers are hosts of individual Web sites.

“Last Monday’s attack wasn’t very skillful from the point of attacking the DNS root servers with a well-known ping attack,” says Paul Mockapetris, an inventor of the DNS and chief scientist at Nominum, a DNS software vendor. “There are going to be some lax administrators who get a big wake-up call.”

The root server attack also shows that hackers are becoming more ambitious in choosing targets.

“Two years ago, most of the denial-of-service attacks were on actual Web sites. With this attack, people are going after parts of the infrastructure,” says Ted Julian, co-founder and chief strategist with Arbor Networks, a start-up that sells an anti-distributed DoS monitoring system to ISPs. “It changes from a local attack to a global attack.”

During the root server attack, a hacker sent fake ping requests, which are queries from one host to another to determine if a communications path is available between the two hosts. Ping messages, which are rarely received by the root servers, are sent using the Internet Control Message Protocol (ICMP).

The 13 root servers were flooded with ICMP requests for about an hour, causing several root servers to stop being available to regular Internet traffic. However, the remaining root servers withstood the attack and ensured that it didn’t slow down performance across the Internet.

By simply limiting the amount of ICMP traffic that the root servers can accept, administrators could have prevented the attack, experts say. In fact, root server operators who didn’t already have rate limits set on their ICMP traffic set them as soon as the attack was discovered. But by then, these servers had already been inundated with phony traffic.

“An ICMP flood is one of the easiest things to filter,” says Jim Lippard, director of Internet security at Global Crossing. “For the name servers we provide, we just filter out ICMP traffic completely.”

The root server attack comes nearly three years after the first major distributed DoS attack knocked such high-profile Web sites as Yahoo, eBay and eTrade offline, causing financial hardship to these companies. Since then, high-profile distributed DoS attacks have crippled Microsoft’s Web site and led U.K. ISP Cloud Nine to go out of business.

Experts say susceptibility to distributed DoS attacks exists at all levels of the Internet’s DNS, from the root servers to the backbone ISPs to companies that run major Web sites. The same types of distributed DoS attacks also continue to cause damage.

“Most of the vulnerabilities that are getting exploited on a daily basis [have patches] that were available for months, if not years,” Lippard says. “The same vulnerabilities are used long after they should have been dealt with. . . . It takes an ICMP attack like this to get people to put filters up.”

Although the latest distributed DoS attack caused little damage, experts say it shows that the root servers could fall prey to more ambitious attacks.

“A large-scale and sophisticated denial-of-service attack – not a ping attack like we saw last Monday, but an attack that flooded servers with bogus DNS requests – could reduce the effective capacity of the root servers and would impact users,” Mockapetris says.

ISPs and corporations regularly deal with distributed DoS attacks such as the ICMP flood aimed at root servers.

“Our average customer sees a denial-of-service attack about once a week,” says Jim Melvin, CEO of Mazu Networks, a start-up that sells an anti-distributed DoS appliance to corporations. “MTV sees them daily, but they’re a high-profile, teen-focused Web site. Other companies see them weekly or monthly.”

Since the spring of 2000, venture capital firms have pumped more than $90 million into four start-ups that offer anti-distributed DoS devices. These devices typically monitor Internet traffic for abnormal surges, identify when distributed DoS attacks cause these surges, and automatically shut off malicious traffic to protect network resources from being overloaded.

Despite the many high-profile distributed DoS attacks, these start-ups have attracted only a few dozen ISP and enterprise customers, including Canadian ISP Telus, the U.S. Department of Defense, MTV and the New York Mercantile Exchange. The systems range in price from $25,000 to $100,000 for corporations and several hundred thousand dollars for carriers.

“With the state of the world today, it doesn’t take a sophisticated attack to do damage,” Melvin says. “The analogy I use is that people are going to bed at night with the doors open.”

Holding back a widespread fix to the distributed DoS problem is that most ISPs haven’t purchased the latest anti-distributed DoS systems and don’t offer distributed DoS monitoring as a premium service to their corporate customers.

The backbone providers have done “very little” to address the distributed DoS problem since it came to light almost three years ago, says Gartner analyst John Pescatore. “The ISPs are not buying anything because they’re in such tight financial shape.”

Most carriers have established round-the-clock Internet security teams that monitor their networks for all kinds of attacks. These teams will help corporate network managers mitigate a distributed DoS attack after it has been discovered. Most carriers also do some kind of traffic filtering, such as limiting ICMP traffic in a way that would prevent an attack such as the one against the root servers.

Anti-distributed DoS technology “needs to be baked into the infrastructure,” Pescatore says. “The telecom guys need to work together to put in denial-of-service protections such as ingress filtering, egress filtering, traffic load balancing. It needs to be done in a coordinated manner across the backbone.”