While there is little chance you noticed it directly, the heart of the Internet was under attack last month. On October 21st, the Root Servers that provide core directory lookup services for the Internet were hit by a Distributed Denial of Service (DDoS) attack. The flood of traffic from zombie computers caused service interruptions at some of these DNS servers, which translated into pockets of slowness on the Internet, although most of us were oblivious to the attack.
There are 13 Root Servers, but due to the distributed architecture of DNS, most Internet traffic does not need to consult the Root Servers directly. Had the attack been more sophisticated and able to keep these servers inaccessible for several days, that would have been a serious problem. As the locally maintained cache of addresses on corporate DNS servers began to expire, those servers would need to contact the Root Server hierarchy. Failing that, thousands of DNS servers would have had to be manually reconfigured. In that case, slow and unavailable Internet sites would have been a much more common phenomenon.
As of this writing, the culprit behind these attacks has not been identified. It can be difficult to find the initiator of a DDoS attack, because the traffic comes from thousands of computers. Tracing back to the attacking computers to look for evidence is a painstaking matter of log file analysis and other forensic tools. We did catch MafiaBoy, the instigator of the February 2000 attacks on Yahoo, eBay and others; however, chatroom braggadocio was a key break in that case. The aim of this attack was not web site defacement and writing a statement for the world to read. Instead, this attack was more akin to disrupting "Internet supply lines" and interfering with "command and control". Was this a dumb kid who gave us the best he had? Or is it something more sinister: a test, foreshadowing a more severe attack? It is mere speculation on my part, but considering the state of the world and the potential for war, it is only prudent to do some worst-case scenario planning and consider the possibility that a wider-scale attack on core Internet weaknesses could be attempted soon. In fact, while many people have been saying that the ineffectiveness of this attack attests to the robust architecture of the Internet, it is also a fact that some of the Root Servers have been moved or hardened since the October 21st attack. What do you want to bet that there were some emails from the US Department of Defense to VeriSign and others preceding these changes?
What are the takeaways on this? We have a good directory system on the Internet, but it can be better. We need to think in terms of Hardening, Redundancy and Attack Mitigation. DNS servers need to be carefully built, single-purpose machines. They should run no extraneous services and should be scrupulously maintained, applying patches as soon as they are released for newly discovered vulnerabilities.
I am amazed that in late 2002, we still have poor redundancy for so many domain names, including highly popular and widely used sites. I won't use this forum to publish a Wall of Shame, but there is a wide variety of large companies from Finance, Retail and even Defense Contractors who do not have sufficient route diversification in their DNS systems. A simple test is to run a "Whois" lookup on your domains (http://www.netsol.com/cgi-bin/whois/whois); if you find that the IP addresses of your name servers differ only in the last "octet"…
dns1.mydomain.com 192.168.1.1
dns2.mydomain.com 192.168.1.2
…then it is likely that both of these systems could be knocked out by hitting a single upstream router. In fact, don't be surprised if they are sitting side by side in a computer room sharing the same power circuit. You can have more than two DNS servers, and they can be located half a globe away from each other. Another question to ask about redundancy is: why only 13 Root Servers? It has been that way for a long time; why not increase the number?
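The "same first three octets" test above is easy to automate once you have the name server addresses from a Whois or DNS lookup. The following is an added example written for this page, not code from the newsletter or from any registrar tool; the host names and addresses are constructed (the first set reuses the article's 192.168.1.x illustration, the second uses documentation address ranges). It groups name servers by the network prefix they share and flags any group of two or more, generalizing the article's /24 check to any prefix length so the same function can also ask the coarser "same /16, probably the same provider" question.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the two name servers from the article, which differ only
# in the last octet and therefore sit in one /24.
SAMPLE_NAMESERVERS = {
    "dns1.mydomain.com": "192.168.1.1",
    "dns2.mydomain.com": "192.168.1.2",
}

# Constructed sample with addresses spread across unrelated networks
# (RFC 5737 documentation ranges, used here purely for illustration).
DIVERSE_NAMESERVERS = {
    "ns1.example.net": "198.51.100.7",
    "ns2.example.net": "203.0.113.9",
    "ns3.example.net": "192.0.2.53",
}


def group_by_prefix(nameservers, prefixlen=24):
    """Group name server host names by the network they share at prefixlen.

    nameservers: mapping of host name -> dotted IP address string.
    Returns a dict of "network/prefix" -> [host names in that network].
    """
    groups = defaultdict(list)
    for host, addr in nameservers.items():
        # strict=False lets us pass a host address and get its containing network.
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        groups[str(net)].append(host)
    return dict(groups)


def assess_redundancy(nameservers, prefixlen=24):
    """Report how many distinct networks the name servers span.

    Returns a dict with:
      distinct_networks: number of distinct /prefixlen networks seen
      colocated: list of host-name groups that share one network
      verdict: a one-line human-readable summary
    """
    if len(nameservers) < 2:
        return {
            "distinct_networks": len(nameservers),
            "colocated": [],
            "verdict": "fewer than two name servers listed; no redundancy at all",
        }
    groups = group_by_prefix(nameservers, prefixlen)
    colocated = [hosts for hosts in groups.values() if len(hosts) > 1]
    distinct = len(groups)
    if distinct == 1:
        verdict = (f"all name servers share one /{prefixlen}; a single upstream "
                   f"router or power circuit could take them all out")
    elif colocated:
        verdict = f"some name servers share a /{prefixlen}; only {distinct} distinct networks"
    else:
        verdict = f"name servers are in {distinct} distinct /{prefixlen} networks"
    return {"distinct_networks": distinct, "colocated": colocated, "verdict": verdict}


if __name__ == "__main__":
    for label, servers in (("article example", SAMPLE_NAMESERVERS),
                           ("diverse example", DIVERSE_NAMESERVERS)):
        for plen in (24, 16):
            result = assess_redundancy(servers, plen)
            print(f"{label} at /{plen}: {result['verdict']}")
            for hosts in result["colocated"]:
                print("  co-located:", ", ".join(hosts))
```

Run it against the address list your registrar returns for each of your domains. A clean result at /24 and /16 does not by itself prove route diversity: two addresses in different prefixes can still be announced by the same provider or housed in the same building, so treat a passing check as a reason to confirm with your provider, and a failing check as the article's warning that one upstream failure removes your whole name service.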
Another little-known fact is that there is some good technology available to help detect and mitigate DDoS attacks. Mazu Networks told me that they have been experiencing strong growth in business and inquiries following this latest round of attacks.
November 2002 Issue
CSOinformer is edited by Jim Reavis, founder of SecurityPortal and longtime industry analyst. This monthly newsletter is targeted at people who must take a strategic, multi-year view of the information security industry, and we promise insights you will not find anywhere else.
CSOinformer is a service of Reavis Consulting Group, and is published on the second Tuesday of each month.