Massive DDoS Attack

An attack targeted nine of the 13 DNS "root" servers but experts on Wednesday dismissed the overall threat as "minimal" although some suggested that a sustained attack could be harmful.

by Ryan Naraine of internetnews.com [October 24, 2002]

A massive distributed denial-of-service (DDoS) attack of unknown origin briefly interrupted Web traffic on nine of the 13 DNS "root server system" servers that direct traffic on the Internet but experts on Wednesday dismissed the overall threat as "minimal."

Sources say the one-hour attack, which was hardly noticeable to the average end-user, was done via ICMP requests (ping-flooding) to the root servers. In a typical DDoS attack, hundreds of "drone" machines are used to remotely pound IP addresses. While the common ping program sends on 64-byte datagram per second, "ping flooding" attacks can emit ICMP echo requests at the highest possible frequency, experts explained.

Internet Software Consortium (ISC) chairman Paul Vixie confirmed the ICMP request source of the attack on the NANOG mailing list but maintained the DDos attack "was only visible to people who monitor root servers or whose backbones feed root servers."

"DDoS attacks often end up hurting intermediate links in the path more than the destination of the flow... The average person who just wanted to use DNS to get work done didn't seem to notice it at all," Vixie added.

The ISC, which manages one of the targeted root servers, reported 80 Mbps of traffic to its box, more than ten times the normal load, but sources say the attack merely slowed sections of the Web and did not completely block service. Other root servers managed by Verisign and ICANN saw more than three times the load they normally handle.

During the course of the ping-flood pounding, only four of 13 root servers remained up and running while seven were completely crippled. The 13 DNS root servers are the backbone that runs the domain names and IP addresses on the Web.

Despite the fact that the attack appeared to have minimal impact, the Federal Bureau of Investigation (FBI) and the U.S Government's new Department of Homeland Security are investigating and published reports say the early suspicion is that that attacks originated overseas.

A spokesman for the FBI's National Infrastructure Protection Center (NIPC), which tracks service attacks on the Internet, confirmed an investigation was underway.

While DNS server attacks aren't uncommon, the latest pounding to the 13 root servers stood out because it was orchestrated over a one-hour window and appeared to be the work of experts.

Coming on the heels of cyber-terrorism threats and the government's own warnings, security officials say the FBI must take this issue seriously. "Attacks orchestrated with this kind of complexity and power generally can't be executed by your run-of-the-mill "Script kid." It would take a lot of firepower, to amass the servers capable of that kind of bandwidth," said a freelance security consultant, who declined to be named.

A spokesman for UUNET, which is the service provider for two of the root servers, said it was the "largest, most targeted attack" ever seen. "This did not affect the end user but it was huge and concerted. It was rare because it was aimed at all 13 servers. It was an attack on the Internet itself and not a particular site or service provider," he explained.

While the ISC's Vixie noted that the only way to thwart an attack of this magnitude would be to over-provision, many believe that if the attack was sustained for a longer period, the effects could have been catastrophic.

Individual websites facing a Denial of Service (DoS) attack can find assistance here and here.

— End