A massive distributed denial-of-service
(DDoS) attack (define)
of unknown origin briefly interrupted Web traffic on nine of the 13
DNS "root" servers that control the Internet but experts on
Wednesday dismissed the overall threat as "minimal."
Sources say the one-hour attack, which was hardly noticeable to
the average end-user, was done via ICMP
requests (ping-flooding) to the root servers. In a typical DDoS
attack, hundreds of "drone" machines are used to remotely pound IP
addresses. While the common ping program sends on 64-byte datagram
per second, "ping flooding" attacks can emit ICMP echo requests at
the highest possible frequency, experts explained.
Internet Software Consortium (ISC) chairman Paul Vixie confirmed
the ICMP request source of the attack on the NANOG mailing list but maintained
the DDos attack "was only visible to people who monitor root servers
or whose backbones feed root servers."
"DDoS attacks often end up hurting intermediate links in the path
more than the destination of the flow... The average person who just
wanted to use DNS to get work done didn't seem to notice it at all,"
The ISC, which manages one of the targeted root servers, reported
80Mbps of traffic to its box, more than ten times the normal load
but sources say the attack merely slowed sections of the Web and did
not completely block service. Other root servers managed by Verisign
and ICANN saw more than three times the load they normally handle.
During the course of the ping-flood pounding, only four of 13
root servers remained up and running while seven were completely
crippled. (See graphs
The 13 DNS root servers are the backbone that runs the domain
names and IP addresses on the Web.
Despite the fact that the attack appeared to have minimal impact,
the Federal Bureau of Investigation (FBI) and the U.S Government's
new Department of Homeland Security are investigating and published
reports say the early suspicion is that that attacks originated
A spokesman for the FBI's National
Infrastructure Protection Center (NIPC), which tracks service
attacks on the Internet, confirmed an investigation was underway.
While DNS server attacks aren't uncommon, the latest pounding to
the 13 root servers stood out because it was orchestrated over a
one-hour window and appeared to be the work of experts.
Coming on the heels of cyber-terrorism threats and the
government's own warnings, security officials say the FBI must take
this issue seriously. "Attacks orchestrated with this kind of
complexity and power generally can't be executed by your
run-of-the-mill "Script kid." It would take a lot of firepower, to
amass the servers capable of that kind of bandwidth," said a
freelance security consultant, who declined to be named.
A spokesman for UUNET, which is the service provider for two of
the root servers, told internetnews.com it was the "largest,
most targeted attack" ever seen. "This did not affect the end user
but it was huge and concerted. It was rare because it was aimed at
all 13 servers. It was an attack on the Internet itself and not a
particular Web site or service provider," he explained.
While the ISC's Vixie noted that the only way to thwart an attack
of this magnitude would be to over-provision, many believe that if
the attack was sustained for a longer period, the effects could have
Individual Web sites facing a Denial of Service (DoS) attack can
find assistance here and here.