Posted on 10/22/2002 4:54:09 PM PDT by j_tull
WASHINGTON (AP) - An unusually powerful electronic attack briefly crippled nine of the 13 computer servers that manage global Internet traffic this week, officials disclosed Tuesday. But most Internet users didn't notice because the attack only lasted one hour.
The FBI and White House were investigating. One official described the attack Monday as the most sophisticated and large-scale assault against these crucial computers in the history of the Internet. The origin of the attack was not known.
Seven of the 13 servers failed to respond to legitimate network traffic and two others failed intermittently during the attack, officials confirmed.
The FBI's National Infrastructure Protection Center was "aware of the denial of service attack and is addressing this matter," spokesman Steven Berry said.
Service was restored after experts enacted defensive measures and the attack suddenly stopped.
The 13 computers are spread geographically across the globe as precaution against physical disasters and operated by U.S. government agencies, universities, corporations and private organizations.
"As best we can tell, no user noticed and the attack was dealt with and life goes on," said Louis Touton, vice president for the Internet Corporation for Assigned Names and Numbers, the Internet's key governing body.
Brian O'Shaughnessy, a spokesman for VeriSign Inc., which operates two of the 13 computers in northern Virginia, said "these sorts of attacks will happen."
"We were prepared, we responded quickly," O'Shaughnessy said. "We proactively cooperated with our fellow root server operators and the appropriate authorities."
Computer experts who manage some of the affected computers, speaking on condition of anonymity, said they were cooperating with the White House through its Office of Homeland Security and the President's Critical Infrastructure Protection Board.
Richard Clarke, President Bush's top cyber-security adviser and head of the protection board, has warned for months that an attack against the Internet's 13 so-called root server computers could be dramatically disruptive.
These experts said the attack, which started about 4:45 p.m. EDT Monday, transmitted data to each targeted root server 30 to 40 times normal amounts. One said that just one additional failure would have disrupted e-mails and Web browsing across parts of the Internet.
Monday's attack wasn't more disruptive because many Internet providers and large corporations and organizations routinely store, or "cache," popular Web directory information for better performance.
"The Internet was designed to be able to take outages, but when you take the root servers out, you don't know how long you can work without them," said Alan Paller, director of research at the SANS Institute, a security organization based in Bethesda, Md.
Although the Internet theoretically can operate with only a single root server, its performance would slow if more than four root servers failed for any appreciable length of time.
In August 2000, four of the 13 root servers failed for a brief period because of a technical glitch.
A more serious problem involving root servers occurred in July 1997 after experts transferred a garbled directory list to seven root servers and failed to correct the problem for four hours. Traffic on much of the Internet ground to a halt.
Lucky you!! The last time I was there, a local kid sneezed in my face and I was sick for a week!!
Mind you, I've been wrong before and this is purely a gut feeling. But the hacker community seems to be in lockstep against "Dubya's war for oil to avenge his daddy" and they've been itching to find an excuse to use their Distributed Denial of Service (DDOS) zombie farms for a common hacktivist cause. 26 October marks the biggest anti-war event yet.
That's my theory, and I'm sticking to it.
The trial run of the slogan went: "Sun. We're the invisible dot at the end of dot com. Really. No, really, there's an invisible dot at the end. That's us."
I noticed severe slowdowns both yesterday and today, no idea if the problems are related to this reported attack, but many sites were terribly slow.
The DNS protocol does provide a TCP port for name service, but convention discourages its use. I wouldn't be surprised if the root servers don't support it, due to the resources that would be required to support a large number of users.
However, zone transfers (which update DNS servers) use TCP in order to preserve data integrity. There are presumably some security measures in place to protect against a SYN flood.
It turns out that this was indeed a DDoS attack, but it was a flood of ICMP echo requests. That made it very easy to filter with a firewall, although the attack apparently ended very quickly. See this posting for details.
Hmm... I would have imagined that the maintainers of the roots would have LONG ago turned if ICMP at the routers. That doesn't stop ICMP requests from flooding the routers, but then you realize that the routers feeding these boxes have some decent load balancing going on, so you'd have to REALLY do a massive PoD (ping of death) to swamp it, and even then you're just pegging the router, not the actual DNS server.
Oh well... I figured that just doing a flood of dns lookups might have been sufficient to peg these machines. Nothing more complicated than a bunch of machines doing tons of UDP requests to port 51 and then not even bothering to listen for a response before sending thousands more.
To answer other questions, I could be entirely off my rocker, but I'm fairly certain the roots run just customized *nix of some form, with only DNS doing anything on the machine. Nothing too fancy besides some nice hardware, stable OS, plenty of redundant bandwidth. DNS requests aren't exactly high bandwidth anyway, so it takes surprisingly little to be able to manage a lot of requests.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.