Massive DDoS Attack Hit DNS Root Servers

A massive distributed denial-of-service (DDoS) attack of unknown origin briefly interrupted Web traffic on nine of the
13 DNS “root” servers that control the Internet but experts on Wednesday
dismissed the overall threat as “minimal.”

Sources say the one-hour attack, which was hardly noticeable to the average
end-user, was done via ICMP
requests (ping-flooding) to the root servers. In a typical DDoS attack,
hundreds of “drone” machines are used to remotely pound IP addresses. While
the common ping program sends on 64-byte datagram per second, “ping
flooding” attacks can emit ICMP echo requests at the highest possible
frequency, experts explained.

Internet Software Consortium (ISC) chairman Paul Vixie confirmed the ICMP
request source of the attack on the NANOG
mailing list but maintained the DDos attack “was only visible to people who
monitor root servers or whose backbones feed root servers.”

“DDoS attacks often end up hurting intermediate links in the path more than
the destination of the flow… The average person who just wanted to use DNS
to get work done didn’t seem to notice it at all,” Vixie added.

The ISC, which manages one of the targeted root servers, reported 80Mbps of
traffic to its box, more than ten times the normal load but sources say the
attack merely slowed sections of the Web and did not completely block service. Other
root servers managed by Verisign and ICANN saw more than three times the
load they normally handle.

During the course of the ping-flood pounding, only four of 13 root servers
remained up and running while seven were completely crippled. (See graphs here).

The 13 DNS root servers are the backbone that runs the domain names and IP
addresses on the Web.

Despite the fact that the attack appeared to have minimal impact, the
Federal Bureau of Investigation (FBI) and the U.S Government’s new
Department of Homeland Security are investigating and published reports say
the early suspicion is that that attacks originated overseas.

A spokesman for the FBI’s National
Infrastructure Protection Center (NIPC), which tracks service attacks on
the Internet, confirmed an investigation was underway.

While DNS server attacks aren’t uncommon, the latest pounding to the 13 root
servers stood out because it was orchestrated over a one-hour window and
appeared to be the work of experts.

Coming on the heels of cyber-terrorism threats and the government’s own
warnings, security officials say the FBI must take this issue seriously.
“Attacks orchestrated with this kind of complexity and power generally can’t
be executed by your run-of-the-mill “Script kid.” It would take a lot of
firepower, to amass the servers capable of that kind of bandwidth,” said a freelance security consultant, who declined to be named.

A spokesman for UUNET, which is the service provider for two of the root
servers, told internetnews.com it was the “largest, most targeted
attack” ever seen. “This did not affect the end user but it was huge and
concerted. It was rare because it was aimed at all 13 servers. It was an
attack on the Internet itself and not a particular Web site or service
provider,” he explained.

While the ISC’s Vixie noted that the only way to thwart an attack of this
magnitude would be to over-provision, many believe that if the attack was
sustained for a longer period, the effects could have been catastrophic.

Individual Web sites facing a Denial of Service (DoS) attack can find
assistance here and here.