More Details On Attacks Against The Internet's Root Servers


In February, hackers tried once again to hijack the Internet. Here's why they failed.

They launched denial of service attacks on some of the 13 root servers that run the Internet's naming system. The root servers are critical because they each keep directories of the Internet's top-level domain servers (the servers that handle .com, .mil and so on). By controlling a root server, you could redirect Internet traffic to a server of your choice, although nobody knows if that was the plan here.

I was at the RSA security show in San Francisco when Jerry Dixon, who was speaking on a panel for US-CERT, announced the attacks and added, "Most of us who do security for a living are in firefighting mode."

Fortunately for Dixon and the security folks, however, the attacks were quickly contained. One reason, according to ICANN (the Internet Corporation for Assigned Names and Numbers), which studied the attacks, was the Anycast technology developed by the operators of the root servers after a similar attack in 2002.

Anycast lightens the load on a root server by spreading queries for domain names among many supporting servers in different geographies. Of the (at least) six root servers that were attacked, two--the l-root run by ICANN and the g-root run by the Defense Information Systems Agency--were not using Anycast and had trouble functioning. They will be using Anycast soon, according to ICANN. These attacks turned out to be a test for Anycast, which functioned well.

(ICANN also notes that root server operators were able to simply block queries composed of data packets larger than 512 bytes, which stood out because they exceeded the size limit for legitimate query packets.)
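As an added illustration (not from the original post or from ICANN), here is how the 512-byte filter described above can be applied to a raw UDP payload: parse the DNS header and question section and reject anything over the classic RFC 1035 limit or malformed. The query builder, transaction ID and sample packets are constructed for this example.

```python
import struct

MAX_CLASSIC_UDP_DNS = 512  # RFC 1035 limit for DNS over UDP; EDNS0 can raise it for responses, but queries stay small


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal standard DNS query (one question, class IN) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, QR=0; QDCOUNT=1
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def classify_query(packet: bytes) -> str:
    """Return 'ok', 'oversized' or 'malformed' for a UDP payload that claims to be a DNS query."""
    if len(packet) > MAX_CLASSIC_UDP_DNS:
        return "oversized"  # what the root operators filtered during the attack
    if len(packet) < 12:
        return "malformed"  # shorter than a DNS header
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount != 1:  # QR bit must be 0 for a query; exactly one question
        return "malformed"
    pos = 12
    while True:  # walk the QNAME labels: <len><bytes>... terminated by a zero length
        if pos >= len(packet):
            return "malformed"
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(packet):  # label too long or runs off the packet
            return "malformed"
        pos += length
    if pos + 4 > len(packet):  # QTYPE and QCLASS must follow the name
        return "malformed"
    return "ok"


# Constructed sample traffic: a legitimate 29-byte query, a packet padded to 600 bytes, and a truncated one.
GOOD = build_query("example.com")
OVERSIZED = GOOD + b"\x00" * (600 - len(GOOD))
TRUNCATED = GOOD[:10]

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("oversized", OVERSIZED), ("truncated", TRUNCATED)):
        print(f"{name}: {len(pkt)} bytes -> {classify_query(pkt)}")
```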

More information about the attacks is in this blog post by Danny McPherson from Arbor Networks. It includes the locations of attacking bots (65% from South Korea, 19% from the U.S., and some from China, Canada and other places), the location of the botnet controller (Dallas, Texas) and the fact that the botnet was associated with a Russian reseller and was used until May 23 to conduct other denial of service attacks.

Much of the early media coverage of the attack was so wrong, McPherson notes, that it was hard at first to find an accurate story. What can I say? The media doesn't always do a good job, but with a surprise event like this, it usually takes a while for accurate details to emerge.