DoS Attack Cripples Internet Root Servers

It was the fiercest attack on the 13 root servers since an October 2002 assault that took down many of the roots that help manage worldwide Internet traffic, according to Ben Petro, a senior VP of NeuStar, which provides clearinghouse services to the communications and Internet industry. Three of the servers were nearly overloaded by the attack, but they didn't go down, says Petro, who adds that they were in a slowed-down brownout stage.

Tuesday's attack nearly matched the 2002 attack in terms of strength but surpassed the old attack in sophistication, Petro says. The servers didn't go down this time because of the significant increase in computing power in the last four years and because the roots' defenses have been heavily beefed up since then.

"If you take down the roots, you take down the Internet," says Petro. "By comparison, if you take down a company, that hurts them. But this is just an attack of a very different scale. When you see someone going after root, it's an attack directly at the infrastructure of the Internet."

Petro, though, says the Internet was not close to going down Tuesday. He notes that those three servers were heavily strained, but they withstood the attack and the disturbance wasn't noticeably felt around the globe.

"You take down the root and you are taking down the Internet and dramatically affecting commerce in general," says Petro. "Our opinion is that it was very uncomfortable for those three roots. They were getting close to their pivot point."

The main attack hit the roots at 5:30 a.m. EST on Tuesday and reached its maximum sustained traffic at 7 a.m. It started to subside around 10:30 that morning and was still going on -- though rather weakly -- at 7 p.m. Tuesday.

Denial-of-service attacks -- sometimes called DoS -- are designed to pound a target computer with countless questions that overwhelm its ability to respond, effectively taking the machine down.

Zully Ramzan, a senior researcher at Symantec Security Response, says nothing has been confirmed, but there has been some speculation that the attacks originated in South Korea.

Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center, says more investigation will have to be done before analysts can figure out where the attacks were coming from. The Internet Storm Center is a cooperative cyberthreat monitoring and alert system.

Fortunately, the attack showed warning signs, according to Petro.

Between 7 and 9 p.m. Monday, a small-scale denial-of-service attack hit the root servers. "It looked like a precursor," Petro says. "It wasn't the strength of an attack of substance, but it had the intensity level of someone who had spent the time to engineer a real attack. ... We were bracing ourselves. Generally, when we see that type of attack, we hold our breath for 24 to 48 hours because very often large-scale attacks are foreshadowed by smaller ones that test the target."

No one company or agency controls all 13 root servers. The U.S. Department of Defense has one, for instance, while some are run by universities. The roots are central machines in the Domain Name System. Think of them as directory assistance for the Internet, explains Symantec's Ramzan. The system converts URLs into numeric addresses, which are then used to route traffic from one computer to another.

Ramzan says he has a lot of faith in the servers to withstand such an attack.

"I wouldn't have expected them to go down," he says. "It's such an important part of the Internet that people have taken a lot of measures to make sure they stay up. It's really hard to take them down. If it wasn't so hard to take them down, I'd be really worried."