The biggest test of Internet homeland security went pretty much unnoticed this week. Yet it represents the most serious attack on the Internet itself for five years. On the 6th February a 12 hour concerted Distributed Denial of Service attack took place aimed at the DNS root servers that manage global Internet traffic. DNS is the Domain Name System that translates between the easy to remember URLs we all use, such as daniweb.com, and the much less memorable underlying IP address in numeric form. Think of it as being a huge distributed database system and you are pretty much in the right ballpark.
In this attack, making use once again of that ever present menace fuelled by end-user insecurity and malware infected applications, the Botnet, three root servers in particular were targeted and briefly succumbed to the flood of data: G, L and M. G refers to the one operated by the Defense Department and is in fact the military’s top level domain, L refers to the Internet Corporation for Assigned Names and Numbers (ICANN) server, and M the Widely Integrated Distributed Environment (WIDE) project. Yet it appears the real target might have been UltraDNS which operate servers that manage traffic within the org domain, and it looks likely that the attack originated in South Korea given the volume of rogue data traced back there.
So why didn’t you notice? Because unlike the last big attack against root servers in 2002 when there was an impact upon many millions of users, the powers that be have learned lessons and ever increasingly distributed their workload so that it becomes ever more difficult to take down the Net just by targeting the core root servers. Indeed, the remaining 10 root servers were not impacted at all by the attack, as far as I have been able to ascertain. The fact that root server operators have been moving to an Anycast implementation makes them much more resilient to this kind of all out attack, certainly much more so than 5 years back when all 13 servers were impacted. Most serious observers would agree that it is now very difficult, highly unlikely, but not totally impossible, to cripple the Internet in this way by bringing down the entire DNS server spread. The 13 root servers are mirrored between 100 others, and each root server IP address that uses Anycast is distributed to maybe 40 computers. So you see the problem facing the would be cyber-terrorist or ambitious blackmailer.
So that’s OK then? Well no, actually, because some experts such as Paul D. Parisi, CTO of DNSstuff.com, have warned that it is likely the attack was just testing the resilience of the DNS system and could be a “harbinger of more targeted attacks against .com parent servers or even individual enterprise servers.” In an effort to help organizations prepare for such an eventuality, DNSstuff.com has made a root server time map tool available that can monitor, in real time, the state of root and .com servers supporting DNS. There can be no doubting that the average enterprise level server is nowhere near as resilient as those core DNS root servers. There can also be little doubting that the gangs behind such attacks have the power, courtesy of those huge botnets being assembled, to take on and take down pretty much any small-fry target they fancy. Blackmail, corporate dirty tricks, vandalism are all on the agenda for the people holding the trigger to such big guns.
But that doesn’t mean that the cyber-terrorism threat is totally negated either. While the root servers coped well, look below this top level and there is still potential for huge disruption. If the terrorists were to target the .com servers for example, that could knock out up to half a million .com queries per second. Such is the threat these kind of attacks pose, that Verisign which handles the registries for .com and .net as well as two root servers has announced $100 million upgrade and expansion program called Project Titan to strengthen and increase network infrastructure capacity by a factor of 10 within the next three years. Let’s hope that the terrorists don’t attack before 2010 then, and that they don’t target the other organizations (including government agencies) which don’t have access to a $100 million budget…