Major Net backbone attack could be first of many

The distributed denial of service (DDOS) attack launched on Monday (21 October) against all 13 of the Internet domain name system (DNS) root servers could be the first of many attacks, experts warn.

While this week's attack failed to crash the Internet, that doesn't mean that more attacks won't follow and succeed where this one failed, according to experts, some of whom feel that the US government needs to step in to secure Internet infrastructure.

Monday's attack was targeted at 13 key servers that translate easy-to-remember URLs (uniform resource locators) into the numeric IP (Internet Protocol) addresses used by computers to communicate. Attackers flooded the DNS servers with Internet Control Message Protocol (ICMP) traffic at more than 10 times the normal rate, according to Brian O'Shaughnessy, a spokesman at VeriSign, which manages the "A" and "J" root servers.

Such events are nothing new, with high-profile attacks in past years against Internet service providers and companies such as Microsoft and eBay. But experts say that Monday's incident opens a new chapter in the history of Internet-based attacks.

"Monday's attack was an example of people not targeting enterprises, but going against the Internet itself by attacking the architecture and protocols on which the Internet was built," said Ted Julian, chief strategist at Arbor Networks.

Factors contributing to such attacks are well known, according to experts. Worms such as Code Red, Nimda and Slapper have left hundreds - if not thousands - of compromised computers on the Internet, Julian said. Such systems can be used as "zombies" in a DDOS attack. Zombies are machines controlled remotely and used to launch an attack.

Reports from Matrix NetSystems traced the attacks to Internet hosting service providers in the USA and Europe.

Gerry Brady, chief technology officer for Guardent said that sophisticated software programs make leveraging those compromised machines a simple matter, even for novice attackers. "With automated attack tools, even inexperienced people can get control of a large number of hosts," Brady said.

While the Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC) is investigating the attacks, Brady pointed out that some of the most frequent sources of such attacks are teenagers, not terrorists.

"The big drivers we're seeing [in DDOS attacks] are juvenile rivalries - revenge for incidents that might have happened during online gaming. These attacks are not professional or financial in nature. They're random and non-directed," Brady said.

Fortunately, Monday's attacks were not sophisticated, relying on a simple "packet flood" approach, in which information packets are sent to a server in high volumes, and using ICMP, a protocol that is typically not seen in very high volumes, Brady and Julian said.

Future attacks could be much more sophisticated, they said. Instead of sending a flood of packets all using the same protocol, attackers might disguise a DDOS attack as normal traffic - what Julian referred to as a "bandwidth anomaly". In such an attack, nothing about the protocols used or packets sent would appear unusual, but the volume of traffic would be enough to overwhelm the targeted server.
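As an added illustration, not from the article or from the companies quoted in it, the following Python detector separates the two cases the experts describe: a single-protocol flood such as ICMP running at more than 10 times its baseline, and a "bandwidth anomaly" in which the protocol mix looks normal but total volume does not. The baseline figures, sample intervals and threshold factors are all constructed assumptions.

```python
from collections import defaultdict

# Constructed baseline of bytes per second by protocol on one server's
# upstream link; assumed values, not measurements from any operator.
BASELINE = {"udp": 9_000_000, "tcp": 800_000, "icmp": 20_000}

def summarise(flows):
    """Aggregate (protocol, bytes) flow records into bytes per protocol."""
    totals = defaultdict(int)
    for proto, nbytes in flows:
        totals[proto.lower()] += nbytes
    return dict(totals)

def classify(observed, baseline=BASELINE, proto_factor=10.0, volume_factor=3.0):
    """Classify one interval of traffic against the baseline.

    'protocol-flood'    : one protocol exceeds proto_factor times its own
                          baseline (the article reports ICMP at >10x normal).
    'bandwidth-anomaly' : protocol shares still match the baseline, but
                          total volume exceeds volume_factor times normal.
    'normal'            : neither condition holds.
    """
    base_total = sum(baseline.values())
    obs_total = sum(observed.values())
    for proto, base in baseline.items():
        if observed.get(proto, 0) > proto_factor * base:
            return {"verdict": "protocol-flood", "protocol": proto,
                    "ratio": round(observed[proto] / base, 1)}
    if obs_total > volume_factor * base_total:
        # Largest deviation of any protocol's share from its baseline share;
        # a small value means nothing about the mix itself looks unusual.
        drift = max(abs(observed.get(p, 0) / obs_total - b / base_total)
                    for p, b in baseline.items())
        return {"verdict": "bandwidth-anomaly", "protocol": None,
                "ratio": round(obs_total / base_total, 1), "mix_drift": round(drift, 3)}
    return {"verdict": "normal", "protocol": None,
            "ratio": round(obs_total / base_total, 1)}

# Constructed one-second samples for each case.
ICMP_FLOOD = [("udp", 9_100_000), ("tcp", 790_000), ("icmp", 260_000)]
BANDWIDTH_ANOMALY = [("udp", 36_000_000), ("tcp", 3_300_000), ("icmp", 85_000)]
QUIET = [("udp", 8_800_000), ("tcp", 820_000), ("icmp", 18_000)]

if __name__ == "__main__":
    for name, flows in [("icmp flood", ICMP_FLOOD),
                        ("bandwidth anomaly", BANDWIDTH_ANOMALY), ("quiet", QUIET)]:
        print(name, classify(summarise(flows)))
```

Note that the ICMP flood sample barely moves total volume (about 3% above baseline), so a monitor that watches only aggregate bandwidth would miss it, while the bandwidth-anomaly sample trips no per-protocol threshold at all.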

Even more pernicious, Brady and Julian agreed, would be attacks that target the routing infrastructure, as opposed to the DNS infrastructure of the Internet. That infrastructure of roadways over which Internet traffic passes is more "brittle" than the flexible architecture of DNS, Brady said.

"When one backbone goes down, the traffic has to go somewhere," said Brady, recalling that the recent outage on the UUNet Internet backbone operated by WorldCom was felt instantly worldwide.

More federal management of key components of the Internet infrastructure is needed, Julian and Brady agreed. That could include tax incentives or direct federal funding for private companies and public organisations managing key DNS servers to secure their systems, all of which are currently operated as a free service by companies, government entities and non-profit organisations.

"This showcases a specific vulnerability that requires the government to get involved," Julian said. "If you run a DNS server what is your monetary incentive to secure it? There is none. This is the number one area of focus that the government should have."

As for the backbone providers, Brady said that because of the dire financial condition of most companies that manage the Internet backbone, there is little private money available to ensure the extra capacity should one or more parts of the backbone be attacked. Federal investment could help create and secure a more robust infrastructure.

"If this were voice communications [that were attacked] can you imagine [US Secretary of Defence Donald] Rumsfeld's reaction?" Brady said. "That would be a national security issue. We must acknowledge that this is critical infrastructure and we have to find remediation."

In the meantime, Brady said that the pattern of past DDOS attacks makes more of them likely in the near future. "I would be worried that we're in a short-term countdown to more infrastructure attacks because they're just so easy to do," Brady said.