DNS server attacks came from US and Korea

The distributed denial of service (DDOS) attacks against 13 of the Internet's core servers have been traced to computers in the...

The distributed denial of service (DDOS) attacks against 13 of the Internet's core servers have been traced to computers in the US and Korea, according to a statement from the US Federal Bureau of Investigation (FBI).

The attack, which began on 21 October, flooded all 13 of the root servers of the Internet Domain Name System (DNS), a network of computer servers that communicate by matching up Internet domains used by people with numeric equivalents used by computers.

All 13 of the root servers were flooded with Internet traffic using Internet Control Message Protocol (ICMP) at more than ten times the normal rate of traffic, said Brian O'Shaughnessy, a spokesman at VeriSign, which manages the "A" and "J" root servers.

About two thirds of those servers were temporarily disabled or severely hampered in serving legitimate user requests by the attack, said O'Shaugnessy. However, four or five of the 13 servers remained online throughout the attack and the majority of Internet users did not experience any interruption in service.

South Korea is a frequent source of cyberattacks because of its high number of computer users and the widespread availability of broadband Internet access such as digital subscriber lines (DSLs) or cable modems.

Unlike machines that connect to the Internet using dial-up modems, machines with broadband connections maintain a constant, high-capacity connection to the Internet when they are turned on.

As a result, attackers, viruses and e-mail worms can compromise these computers often without the knowledge of the computer's owner. Those machines then act as "zombies" in a distributed denial of service attack, controlled remotely by the attacker and used to send a steady stream of information packets to the targeted Web site or server.

Allan Paller of the non-profit SANS Institute said that investigators may be able to use billing logs from the Internet service providers involved to trace the attacks back to their source.

However, Paller noted that lists of machines compromised by hackers or worms such as Code Red and Nimda are frequently traded on the Internet. Investigations into the source of the 21 October attack will probably lead back to those compromised machines in the US, Korea and elsewhere.

From there, the job of identifying the actual perpetrators gets more difficult.

The fact that computers in Korea took part in the attack does not mean that the attackers were Korean, Paller said. Attackers frequently compromise and control machines from afar using one or more intermediate machines to cover their tracks.

The FBI did not say whether any progress had been made in locating the perpetrators of the DNS attacks.

Read more on IT risk management