Verisign relocates DNS server to reduce risk of attack

To make the 13 computer servers that run the Internet's core addressing system more secure, the two machines operated by VeriSign in the US have been physically and electronically separated to make them less vulnerable to attack.

VeriSign spokeswoman Cheryl Regan acknowledged that the two US Domain Name System (DNS) servers were reconfigured earlier this week as part of a planned safety enhancement to the system.

Previously, both DNS servers in the US were located in the same room of a VeriSign building in Virginia. Both DNS servers were also previously set up on the same network subnet, so a single attack could reach both of them at the same time.

The DNS servers take easy-to-remember Web site domain names and convert them into the numerical IP addresses used by computers. A distributed denial-of-service (DDoS) attack occurs when an attacker sends more traffic to the servers than they can handle, overloading them so that they can no longer respond to legitimate requests.

Now, one of the two servers has been relocated to a different location and the two machines are on separate subnets, improving their resistance to attacks by hackers.
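The risk the article describes, two nameservers on one subnet, is easy to check for in any zone. The following is an added example, not code from the article or from VeriSign: given a constructed mapping of nameserver hostnames to the addresses they resolve to (hypothetical values), it groups the servers by subnet and reports any subnet that holds more than one of them, since those would fail together under a single flood or link outage.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input (hypothetical names and addresses, not real servers):
# a zone's authoritative nameservers and the addresses they resolve to.
SAMPLE_NS = {
    "ns1.example.net": "192.0.2.10",
    "ns2.example.net": "192.0.2.20",      # same /24 as ns1: shared failure domain
    "ns3.example.net": "198.51.100.5",
    "ns4.example.net": "2001:db8:1::53",
    "ns5.example.net": "2001:db8:1::54",  # same /48 as ns4
}


def subnet_of(addr, v4_prefix=24, v6_prefix=48):
    """Return the containing subnet (as a string) for an IPv4 or IPv6 address.
    The prefix lengths are assumptions standing in for 'one routed subnet'."""
    ip = ipaddress.ip_address(addr)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def shared_subnet_groups(ns_to_addr):
    """Group nameservers by subnet and return only the subnets that contain
    more than one server, i.e. the ones that are not topologically diverse."""
    groups = defaultdict(list)
    for name, addr in ns_to_addr.items():
        groups[subnet_of(addr)].append(name)
    return {net: sorted(names) for net, names in groups.items() if len(names) > 1}


def distinct_subnet_count(ns_to_addr):
    """Number of distinct subnets the nameserver set spans."""
    return len({subnet_of(addr) for addr in ns_to_addr.values()})


if __name__ == "__main__":
    print(f"{distinct_subnet_count(SAMPLE_NS)} distinct subnets")
    for net, names in shared_subnet_groups(SAMPLE_NS).items():
        print(f"WARNING: {', '.join(names)} share {net}")
```

Replacing SAMPLE_NS with the output of a real lookup of a zone's NS records turns this into a routine diversity check; diversity of autonomous systems and physical sites, which the article also describes, needs data the addresses alone do not give.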

The other 11 DNS servers in the Internet system are operated by other groups around the world.

Last month, all 13 of the Internet's root DNS servers were hit by a massive DDOS attack. Eight or nine of the servers were disabled by the attack, which lasted for about an hour.

Regan said this week's system changes had been planned long before the October attack and were not a reaction to that incident.

Alan Paller, research director at the SANS Institute, a security research and education group, called the relocation of one of the two DNS servers "a good small step".

Even more important, he added, are the changes needed that could help block DDOS attacks as they begin through the systems run by Internet service providers, before they even reach the Internet backbone. "I see a lot of work being done in that area," Paller said.

IDC security analyst Charles Kolodgy agreed that the VeriSign configuration changes were a good idea in terms of disaster recovery.

Kolodgy said similar DDOS lessons were learned last year by Microsoft, when the company had all four of its own DNS servers located on one network, like the previous VeriSign configuration.

A hacker attack in January 2001 crippled Microsoft's name servers for days because they had been assembled as one system, rather than with redundant capacity.
