Feds investigating ‘largest ever’ Internet attack

Attack of the Drones

  • alert
  • submit to reddit

Seven Steps to Software Security

US Federal authorities are investigating an attack on the internet that has been described as the "largest and most complex" in history. Rather than a specific entity, the attack was aimed at the domain name system's root servers, essentially at the internet itself, writes Kevin Murphy.

In a distributed denial of service attack that began 5pm US Eastern time Monday and lasted one hour, seven of the 13 servers at the top of the internet's domain name system hierarchy were rendered virtually inaccessible, sources told ComputerWire.

"We're aware of that [the attack] and the National Infrastructure Protection Agency is addressing the matter," an FBI spokesperson told ComputerWire. No more information on the investigation was available.

According to a source that preferred not to be named, the recently formed Department of Homeland Security is involved in the investigation, as well as the FBI, suggesting that authorities are concerned the attack may have originated overseas.

"It was the largest and most complex DDoS attack on all 13 roots," a source familiar with the attacks said. "Only four of the primary 13 root servers were up during the attack. Seven were completely down and two were suffering severe degradation."

The source said each of the servers was hit by two to three times the load normally born by the entire 13-server constellation. Paul Vixie, chairman of the Internet Software Consortium, which manages one of the servers, said he saw 80Mbps of traffic to the box, which usually only handles 8Mbps.

In a DDoS flood attack, hackers take control of dozens or hundreds of "slave" or "drone" machines, then instruct them remotely to simultaneously flood specified IP addresses. The attack is believed to have been an ICMP (Internet Control Message Protocol) ping flood, which stops networked devices responding to traffic by pounding them with spurious packets.

Freely downloadable hacker tools such as Tribe Flood Network, Trinity and Stacheldraht can be used to launch ICMP floods. One such tool was used memorably against Amazon, eBay and other big sites in the Mafiaboy attacks of February 2000. Mafiaboy, a Canadian schoolboy, was eventually caught after bragging to friends about the attacks.

The DNS root servers are the master lists of domain names and IP addresses on the internet, the machines from which all DNS lookup information flows. If they were taken offline or became inaccessible, any application that uses domain names (email and browsers at the low end) would ultimately stop functioning properly.

The best way to counter these kinds of attacks is "massive over-provisioning", said the ISC's Vixie. He added that the attack did not actually crash any of the root servers, rather it congested devices upstream of the servers themselves, so that very little legitimate traffic could get through.

A spokesperson for VeriSign Inc, which manages another root server, said: "VeriSign expects that these sort of attacks will happen, and VeriSign was prepared. VeriSign responded quickly, and we proactively cooperated with fellow providers and authorities."

Louis Touton, VP of the Internet Corp for Assigned Names and Numbers (ICANN) which runs another server, said that these types of attacks against root servers are common, but that the scale and the fact that all 13 servers were targeted set Monday's incident apart. He pointed out that no end users were affected.

DDoS attackers operate with at least one degree of separation from their targets, and use spoofed source IP addresses to make tracing them virtually impossible. According to Vixie, the only way to stop such attacks happening in future is to make it too hard to execute them and get away with it.

"The most important thing to come to light here has been known for some time. We've got to find a way to secure all the end stations that forge this traffic," Vixie said. "There's an army of drones sitting out there on DSL lines... There's no security at the edge of the network. Anyone can send packets with pretty much any source address."

Richard Probst, VP of product management at DNS specialist Nominum Inc, observed the attacks, and said it was interesting that the hacker chose to attack the root servers for only one hour.

Only a sustained attack on the root servers would have had an impact on end users, which tend to do DNS lookups in the first instance on data cached locally at their ISP. It is only after a longer period, when cached data starts to purge, that an offline root server could cause problems.

"The root servers don't actually get as much traffic as others, such as those that handle .com, " Probst said. "It makes you wonder whether they were trying to stop things, or to show their knowledge of the system. It's almost as if these folks were exploring to see how the system would respond to this level of attack."

© ComputerWire

Related story

Root server DoS attack slows net

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story


Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.