Feds investigating ‘largest ever’ Internet attack

Attack of the Drones


US Federal authorities are investigating an attack on the internet that has been described as the "largest and most complex" in history. Rather than a specific entity, the attack was aimed at the domain name system's root servers, essentially at the internet itself, writes Kevin Murphy.

In a distributed denial of service attack that began 5pm US Eastern time Monday and lasted one hour, seven of the 13 servers at the top of the internet's domain name system hierarchy were rendered virtually inaccessible, sources told ComputerWire.

"We're aware of that [the attack] and the National Infrastructure Protection Agency is addressing the matter," an FBI spokesperson told ComputerWire. No more information on the investigation was available.

According to a source that preferred not to be named, the recently formed Department of Homeland Security is involved in the investigation, as well as the FBI, suggesting that authorities are concerned the attack may have originated overseas.

"It was the largest and most complex DDoS attack on all 13 roots," a source familiar with the attacks said. "Only four of the primary 13 root servers were up during the attack. Seven were completely down and two were suffering severe degradation."

The source said each of the servers was hit by two to three times the load normally borne by the entire 13-server constellation. Paul Vixie, chairman of the Internet Software Consortium, which manages one of the servers, said he saw 80Mbps of traffic to the box, which usually only handles 8Mbps.

In a DDoS flood attack, hackers take control of dozens or hundreds of "slave" or "drone" machines, then instruct them remotely to simultaneously flood specified IP addresses. The attack is believed to have been an ICMP (Internet Control Message Protocol) ping flood, which stops networked devices from responding to legitimate traffic by pounding them with spurious packets.

Freely downloadable hacker tools such as Tribe Flood Network, Trinity and Stacheldraht can be used to launch ICMP floods. One such tool was used memorably against Amazon, eBay and other big sites in the Mafiaboy attacks of February 2000. Mafiaboy, a Canadian schoolboy, was eventually caught after bragging to friends about the attacks.

The DNS root servers are the master lists of domain names and IP addresses on the internet, the machines from which all DNS lookup information flows. If they were taken offline or became inaccessible, any application that uses domain names (email and browsers at the low end) would ultimately stop functioning properly.

The best way to counter these kinds of attacks is "massive over-provisioning", said the ISC's Vixie. He added that the attack did not actually crash any of the root servers, rather it congested devices upstream of the servers themselves, so that very little legitimate traffic could get through.

A spokesperson for VeriSign Inc, which manages another root server, said: "VeriSign expects that these sort of attacks will happen, and VeriSign was prepared. VeriSign responded quickly, and we proactively cooperated with fellow providers and authorities."

Louis Touton, VP of the Internet Corp for Assigned Names and Numbers (ICANN), which runs another server, said that these types of attacks against root servers are common, but that the scale and the fact that all 13 servers were targeted set Monday's incident apart. He pointed out that no end users were affected.

DDoS attackers operate with at least one degree of separation from their targets, and use spoofed source IP addresses to make tracing them virtually impossible. According to Vixie, the only way to stop such attacks happening in future is to make it too hard to execute them and get away with it.

"The most important thing to come to light here has been known for some time. We've got to find a way to secure all the end stations that forge this traffic," Vixie said. "There's an army of drones sitting out there on DSL lines... There's no security at the edge of the network. Anyone can send packets with pretty much any source address."
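As an added illustration of the edge-side source-address validation Vixie is calling for (this is not ComputerWire's, ISC's or any vendor's code), the Python below runs a BCP 38-style ingress check and an ICMP echo-rate check over constructed flow records; the port-to-prefix map, the 192.0.2.53 target and every other address are made-up placeholders, not real root-server or customer addresses.

```python
"""Ingress filtering at a provider edge plus ICMP echo flood spotting.
Added example over constructed flow records; not the article's or ISC's code."""
import ipaddress
from collections import Counter

# Constructed: the customer prefix legitimately behind each edge (DSL) port.
PORT_PREFIXES = {
    "dsl-port-1": ipaddress.ip_network("198.51.100.0/28"),
    "dsl-port-2": ipaddress.ip_network("198.51.100.16/28"),
}

# Constructed flow records: (ingress port, src, dst, proto, icmp type, packets in window).
# 192.0.2.53 is a placeholder standing in for a root-server address.
FLOWS = [
    ("dsl-port-1", "198.51.100.5", "192.0.2.53", "icmp", 8, 120000),    # real src, flood volume
    ("dsl-port-1", "203.0.113.7", "192.0.2.53", "icmp", 8, 250000),     # forged src, outside port prefix
    ("dsl-port-2", "10.9.8.7", "192.0.2.53", "icmp", 8, 180000),        # forged src
    ("dsl-port-2", "198.51.100.20", "192.0.2.53", "udp", None, 40),     # ordinary DNS queries
    ("dsl-port-1", "198.51.100.6", "198.51.100.99", "icmp", 8, 3),      # ordinary ping
]

def is_spoofed(port, src):
    """BCP 38-style check: a source address must fall inside the prefix assigned to its port."""
    return ipaddress.ip_address(src) not in PORT_PREFIXES[port]

def filter_flows(flows):
    """Split records into (forwarded, dropped) the way an ingress filter at the edge would."""
    forwarded, dropped = [], []
    for rec in flows:
        (dropped if is_spoofed(rec[0], rec[1]) else forwarded).append(rec)
    return forwarded, dropped

def echo_flood_targets(flows, pps_threshold, window_s):
    """Destinations receiving ICMP echo requests (type 8) above pps_threshold over the window."""
    per_dst = Counter()
    for _port, _src, dst, proto, itype, pkts in flows:
        if proto == "icmp" and itype == 8:
            per_dst[dst] += pkts
    return {dst: pkts / window_s for dst, pkts in per_dst.items() if pkts / window_s > pps_threshold}

def attributable_sources(forwarded, dst):
    """After filtering, each remaining echo source maps to one physical port, so it can be traced."""
    return {src: port for port, src, d, proto, itype, _ in forwarded
            if d == dst and proto == "icmp" and itype == 8}
```

Filtering removes the forged traffic but not the drone sending under its real address; the point is that what remains is attributable to a port, which is what makes the remaining flood tractable.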

Richard Probst, VP of product management at DNS specialist Nominum Inc, observed the attacks, and said it was interesting that the hacker chose to attack the root servers for only one hour.

Only a sustained attack on the root servers would have had an impact on end users, whose DNS lookups are answered in the first instance from data cached locally at their ISP's resolvers. It is only after a longer period, when that cached data starts to expire, that an offline root server could cause problems.

"The root servers don't actually get as much traffic as others, such as those that handle .com," Probst said. "It makes you wonder whether they were trying to stop things, or to show their knowledge of the system. It's almost as if these folks were exploring to see how the system would respond to this level of attack."

© ComputerWire
