Feds investigating ‘largest ever’ Internet attack

Attack of the Drones


US Federal authorities are investigating an attack on the internet that has been described as the "largest and most complex" in history. Rather than a specific entity, the attack was aimed at the domain name system's root servers, essentially at the internet itself, writes Kevin Murphy.

In a distributed denial of service attack that began 5pm US Eastern time Monday and lasted one hour, seven of the 13 servers at the top of the internet's domain name system hierarchy were rendered virtually inaccessible, sources told ComputerWire.

"We're aware of that [the attack] and the National Infrastructure Protection Agency is addressing the matter," an FBI spokesperson told ComputerWire. No more information on the investigation was available.

According to a source that preferred not to be named, the recently formed Department of Homeland Security is involved in the investigation, as well as the FBI, suggesting that authorities are concerned the attack may have originated overseas.

"It was the largest and most complex DDoS attack on all 13 roots," a source familiar with the attacks said. "Only four of the primary 13 root servers were up during the attack. Seven were completely down and two were suffering severe degradation."

The source said each of the servers was hit by two to three times the load normally borne by the entire 13-server constellation. Paul Vixie, chairman of the Internet Software Consortium, which manages one of the servers, said he saw 80Mbps of traffic to the box, which usually only handles 8Mbps.

In a DDoS flood attack, hackers take control of dozens or hundreds of "slave" or "drone" machines, then instruct them remotely to simultaneously flood specified IP addresses. The attack is believed to have been an ICMP (Internet Control Message Protocol) ping flood, which stops networked devices from responding to legitimate traffic by pounding them with spurious packets.

Freely downloadable hacker tools such as Tribe Flood Network, Trinity and Stacheldraht can be used to launch ICMP floods. One such tool was used memorably against Amazon, eBay and other big sites in the Mafiaboy attacks of February 2000. Mafiaboy, a Canadian schoolboy, was eventually caught after bragging to friends about the attacks.

The DNS root servers are the master lists of domain names and IP addresses on the internet, the machines from which all DNS lookup information flows. If they were taken offline or became inaccessible, any application that uses domain names (email and browsers at the low end) would ultimately stop functioning properly.

The best way to counter these kinds of attacks is "massive over-provisioning", said the ISC's Vixie. He added that the attack did not actually crash any of the root servers, rather it congested devices upstream of the servers themselves, so that very little legitimate traffic could get through.

A spokesperson for VeriSign Inc, which manages another root server, said: "VeriSign expects that these sort of attacks will happen, and VeriSign was prepared. VeriSign responded quickly, and we proactively cooperated with fellow providers and authorities."

Louis Touton, VP of the Internet Corp for Assigned Names and Numbers (ICANN), which runs another server, said that these types of attacks against root servers are common, but that the scale and the fact that all 13 servers were targeted set Monday's incident apart. He pointed out that no end users were affected.

DDoS attackers operate with at least one degree of separation from their targets, and use spoofed source IP addresses to make tracing them virtually impossible. According to Vixie, the only way to stop such attacks happening in future is to make it too hard to execute them and get away with it.

"The most important thing to come to light here has been known for some time. We've got to find a way to secure all the end stations that forge this traffic," Vixie said. "There's an army of drones sitting out there on DSL lines... There's no security at the edge of the network. Anyone can send packets with pretty much any source address."
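The edge-network control Vixie is describing is source-address validation on outbound traffic: an access network only forwards packets whose source address belongs to one of its own prefixes, so a compromised drone cannot forge an arbitrary source. The following is an added illustration, not code from the article or from ISC; the prefixes and packets are constructed sample data.

```python
import ipaddress

# Constructed: the address blocks this access network legitimately originates traffic from.
OWN_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def is_forged_source(src: str, own_prefixes=OWN_PREFIXES) -> bool:
    """True if an outbound packet's source address lies outside every local prefix."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in own_prefixes)


def filter_outbound(packets, own_prefixes=OWN_PREFIXES):
    """Split outbound packets into (forwarded, dropped).

    Packets with a forged source are dropped at the edge, before they can reach
    a flood target with an untraceable origin.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        bucket = dropped if is_forged_source(pkt["src"], own_prefixes) else forwarded
        bucket.append(pkt)
    return forwarded, dropped


# Constructed sample of outbound ICMP echo requests as an edge router would see them.
SAMPLE_PACKETS = [
    {"src": "203.0.113.10", "dst": "192.0.2.1", "proto": "icmp"},    # local, forwarded
    {"src": "198.51.100.7", "dst": "192.0.2.1", "proto": "icmp"},    # local, forwarded
    {"src": "192.0.2.200", "dst": "192.0.2.1", "proto": "icmp"},     # forged: not ours
    {"src": "10.9.8.7", "dst": "192.0.2.1", "proto": "icmp"},        # forged: private space
    {"src": "198.51.100.200", "dst": "192.0.2.1", "proto": "icmp"},  # forged: outside the /25
]

if __name__ == "__main__":
    kept, binned = filter_outbound(SAMPLE_PACKETS)
    print(f"forwarded {len(kept)}, dropped {len(binned)} forged-source packets")
    for pkt in binned:
        print("  dropped spoofed source", pkt["src"])
```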

Richard Probst, VP of product management at DNS specialist Nominum Inc, observed the attacks, and said it was interesting that the hacker chose to attack the root servers for only one hour.

Only a sustained attack on the root servers would have had an impact on end users, whose resolvers tend to answer DNS lookups in the first instance from data cached locally at their ISP. It is only after a longer period, when cached data starts to expire, that an offline root server could cause problems.
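Why a one-hour root outage goes unnoticed while a longer one does not comes down to record TTLs in the ISP's cache. The toy resolver below is an added example, not code from the article; it simplifies by treating every cache miss as needing the root servers (a real resolver also caches TLD delegations), and the outage window, name and TTLs are constructed.

```python
from dataclasses import dataclass


@dataclass
class CacheEntry:
    answer: str
    expires_at: float  # absolute time in seconds at which the TTL runs out


class IspResolver:
    """Toy caching resolver. Assumption for this illustration: any cache miss must
    reach the root servers, so a root outage turns misses into failures."""

    def __init__(self, records, root_reachable):
        self.records = records                # name -> (answer, ttl_seconds), constructed
        self.root_reachable = root_reachable  # callable(now) -> bool
        self.cache = {}

    def lookup(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit.expires_at:
            return hit.answer, "cache"      # served without touching the roots
        if not self.root_reachable(now):
            return None, "servfail"         # cache empty or expired and roots unreachable
        answer, ttl = self.records[name]
        self.cache[name] = CacheEntry(answer, now + ttl)
        return answer, "root"


OUTAGE = (3600.0, 7200.0)  # constructed: roots unreachable from t=1h to t=2h


def root_reachable(now):
    return not (OUTAGE[0] <= now < OUTAGE[1])


def run_timeline(ttl, times=(0.0, 3700.0, 7100.0, 7300.0)):
    """Query one name at fixed times and report how each query was answered."""
    resolver = IspResolver({"www.example.com": ("192.0.2.80", ttl)}, root_reachable)
    return [resolver.lookup("www.example.com", t)[1] for t in times]


if __name__ == "__main__":
    # A 2h TTL rides out the outage from cache; a 30min TTL expires mid-outage and fails.
    for ttl in (7200, 1800):
        print(f"TTL {ttl:>5}s: {run_timeline(ttl)}")
```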

"The root servers don't actually get as much traffic as others, such as those that handle .com," Probst said. "It makes you wonder whether they were trying to stop things, or to show their knowledge of the system. It's almost as if these folks were exploring to see how the system would respond to this level of attack."

© ComputerWire

Related story

Root server DoS attack slows net
