Information Security News mailing list archives

Net attack flops, but threat persists


From: InfoSec News <isn () c4i org>
Date: Thu, 24 Oct 2002 01:45:53 -0500 (CDT)

http://news.com.com/2100-1001-963095.html?tag=fd_lede1_hed

By Robert Lemos 
Staff Writer, CNET News.com
October 23, 2002, 1:10 PM PT

news analysis: A widespread but unsophisticated attack on the
computers that act as the address books for the Internet failed to
cause any major problems, but experts warn that more security is
necessary.

Beginning Monday, a flood of data barraged the Internet's 13
domain-name service (DNS) root servers in what's known as a
denial-of-service attack. But the simple nature of the attack, and the
system's resiliency, allowed administrators to quickly block the data
stream.

According to security experts, a more sophisticated attack could have
disrupted the root servers long enough to impair Net access. Had the
attack prevented access to the servers for eight to 10 hours, the
average computer user may have noticed slower response times, said
Craig Labovitz, director of network architecture for denial-of-service
prevention firm Arbor Networks.

"If someone can really take over the infrastructure, it becomes a very
different ball game," he said.

Although the attack failed to hobble the Net, there were indications
Wednesday that it wasn't over yet, continuing at a lower intensity. In
addition, locating the perpetrators will be difficult because the type
of attack they used--known as a distributed
denial-of-service--typically masks the origins of the assault.

In the wake of the attack, some of the companies and organizations
that maintain the 13 key servers have pledged to reassess the security
of the computers for which they are responsible.

VeriSign, which maintains two root servers as well as just over a
dozen .com top-level domain servers, is evaluating whether it needs to
revamp security, said company spokesman Brian O'Shaughnessy.

"VeriSign always looks for ways to improve its security," he said. "We
are in a fluid environment--the bad guys always try to do bad things."

O'Shaughnessy refuted claims that the company's two charges--the "A"
and "J" root servers--went down during the onslaught. "That's wrong,"
he said. "Two of the four that stayed up were ours."

Monday's assault took down seven of the 13 servers for as long as
three hours, according to Internet performance measuring service
Matrix NetSystems. The attack took the form of a data flood, sending a
deluge of Internet control message protocol (ICMP) packets to the 13
root servers, which maintain the addresses for the hundreds of
top-level domain servers. Top-level domains are recognized by familiar
suffixes such as .com, .org and .uk.

ICMP packets carry network data used for reporting errors or checking
network connectivity, as in the case of the common "ping" packet. A
flood of such data can block access to servers by clogging bottlenecks
in the network infrastructure, thus preventing legitimate data from
reaching its destination.

However, ICMP data is not essential to network administration, and
many servers and the routers that direct data to its destination tend
to block the protocol. That's precisely what administrators did Monday
afternoon to stop the flood of data from reaching the DNS root
servers.

Continuing and future attacks

Still, experts are concerned about a better executed attack.

"(This attack) didn't impact the Internet much, because the Internet
is resilient and operators were quick to respond," said Tiffany Olsen,
spokeswoman for the President's Critical Infrastructure Board, the
group responsible for creating the United States' National Strategy to
Secure Cyberspace. However, there "will be larger attacks than this
one was."

The FBI has opened an investigation into the attacks, but the agency
will have a hard time finding the responsible person or group because
the distributed attack randomized the source information on each piece
of data, experts said.

Despite that difficulty, security experts say that whoever executed
the attack wasn't very good.

"There are tens and dozens of scripts and tools that could have
generated an attack of this kind," said Arbor's Labovitz. "It wouldn't
even require a computer scientist, or even a wily hacker, to do this."

Meanwhile, Matrix NetSystems said Wednesday that the attack may be
ongoing. "There are five servers right now that are showing issues,"
said company CEO Bill Palumbo. He acknowledged that the five may be
down for maintenance or other reasons, but said that there are still
delays in requests for domain name information.

Like a telephone book, domain name servers link a name, such as
"cnet.com," with its numerical Internet Protocol address.

The system also works in a layered manner, so that someone who wants
to go to a specific address is first directed to a local server. If the
domain is not found there, the request gets bumped up to a domain name
server for the top-level domain, such as ".com."

Requests only rarely consult the root servers, usually when a new name
server is added locally. In addition, each entry in a DNS server has
an expiration date, known as the time to live (TTL). When that time
arrives, the entry is supposed to be deleted and the local DNS server
has to ask the top-level domain server for the latest address
information.

"You have to realize that there are several tens of thousands of new
routes advertised every day," said Matrix NetSystem's Palumbo.
"Because of that, the authoritative nature of a cache deteriorates
rather rapidly."

Thus, even a complete outage of all 13 DNS root servers wouldn't bring
the Internet to a halt, unless it went on for hours or days--time
enough for the local DNS caches to expire.
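The caching behaviour the article describes can be made concrete with a small model. The following is an added illustration, not code from the article or from any of the organizations it names: a toy caching resolver with constructed zone data (the server names, addresses and TTL values are invented), whose root servers can be switched off, showing that queries keep succeeding from cache until the cached root referral's TTL expires.

```python
"""Constructed toy model of a caching DNS resolver whose root servers can be
cut off, illustrating why a root outage shorter than the cached TTLs is
invisible to clients while a longer one is not. Not the article's own code."""
from dataclasses import dataclass


@dataclass
class Cached:
    value: str
    expires_at: int  # absolute time in seconds


# Constructed sample data. The root tells the resolver which server is
# authoritative for each TLD; each TLD server maps names to addresses.
# Referrals carry a long TTL, individual answers a short one (seconds).
ROOT = {"com": ("tld-com.example", 3600), "org": ("tld-org.example", 3600)}
TLDS = {"tld-com.example": {"cnet.com": ("192.0.2.10", 300)},
        "tld-org.example": {"attrition.org": ("192.0.2.20", 300)}}


class Resolver:
    def __init__(self):
        self.cache = {}
        self.root_reachable = True
        self.root_queries = 0  # how often the root was actually consulted

    def _lookup(self, key, now):
        entry = self.cache.get(key)
        if entry and entry.expires_at > now:
            return entry.value
        self.cache.pop(key, None)  # TTL has passed: drop the stale entry
        return None

    def resolve(self, name, now):
        """Return the address for name, or None when resolution fails."""
        addr = self._lookup(name, now)
        if addr:
            return addr  # answered straight from cache, no servers contacted
        tld = name.rsplit(".", 1)[-1]
        tld_server = self._lookup("NS:" + tld, now)
        if tld_server is None:
            if not self.root_reachable or tld not in ROOT:
                return None  # referral expired and the root cannot be asked
            self.root_queries += 1
            tld_server, ttl = ROOT[tld]
            self.cache["NS:" + tld] = Cached(tld_server, now + ttl)
        record = TLDS[tld_server].get(name)
        if record is None:
            return None  # name does not exist in the TLD zone
        addr, ttl = record
        self.cache[name] = Cached(addr, now + ttl)
        return addr


def simulate_root_outage():
    """Warm the cache, cut off the root, then query at increasing delays."""
    r = Resolver()
    r.resolve("cnet.com", now=0)  # caches NS:com (3600s) and cnet.com (300s)
    r.root_reachable = False
    return [r.resolve("cnet.com", now=t) for t in (60, 600, 3000, 4000)]
```

The first three queries after the outage still succeed (from the answer cache, then via the cached .com referral); only the fourth, issued after the referral's TTL has elapsed, fails.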

Paul Mockapetris, the inventor of DNS and chief scientist for
domain-name software company Nominum, said that compared to the 300 or
so records that each root server contains, a future target that
administrators should worry about is the 3 million or so records held
by the .com DNS servers.

"The root servers will be harder in a month than they are today," he
said. "This was really sort of--to borrow from Afghanistan--was 'dumb
bombs,' and you have to worry about more sophisticated attacks in the
future."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.