Assault on Net servers fails

A distributed denial-of-service attack hits the computers that serve as the address books for the Internet, but the effort appears to have little real effect.

Robert Lemos Staff Writer, CNET News.com

An attempt to cripple the computers that serve as the address books for the Internet failed on Monday.

The so-called distributed denial-of-service attack sent a barrage of data at the 13 domain-name service root servers beginning around 1 p.m. PDT Monday, and as of Tuesday afternoon, it appeared to be continuing, according to Matrix NetSystems, an Austin, Texas, company that measures Internet performance.

Traffic from several Internet service providers has been slightly delayed, but because the domain name system, or DNS, is spread out and because the 13 root servers are the last resort for address searches, the attack had almost no effect on the Internet itself.

"There was never an end-user that said there was a problem," said Paul Vixie, chairman of the Internet Software Consortium, a group that supports the open-source software on which many domain name servers run.

The group also administers one of the 13 computers--specifically, the "F" server--that routinely match Internet addresses. Like a telephone book, domain name servers link a name with a number, in this case a Web site name such as "cnet.com" with its numerical Internet Protocol address. The system also works in a layered manner, so that someone who wants to go to a specific address is first directed to a local server. If the domain is not found, then the request gets bumped up to a domain name server for the top-level domain, such as ".com."

Requests only rarely consult the root servers. Most requests that the ISC's "F" server sees, Vixie said, are from poorly designed networks that don't cache earlier answers to requests for information.

"We answer a request and then two milliseconds later get another request from the same user for the same domain," he said.

The "F" server responds to more than 270 million domain-name service queries each day, according to its site.

While Vixie took issue with reports that the attack had been the "largest ever," he did say that aspects of the data flood made it unusual. "There have been (previous) attacks against the root domain servers--yes," he said. "But it is rare to have attacks against all 13 at the same time."

Still, the results were not severe. The attack, at its peak, only caused 6 percent of domain name service requests to go unanswered, according to Matrix NetSystems. The DNS system normally responds almost 100 percent of the time.

The 13 domain-name service root servers are designated "A" through "M." The most affected servers, according to Matrix NetSystems, were the "A" and "J" servers owned by VeriSign Global Registry Services in Herndon, Va.; the "G" server owned by the U.S. Department of Defense Network Information Center in Vienna, Va.; the "H" server at the U.S. Army Research Lab in Aberdeen, Md.; the "I" server, located in Stockholm; the "K" server, located in London; and the "M" server, located in Tokyo.

About 4,000 denial-of-service attacks hit the Internet in the average week, according to data collected by the Cooperative Association for Internet Data Analysis. Many of those are aimed at domain name servers.

Attacks that broadly affect the Internet are rare. In April 1997, a misconfigured router advertised itself to the Internet as the quickest gateway to every other server and caused a ripple that affected communications for several hours.