Is the Sky Falling?

Everyone is talking about the appropriate reaction to the DNS root server attack, but no one is actually reacting.

October 28, 2002 (CSO) — Last Monday around 4:30 p.m. Eastern, someone, it seems, tried to take down the Internet.

They did this by launching a well-known, brusque type of distributed denial of service (DDoS) attack, called an ICMP flood, on the Internet's 13 root DNS servers, the machines that translate words like "www.skyisfalling.com" into numbers like 35.128.23.1. (I made those up. Don't bother trying them.)

These 13 computers are peppered throughout the world and each is known by a single letter, A through M. The seven DNS root servers that took the biggest hit were A, G, H, I, J, K and M. The server known as H is found at the U.S. Army Research Lab in Aberdeen, Md. A, G and J are located in Virginia. Server I is in Stockholm, K in London and M in Tokyo.

But DNS translations are also cached on thousands of routers. So, often when you ask for www.skyisfalling.com, you'll get 35.128.23.1 from one of these cached copies squatting on a nearby router. Your request never has to go to the root server. This is a smart architecture; the only way the ICMP flood could have succeeded is if all of the root servers remained down long enough (maybe eight or nine hours) that the router caches started to expire, which would eventually happen when their preset TTL (time to live) ran out.

That didn't happen. According to one report sent out as the attack was winding down, some of the root servers went down, but never all of them. Packet loss by the DNS network approached 10 percent at the attack's apex (normally packet loss is less than one percent) and reachability of DNS servers fell to around 94 percent. Maybe you noticed sluggish Web page loads. Probably you noticed nothing. (Thank you to Ted Julian and Bruce Schneier for the refresher.)
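To make the caching argument concrete, here is a toy simulation added as an illustration (it is not part of the original column). It models one caching resolver holding a single record in front of the 13 root servers; the 8-hour TTL, the timings and the function names are constructed assumptions, not measurements from the attack.

```python
# Added illustration: toy model of a caching resolver in front of 13 root servers.
# TTL and outage timings are constructed values, not data from the 2002 incident.
ROOTS = "ABCDEFGHIJKLM"
HOUR = 3600


class CachingResolver:
    def __init__(self, ttl):
        self.ttl = ttl
        self.expires_at = None  # expiry time of the single cached answer

    def resolve(self, now, roots_down):
        """Return 'cache', 'root' or 'fail' for one lookup at time `now`."""
        if self.expires_at is not None and now < self.expires_at:
            return "cache"                      # fresh copy, no root needed
        if any(r not in roots_down for r in ROOTS):
            self.expires_at = now + self.ttl    # refreshed from a live root
            return "root"
        return "fail"                           # cache expired and no root is up


def failed_lookups(ttl, outage_start, outage_len, roots_down,
                   step=600, span=24 * HOUR):
    """Count failed lookups over `span` seconds, one lookup every `step` seconds."""
    resolver = CachingResolver(ttl)
    failures = 0
    for now in range(0, span, step):
        in_outage = outage_start <= now < outage_start + outage_len
        down = roots_down if in_outage else set()
        if resolver.resolve(now, down) == "fail":
            failures += 1
    return failures


if __name__ == "__main__":
    hit_hardest = set("AGHIJKM")  # the seven servers the column names
    cases = [("7 of 13 down, 10 h", hit_hardest, 10 * HOUR),
             ("13 of 13 down, 1 h", set(ROOTS), 1 * HOUR),
             ("13 of 13 down, 10 h", set(ROOTS), 10 * HOUR)]
    for label, down, length in cases:
        n = failed_lookups(8 * HOUR, 2 * HOUR, length, down)
        print(f"{label}: {n} failed lookups")
```

In this model, lookups fail only in the third case, and only after the cached copy expires partway through the outage.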

Why all the technical talk? We'll get to that in a minute. The point is, the attack wasn't tilting at windmills, but it wasn't what you'd call a surgical strike either. Its legacy will be its target: the very backbone of the Internet. (Even though everyone knew and talked about DNS as a viable target — more proof we really don't care about something until it actually happens.)

There were two types of reaction to the DNS attack. Either it was the beginning of ever more serious attempts to bring down the Internet, or it was an isolated incident. It was either a practice run for some larger cyberterrorist attack, or it was simply, as Bruce Schneier called it, vandalism. On the one side Bill "Ches" Cheswick, a security expert with vendor Lumeta, intoned, "Next time, we may not be so lucky." On the other, John Crain, technical manager of ICANN, glibly called out: "Nothing to see. No dead bodies. Move on."
