Key Net servers in suspected attack
By Joris Evers, CNET News.com
Published on ZDNet News: February 6, 2007, 5:53 PM PT
There are signs that hackers attacked key parts of the backbone of the Internet on Tuesday, but no damage seems to have been done, experts said.
The attack appears to have focused on the Domain Name System, which maps text-based domain names, such as “News.com,” to the actual numeric IP addresses of servers connected to the Internet, and vice versa. Several key DNS servers saw traffic spike in the early in the morning on Tuesday, several experts said–a sign of an attack.
“It is an unusual large amount of traffic that is hitting DNS servers,” said John Crain, chief technical officer at the Internet Corporation for Assigned Names and Numbers, which operates one of the main so-called root DNS servers. “We see large attacks on a regular basis, but this hit quite a few servers, so it was fairly large,” he said.
Yet the DNS servers were able to withstand the onslaught, Crain added. “It was irritating. It ruined my night’s sleep. It was extraordinary in the fact that it happened to multiple systems at once, but this is not affecting Internet users,” he said.
DNS serves as the address books for the Internet. There are 13 official root DNS servers, which sit at the top of the DNS hierarchy. These root servers get queried only if other DNS servers, like those at an internet service provider, don’t have the right IP address for a specific Web site.
If part of the DNS system goes down, Web sites could become unreachable and e-mail could become undeliverable. But DNS is built to be resilient, and attacks on the system are rare. In 2002, a similar denial-of-service attack also failed.
“The main thing is that there was very little impact on the general public, the servers were able to hold up against the attacks,” said Zully Ramzan, a researcher at Symantec Security Response. “The Internet in general was designed to even withstand a nuclear attack.”
The barrage of data being apparently targeted at the DNS system started at around 2.30 a.m. Pacific Time on Tuesday. Multiple root servers saw a traffic spike, but the “G” server, run by the U.S. Department of Defense, and “L,” run by ICANN, seem to have gotten the brunt of it, Ramzan said. ICANN’s Crain confirmed that impression.
While ICANN and Symantec didn’t see any effect on the Internet at large, Internet service provider Neustar did see slow downs on the Net. “We would call it a brownout instead of a blackout. It was significant, but it did not take anything down,” a representative for the company said.
The true cause of the traffic surge still needs to be determined, both Ramzan and Crain said.