
Net Attack Could Be First of Many, Experts Warn

Future attacks could succeed in bringing down the Internet and are surprisingly simple to launch, security insiders say.

Paul Roberts, IDG News Service


The distributed denial-of-service attack launched Monday against all 13 of the Internet domain name system root servers failed to bring down the Internet, but that doesn't mean that more attacks won't follow and succeed where this week's attack failed, according to experts, some of whom feel that the federal government needs to step in to secure the Net infrastructure.

Monday's attack targeted 13 key servers that translate easy-to-remember URLs into the numeric IP addresses used by computers to communicate. Attackers flooded the DNS servers with Internet traffic using ICMP (Internet Control Message Protocol) at more than 10 times the normal rate of traffic, according to Brian O'Shaughnessy, a spokesperson at VeriSign, which manages the "A" and "J" root servers.

A New Chapter

Such events are nothing new, as past years have seen high-profile attacks against Internet service providers and companies such as Microsoft and EBay. But experts say that Monday's incident opens a new chapter in the history of Internet-based attacks.

"Monday's attack was an example of people not targeting enterprises, but going against the Internet itself by attacking the architecture and protocols on which the Internet was built," says Ted Julian, chief strategist at Arbor Networks of Lexington, Massachusetts.

Factors contributing to such attacks are well known, according to experts. Worms such as Code Red, Nimda, and Slapper have left hundreds--if not thousands--of compromised computers on the Internet, Julian says. Such systems can be used as "zombies" in a DDOS attack. Zombies are machines controlled remotely and used to launch an attack. Reports from Matrix NetSystems Tuesday traced the attacks to Internet hosting service providers in the U.S. and Europe.

Surprisingly Simple

Gerry Brady, chief technology officer for Guardent, says that sophisticated software programs make leveraging those compromised machines a simple matter, even for novice attackers. "With automated attack tools, even inexperienced people can get control of a large number of hosts. The IP addresses and access passwords for those systems are traded on the Internet like you or I used to trade baseball cards," Brady says.

Though the Federal Bureau of Investigation's National Infrastructure Protection Center is investigating the attacks, Brady points out that in the past perhaps the most frequent source of such attacks has been teenagers, not terrorists. "The big drivers we're seeing [in DDOS attacks] are juvenile rivalries--revenge for incidents that might have happened during online gaming. These attacks are not professional or financial in nature. They're random and nondirected," Brady says.

What Lies Ahead

Fortunately, Monday's attacks were not sophisticated. They relied on a simple "packet flood" approach in which information packets in high volume are sent to a server, using a protocol--ICMP--that's not typically seen in very high volumes, Brady and Julian say. Future attacks could be much more sophisticated, they say.

Instead of sending a flood of packets that all use the same protocol, attackers might disguise a DDOS attack as normal traffic--what Julian referred to as a "bandwidth anomaly." In such an attack, nothing about the protocols used or the packets sent would appear unusual, but the volume of traffic would be enough to overwhelm the targeted server.

Even more pernicious, Brady and Julian agree, would be attacks that target the routing infrastructure (as opposed to the DNS infrastructure) of the Internet. The infrastructure of roadways over which Internet traffic passes is more "brittle" than the flexible architecture of DNS, Brady says. "When one backbone goes down, the traffic has to go somewhere," says Brady, recalling that the recent outage on the UUNet Internet backbone operated by WorldCom was felt instantly worldwide.

Government Intervention

More federal management of key components of the Internet infrastructure is needed, Julian and Brady agree. Government involvement could take the form of tax incentives or direct federal funding for private companies and public organizations that manage key DNS servers, to secure their systems. Currently companies, government entities, and nonprofit organizations perform all such management as a free service.

"This showcases a specific vulnerability that requires the government to get involved," Julian says. "If you run a DNS server, what is your monetary incentive to secure it? There is none. This is the number-one area of focus that the government should have."

As for the backbone providers, Brady says that the dire financial condition of most companies that manage the Internet backbone leaves little private money available to ensure the extra capacity if one or more parts of the backbone are attacked. Federal investment could help create and secure a more robust infrastructure.

"If this were voice communications [that were attacked] can you imagine [U.S. Secretary of Defense Donald] Rumsfeld's reaction?" Brady says. "That would be a national security issue. We must acknowledge that this is critical infrastructure, and we have to find remediation."

"This is rich territory for Mr. Clarke and his people," says Julian, referring to Richard Clarke, President Bush's special adviser for cyberspace security.

In the meantime, Brady says that the pattern of past DDOS attacks makes more of them likely in the near future. "I would be worried that we're in a short-term countdown to more infrastructure attacks because they're just so easy to do," Brady says.
