On 21 October at 9pm, somebody initiated an hour-long attack on the foundations of the Internet. The distributed denial-of-service (DDoS) attack troubled or disabled nine of the 13 root DNS servers - the core of the system supporting memorable Net addresses in place of raw IP numbers.
If the attack had crippled all the DNS roots, the result would have been insidious rather than catastrophic. DNS caches worldwide would have grown stale, with increasing failure rates. "[If] you take the root servers out, you don't know how long you can work without them," said Alan Paller, director of research at security body the Sans Institute.
It doesn't take a genius to organise a DDoS attack. More damaging, but much more difficult, would be to garble the root DNS data itself. On 17 July 1997, the data on seven of the then nine root servers was corrupted by accident and left unfixed for four hours. Widespread name-resolution failures quickly resulted.
Of course, the root server operators put a lot of effort into securing systems against would-be garblers. But while a DDoS attack is easier to set up than a successful database hack, defending a system against DDoS attacks is arguably a lot harder than keeping out hackers.
That's because the DDoS idea is to overwhelm the victim's legitimate lines of communication. Once the flood arrives, it can be tough to discard the attacking traffic without locking out every other user. The Internet Engineering Task Force has pondered the problem and offered a partial answer in RFC 2827 (also known as BCP 38). This recognises that forged traffic has to be stopped near its source, before it reaches the victim.
In the root server attack, the hacker used a "Smurf" technique, or something similar, relying on a flood of ICMP "ping" (echo request) messages.
To mount a Smurf attack, the hacker first amasses an army of compromised machines - called drones, slaves or zombies - owned by others around the Net. Each is planted with software set to launch the attack at a pre-arranged time. Once triggered, the drones send streams of ICMP echo requests to the directed-broadcast addresses of networks whose border routers still forward such traffic. Every host on each of those networks answers the broadcast, so a single packet from a drone becomes hundreds of replies. This is what multiplies the number of machines involved in the eventual attack. According to Netscan.org, there are currently more than 25,000 such "amplifier" networks available as a result of poor network administration.
Each ICMP packet is sent out with a forged source address - in this case the address of a root DNS server. Every host that receives the broadcast therefore sends its echo reply to the DNS server, swamping it with unsolicited replies to requests it never made.
As RFC 2827 notes, forged source addresses can only be detected close to their origin, before the packets mix with traffic from elsewhere. ISPs know the range of IP addresses assigned to each customer, so they can drop any packet leaving a customer network that claims a source address outside that range. Similarly, corporate firewalls should be set to detect and block packets leaving the network that claim a source address outside it.
Unfortunately, these measures are not widely implemented, thanks to a mixture of denial, complacency and cost constraints. Cost, really, should not be the governing factor: the filter amounts to a few lines of router or firewall configuration. Note that egress filtering protects other people's networks from your machines rather than your network from theirs, which is exactly why it only works if everyone does it. Ask your ISP whether it implements RFC 2827 and, if not, why not. And if you haven't already done so, set up outgoing address filtering at your firewall.
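The following is an added example, not code from the article or from any root server operator. It builds a raw IPv4/ICMP echo request the way a Smurf drone would (with a caller-chosen source address) and then applies the two checks described above: the RFC 2827 egress filter at the drone's ISP, and the directed-broadcast check at the amplifier network's border router. All addresses are from the RFC 5737 documentation ranges and are assumptions: 203.0.113.0/24 stands in for an ISP customer block, 198.51.100.0/24 for a poorly administered LAN, and 192.0.2.53 for a root server's address.

```python
import ipaddress
import struct

# Constructed sample addressing (RFC 5737 documentation ranges), not real networks.
ISP_CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed: block served by the ISP's edge router
AMPLIFIER_LAN = ipaddress.ip_network("198.51.100.0/24")           # assumed: LAN that still forwards directed broadcasts
VICTIM_DNS = "192.0.2.53"                                         # assumed stand-in for a root server address


def checksum(data):
    """Internet (RFC 1071) one's-complement checksum used by both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo_request(src, dst, ident=1, seq=1):
    """Build a raw IPv4 + ICMP echo request. The caller chooses the source
    address, which is exactly the freedom a Smurf drone abuses."""
    payload = b"constructed-sample"
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = struct.pack("!BBHHH", 8, 0, checksum(icmp), ident, seq) + payload
    total_len = 20 + len(icmp)
    fields = [0x45, 0, total_len, 0, 0, 64, 1, 0,
              ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = checksum(ip_hdr)          # fill in the header checksum
    return struct.pack("!BBHHHBBH4s4s", *fields) + icmp


def parse_packet(packet):
    """Return (src, dst, protocol, icmp_type) from a raw IPv4 packet; icmp_type is None unless protocol is ICMP."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    icmp_type = packet[ihl] if proto == 1 and len(packet) > ihl else None
    return src, dst, proto, icmp_type


def bcp38_egress_verdict(packet, served_prefixes):
    """RFC 2827 filter at the edge nearest the sender: a packet leaving a customer
    network must carry a source address from that network, or it is dropped."""
    src, _, _, _ = parse_packet(packet)
    if any(src in net for net in served_prefixes):
        return "forward"
    return "drop: spoofed source %s" % src


def directed_broadcast_verdict(packet, local_net):
    """Amplifier-side defence: a border router should never deliver an ICMP echo
    request addressed to the network's directed-broadcast address."""
    _, dst, proto, icmp_type = parse_packet(packet)
    if dst == local_net.broadcast_address and proto == 1 and icmp_type == 8:
        return "drop: echo request to directed broadcast %s" % dst
    return "forward"


def smurf_amplification(local_net):
    """Replies one broadcast ping can generate: every usable host address on the LAN."""
    return local_net.num_addresses - 2


# A drone inside the ISP's customer block forges the victim's address as source
# and aims the ping at the amplifier LAN's broadcast address (constructed sample).
SPOOFED_PING = build_icmp_echo_request(VICTIM_DNS, str(AMPLIFIER_LAN.broadcast_address))
# A genuine ping from the same drone, with its own address as source (constructed sample).
HONEST_PING = build_icmp_echo_request("203.0.113.7", "198.51.100.10")

if __name__ == "__main__":
    for name, pkt in (("spoofed", SPOOFED_PING), ("honest", HONEST_PING)):
        print(name, "at ISP edge:", bcp38_egress_verdict(pkt, ISP_CUSTOMER_PREFIXES))
        print(name, "at amplifier border:", directed_broadcast_verdict(pkt, AMPLIFIER_LAN))
    print("replies per broadcast ping:", smurf_amplification(AMPLIFIER_LAN))
```

The spoofed packet is dropped at either of two places: the drone's own ISP, because its source address is not one the ISP assigned to that customer, or the amplifier's border router, because it is a ping to a broadcast address. The honest packet passes both checks, which is the point of RFC 2827: the filter is cheap and harms no legitimate traffic, but it only helps if the network nearest the drone applies it.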
Have your say: contact IT Week