DNS attack puts in perspective

With more business apps running online, it's time to shore up DoS prevention measures

A few years ago, I had the privilege of seeing some root DNS servers in action at VeriSign's main headquarters. It's something I had wanted to do for over a decade, and I was literally slightly shaking with excitement (yes, I am that big of a geek).

Physical security was high. It took three-factor authentication to get me past the two mantraps and the bomb-blast protected walls. My escort had to use handprint geometry, a PIN, a smart card, and a retinal scan to get me into the inner sanctum.

Turns out VeriSign's DNS root servers at this location are composed of two physically separate, 10-high stacked, 1U pizza-box-style IBM eServers (VeriSign said they tested many different servers, and IBM's gave them the best performance per dollar), running Solaris and Red Hat Linux. Not surprisingly, they don't run BIND and keep things intentionally diverse to protect against a platform-specific attack.

Watching the network lights rapidly blink under millions of transactions per second was a blast. Did I mention I was a geek?

Although I've walked into hundreds of high-security centers since, I've always remained impressed with the VeriSign walk-through. It wasn't too many years ago when some of the (US) east coast DNS servers were reported as being stored in a elevator storage running inside a parking garage.

The DNS infrastructure has come a long way since then and is no longer under threat of being rammed by a car. Unfortunately, physical attacks are the easy ones to stop. The Internet's global DNS infrastructure recently experienced its first huge widespread DoS attack since the Oct. 21, 2002 incident . This year's attack happened on February 6 and only involved three of the Internet backbone's 13 root DNS servers (the 2002 attack targeted all 13).

I discussed the recent attack with VeriSign's chief security officer, Ken Silva. He said that the attack focused on root servers G (maintained by the U.S. Department of Defense) and L (maintained by ICANN), and to a lesser extent, M (maintained by Japan). During the 12-hour attack, nearly 90 percent of legitimate queries to those servers were being dropped.

That's a lot worse than I had been led to believe by other news sources. I hadn't questioned the other sources because I, like most people I know, didn't even notice the attack until it was over and had made headlines.

Silva said a couple of things made this attack less threatening than it could have been. First, as stated above, it only affected three of the 13 root servers. I asked if the attackers had decided to attack all 13 servers at once if the results would have been worse.

"Yes," he replied without missing a beat. "Some phases of the attack contained more than 1Gb of malformed data per second. Normal traffic is a half a million queries per second, or about 26 billion requests per day." These attack loads were significant enough that any DNS server would suffer even with anti-DoS protections put in place.

Second, Silva said the attacks were "plain" malformed DNS requests from spoofed IP addresses. They weren't reflection or amplification attacks, which can saturate bandwidth even more.

Third, much of information served up by the root servers is often cached on downstream DNS servers locally. Most of the traffic to the root servers comes from newly started DNS servers when new top level domains that aren't already cached need to be resolved. Silva said that if the attacks had been directed at the top level domain .com resolution servers, where over 50 million .com domain names are stored, the pain would have been worse.

Finally, VeriSign and most other players have added significant server power and bandwidth since the 2002 attack. Most of the DNS root servers may be listed as one IP address, but in most cases, they are made up of many more servers. The Anycast protocol they use allows multiple computers to share one IP address; the downstream requesting client gets the closest logical DNS server.

I asked Silva what it would take to stop spoofed DoS attacks. "ISPs need to perform egress filtering and stop spoofed packets," he said. "There is an ongoing proposal called BCP 38 that addresses egress filtering."

Still, until we get the majority of ISPs to participate, spoofed IP attacks will continue. "Right now, our biggest defense is over-capacity," explained Silva. "All the DNS providers keep trying to build so much capacity that even the large attacks against the DNS structure are minimal by comparison. In the year 2000, we had a billion legitimate requests a day. Now it's 26 billion. We predict it will be 200 billion requests per day by 2010."

With both legitimate use and attack traffic in mind, VeriSign just announced an increased scaling initiative called Project Titan. It plans to increase DNS throughput tenfold by 2010 -- a "10,000-fold increase since 2000," noted Silva.

VeriSign knows a little something about scaling, and it has to. For one, it manages the first 10 of the 13 DNS root servers (A through J), resolving top-level domain .com and .net traffic. Plus, Verisign offers directory services for more than DNS; it has the exclusive RFID directory service contract to help the Wal-Marts of the world track medicines and inventory. Its near-term scale will be in the trillions of transactions per day.

Despite all this, attack traffic is currently growing even more aggressively than legitimate traffic -- up 150 fold since 2000, said Silva. This is a concern because the DNS infrastructure, which has been badly in need of a security makeover for two decades, is now used for a lot more than Web surfing and e-mail. Like it or not, VoIP applications, IP TV, cell phones, mission-critical communication links, and data repositories are now using the Internet for real-time business. If the Internet goes down today, it's going to affect far more than just your ability to check into MySpace or YouTube.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Roger A. Grimes

Roger A. Grimes

Computerworld
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?