Monday, March 12, 2007
New shield foiled Internet backbone attack
An attack in early February on key parts of the backbone of the Internet had little effect, thanks to new protection technology, according to a report released this week.
The distributed denial-of-service attack on the Domain Name System proved the effectiveness of the Anycast load-balancing system, the Internet Corporation for Assigned Names and Numbers said in a document published Thursday. ICANN regulates Internet domain name and address registration and operates one of the main so-called root DNS servers.
"The Internet sustained a significant distributed denial-of-service attack, originating from the Asia-Pacific region, but stood up to it," according to the ICANN document, which attributed the Internet's fortitude to Anycast's routing of traffic to the nearest server.
DNS serves as the address book for the Internet, mapping text-based domain names to the actual numeric IP addresses of servers connected to the Internet, and vice versa. A distributed denial-of-service attack seeks to bring targeted servers down by sending an onslaught of traffic from multiple sources, typically compromised PCs.
During the attack, which lasted almost eight hours, six of the 13 root servers that form the foundation of the Internet's DNS were targeted, ICANN said. However, only two were noticeably affected. These two did not have Anycast installed because the technology was still being tested, ICANN said.
"With the Anycast technology apparently proven, it is likely that the remaining roots--D, E, G, H and L--will move over soon," ICANN said. The letters refer to the five of the 13 official root DNS servers that do not yet have Anycast installed.
The root DNS servers sit at the top of the DNS hierarchy and get queried only if other DNS servers, like those at an Internet service provider, don't have the right address for a specific Web site. The 13 root servers are spread out across the globe and are represented by physical servers in more than 100 places geographically.
Anycast was developed after a similar denial-of-service attack hit the DNS root in 2002. That attack managed to swamp nine of the 13 root servers. "The Internet continued to run but it was a wake-up call for the root server operators," who set out to develop Anycast, ICANN said.
If the DNS system goes down, Web sites would be unreachable and e-mail undeliverable. But DNS is built to be resilient, and attacks on the system are rare.
ICANN has yet to determine the exact techniques used in the February attack. The incident will be discussed at a meeting of DNS root server operators later this month, the organization said.