Analysis of the February denial-of-service attack on the root servers that help manage worldwide Internet traffic shows that a combination of efforts, including using Anycast and communicating nonstop during the attack, kept the servers up and running.
ICANN released a report that analyzes what happened during the attack, which servers were hit the hardest, and what kept them running. The report notes that it's still early to know the exact method used during the attack but more information about it should come out at a meeting of root server operators later this month.
ICANN is the group responsible for the global coordination of the Internet's system of identifiers, including domain names, the addresses used in a variety of Internet Protocols.
While it was widely reported that the attack originated in South Korea, the report says it's only been narrowed down to the Asia-Pacific region. Since a large botnet was used to try to flood the root servers, the report notes that they could have been scattered around the world and the trigger could have come from anywhere.
"Because of the way the attack worked, it arrived like a brick wall, which immediately set off all the alarms built into the network," the report states. "In this case, it was clear almost immediately that it was a distributed denial-of-service attack."
Early in February, the 13 root servers were hit by a DoS attack that nearly took down three of them. Analysts say the hackers' used possibly millions of zombie computers to wage the attack -- and they expect that army is populated with the desktops and laptops of unknowing users around the world.
The roots are central machines on the Domain Name System. They're akin to directory assistance for the Internet. The system converts the URLs into numeric addresses, which are then used to route traffic from one computer to another. If the root servers had been taken down for a significant amount of time, it could have crippled Internet traffic. That wasn't close to happening during the February attack.
While they're referred to as the 13 root servers, there are many more computers involved. Each so-called server actually refers to an IP address, which can front many computers. Alan Paller, director of research at the SANS Institute, says they don't generally discuss how many computers are involved as a security precaution.
Analysts say the three root servers that were so greatly affected in the recent attack most likely were standalone servers. The other 10 had multiple machines and that most likely helped them fare better during the attack.