ICANN: Anycast And Communication Foiled February's Root Server Attack 2

ICANN's evaluation analyzes what happened during the attack on the root servers, which ones were hit the hardest, and what kept them running.

Sharon Gaudin, Contributor

March 13, 2007

5 Min Read

Analysis of the February denial-of-service attack on the root servers that help manage worldwide Internet traffic shows that a combination of efforts, including using Anycast and communicating nonstop during the attack, kept the servers up and running.

ICANN released a report that analyzes what happened during the attack, which servers were hit the hardest, and what kept them running. The report notes that it's still early to know the exact method used during the attack but more information about it should come out at a meeting of root server operators later this month.

ICANN is the group responsible for the global coordination of the Internet's system of identifiers, including domain names, the addresses used in a variety of Internet Protocols.

While it was widely reported that the attack originated in South Korea, the report says it's only been narrowed down to the Asia-Pacific region. Since a large botnet was used to try to flood the root servers, the report notes that they could have been scattered around the world and the trigger could have come from anywhere.

"Because of the way the attack worked, it arrived like a brick wall, which immediately set off all the alarms built into the network," the report states. "In this case, it was clear almost immediately that it was a distributed denial-of-service attack."

Early in February, the 13 root servers were hit by a DoS attack that nearly took down three of them. Analysts say the hackers' used possibly millions of zombie computers to wage the attack -- and they expect that army is populated with the desktops and laptops of unknowing users around the world.

The roots are central machines on the Domain Name System. They're akin to directory assistance for the Internet. The system converts the URLs into numeric addresses, which are then used to route traffic from one computer to another. If the root servers had been taken down for a significant amount of time, it could have crippled Internet traffic. That wasn't close to happening during the February attack.

While they're referred to as the 13 root servers, there are many more computers involved. Each so-called server actually refers to an IP address, which can front many computers. Alan Paller, director of research at the SANS Institute, says they don't generally discuss how many computers are involved as a security precaution.

Analysts say the three root servers that were so greatly affected in the recent attack most likely were standalone servers. The other 10 had multiple machines and that most likely helped them fare better during the attack. According to the ICANN report, though, a new technology called Anycast had been implemented on the 11 servers that faired well and it was a major reason they held up against the barrage of queries being sent in by the botnet used in the DoS attack. Anycast is a technology that enables many servers in different locations to act as if they are all together in the same place. It's a method of load balancing, spreading the load of the attack amongst themselves.

"It's what made the difference," says Alan Paller, director of research at the SANS Institute.

At least six of the 13 root servers were attacked, according to the report, but only two of them were noticeably affected: g-root, which is run by the U.S. Department of Defense and is located in Ohio, and l-root. Neither one was using Anycast.

The report notes that the engineers who run the root servers had made a specific decision to not use Anycast on every single server, so had left it off of g-root and l-root on purpose. "Common practice among Internet engineers across the globe is to make sure that the systems they use vary so that there is no single point of failure," the report states. "For example, many of the normal DNS servers that companies and even individuals run are built on top of Windows, but others are on Linux, some are on Mac OS X, some are on NetWare, Unix, OS/2 and so on... If everyone ran the same software on the same operating system, there is the risk that a specific security hole could take down the whole system. Running a wide variety hugely reduces that risk."

However, the report goes on to say that since Anycast proved itself so well, it will be moved onto all of the roots.

Sergey Bratus, a senior research associate with the Institute for Technology Studies at Dartmouth College, noted that the root engineers had needed to see how Anycast would hold up under a major attack. Once the technology proved itself, they became confident enough to use it everywhere.

The report goes on to note that Anycast wasn't the only thing keeping the attack at bay and keeping Internet traffic flowing without pause. First off, engineers in charge of the roots around the globe maintained ifairly constant communication, sharing information about the attack and ways they were battling it. "It's the only way they can act," says Paller. "If they don't have data about what's happening elsewhere, how will they know how to act? They've got to communicate."

And the engineers also employed two different defenses.

First off, they tried to basically suck up the extra queries by adding extra bandwidth as the attack was coming in. That made room for the legitimate queries to make their way through the deluge of fraudulent queries. And while they did that, they also tried to find patterns in the malicious queries coming in an effort to filter them out, cutting the attack off at the knees.

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights