DNS Root Servers Fell Under Brief Attack

On February 6, some of the root DNS servers that provide the backbone for the Internet's global domain name system fell under attack. Five root servers felt the brunt of the attack. Security solution provider Sophos said that the attacks were confirmed by NeuStar UltraDNS, which manages DNS for more than 15 million domains through its Ultra Services platform.

Sophos thinks the attack was made possible by "botnets" that were built on the computers of unsuspecting users. The company also said that some reports indicate that a majority of the traffic originated in South Korea. Since root servers provide the master catalogs of which DNS servers provide service to specific domains, any attack that could bring them down would effectively cripple parts of Internet.

"If the DNS servers were to fall over then pandemonium would ensue, emphasising the importance of properly defending all PCs from being taken over by hackers," said Graham Cluley, senior technology consultant at Sophos. "A denial-of-service attack like this swamps web-connected servers with traffic from many computers around the globe. It's a bit like twenty hippos trying to get through a revolving door at the same time - there's no route through and everything clogs up. Fortunately the system is designed to be extremely resilient to these kind of attacks, and the average man in the street won't have noticed any impact."

Réseaux IP Européens (RIPE), an organization that "ensures the administrative and technical co-ordination necessary to enable the operation of the Internet" within Europe, monitors root server DNS traffic and response times. A snapshot of DNS traffic provided by RIPE for the week of February 5 shows that two of the root servers--g.root-servers.net (G server) and l.root-servers.net (L server)--fell under tremendously heavy loads. As seen in the graphs, the two servers failed to respond to a high number of queries--at some points, as many as 90 percent of DNS queries went unanswered.

The attack started at approximately 10 a.m. Coordinated Universal Time (UTC) and continued nonstop until shortly before noon, at which point, the attack began to taper off over the next several hours. Overall, the attack lasted approximately 12 hours with the L server being hit more severely than the G server.

A previous attack against the root name servers took place in October 2002. As a result of that attack, RIPE, which manages the K root server, installed 17 mirrors around the world to help ensure reliability of that server.