Hackers Launch Massive Attack on Internet DNS
Feb 7, 2007 1:59 PM PT
Hackers on Tuesday launched a denial-of-service (DoS) attack against at least three of the 13 root servers that maintain the Internet's domain name system (DNS).
The attacks, which lasted for 12 hours, reportedly targeted the server that maintains the dot-org suffix, and the servers at the Department of Defense and the Internet Corporation for Assigned Names and Numbers.
The attacks were largely unsuccessful -- and reportedly less serious than a similar attack in 2002 -- as most Internet users hardly noticed any impact. The DNS' resilience is largely due to robust protection and a high degree of redundancy built into it, including algorithms designed to balance unusually high levels of traffic.
"This is a high-profile target, so there are a lot of measures in place to protect it," Zulfikar Ramzan, senior principal researcher with Symantec Security Response, told TechNewsWorld. "If the attack had been successful, it would have been a different story."
The shoring up that groups did after the previous attacks "clearly worked," Matt Sergeant, senior antispam technologist at MessageLabs, told TechNewsWorld. "They have been readjusted and redistributed so an attack will be more widespread than just concentrated on a specific server."
Little concrete information has been released about the attacks. Presumably, the involved organizations are still analyzing the data.
"No one is talking about it," Dave Kennedy, senior risk analyst for Cybertrust, told TechNewsWorld. "No one is asking for help."
In this environment, speculation, rumors and misinformation have been rampant. For instance, it has been reported that the bulk of the attacks emanated from South Korea.
"We don't understand why South Korea is being blamed because from what we are seeing it is not them," Kennedy stated. "I have seen other reports that said [attacks from] China [are] playing a bigger role."
Reports also vary about the severity of the attacks. "There have been some exaggerations from what I can tell," he noted. "The servers were never down. They may have been unreachable in some places but that was more a result of the servers protecting themselves during the attack."
More than likely, the hackers used a bot network, or zombie computers, to carry out the attacks, Ramzan said. "Individual computer users should make sure they are not an accessory to such acts" by maintaining proper security.
Unfortunately, Sergeant commented, bot networks are easily available. "The hackers could have created their own or bought a network for a few hundred dollars."
Speculation About Intent
There is also no shortage of speculation on the intent of the attacks, and the fact that the attacks occurred on Safer Internet Day did not escape notice.
Kennedy pointed out that the attacks coincided with the North American Network Operators' Group annual meeting, held this year in Toronto. Another DoS attack in 2000 also occurred during the group's meeting, he said.
It's also possible the attacks were committed for a hacker or a group of hackers to show someone in their circle what they can do, Kennedy stated.
However, if that were the case, it's unlikely that there would be repeat demonstrations, at least on a regular basis, he said.
Hackers and malware writers need the Internet to do business themselves -- not only to communicate but also to run online scams, Kennedy contended.
"There is little point for them to bring it down. ... Generally, though, it is hard to get into the heads of hackers and try to figure out what motivates them," he said.
The most obvious motivation is financial gain -- the main driver behind most malware on the Internet today. Assuming everything had gone the hackers' way, in fact, they could have made more money than any malware writer had made before.
If the hackers had gained control of the servers, they could have begun rerouting traffic and performing sophisticated pharming attacks, Randy Abrams, director of technical education at antivirus software firm Eset, told TechNewsWorld.
A user would type in an address and get rerouted to a different address without realizing it in this scenario. Online banking, as an example, would probably be a key target.