Attackers Target Internet Root Servers

In the largest coordinated attack against the core of the Internet since 2002, attackers managed to briefly overwhelm three of thirteen core servers. Did you notice?

Although the motivation for the attack remains unknown, early Tuesday attackers launched a distributed denial-of-service attack against the Internet’s core DNS servers, which are ultimately responsible for converting human-friendly site names (like www.digitaltrends.com) to IP numbers (like 209.85.60.103) which computers, routers, and software uses behind the scenes. Think of DNS as the ever-updating address book for the millions of machines on the Internet.

Three of the thirteen top-level root servers—one operated by ICANN, one by the U.S. Department of Defense, and one by UltraDNS—were briefly overwhelmed with the flood of bogus traffic pointed at them from hordes of so-called “zombie” computers around the world, although none of the three ever stopped working entirely. The remaining root servers were unaffected, and, for the most part, Internet users never noticed a major attack was underway. The incident serves as an illustration of the age-old tenet of the Internet’s design to route around damage: the DNS system is decentralized, such that if one host goes offline or becomes unavailable, remaining hosts take over the load.

“These zombie computers could have brought the web to its knees, and while the resilience of the root servers should be commended, more needs to be done to tackle the root of the problem—the lax attitude of some users towards IT security,” said Graham Cluley, senior technology consultant at Sophos, in a statement. “Society is almost totally reliant on the Internet for day-to-day communication—it’s ironic that the people who depend on the web may have been the ones whose computers were secretly trying to bring it down.”

Reports indicate that the attack’s origin and coordination of zombie computers may have taken place in South Korea; however, the nature and motivation of the attackers remains unclear. Denial-of-service attacks are typically used by cyber-criminals as an extortion mechanism: they take control of a zombie network and use it to flood a key router, server, or single point of failure for a network provider or business such that the organization’s Internet connectivity grinds to a halt or the server’s crash under the load. Once the attack is underway and proven effective, they blackmail the organization, offering to call off the attack in exchange for cash or other demands. Many organizations targeted by such attacks never go public for fear of damaging their reputation.