By Brian Krebs and David McGuire
washingtonpost.com Staff Writers Wednesday, October 23, 2002; 7:06 PM
Monday's attack on the 13 computer servers that manage the world's Internet traffic was the first of two assaults, according to officials at the companies that were affected.
Just after 5 p.m. EDT on Monday, a "distributed denial of service"
(DDOS) attack struck the 13 "root servers" that provide the primary
roadmap for the Internet. The second attack started several hours later and targeted a different kind of Internet server.
DDOS attacks are intended to overwhelm networks with data until they
fail.
The first attack, which lasted an hour, targeted all 13 of the root servers that form the core of the worldwide Domain Name System, which converts numeric codes into the words and names that form e-mail and Web addresses. Some of the servers failed intermittently, but Internet users were largely unaffected due to redundant nature of the root-server system, experts said.
The second attack, say sources familiar with the incident, targeted "name"
servers that direct Internet users to more specific online locations.
Those servers house Internet domains such as dot-com, dot-biz and dot-info, and
country code domains such as Great Britain's dot-uk and Canada's
dot-ca.
"At around 11 (p.m. EDT), the whole thing started over again, this
time switching to the global (name) servers," said Chris Morrow, a network
security engineer for UUNET, in an interview Tuesday. A unit of
WorldCom Inc., UUNET handles roughly half of the global Internet
traffic and is the service provider for two of the 13 root servers.
VeriSign, which manages the servers for the dot-com, dot-net and
dot-org domains, tracked attacks against all of its name servers
beginning around 10 p.m. Monday, company spokesman Brian O'Shaughnessy
said.
VeriSign also operates two of the 13 root servers that were targeted
in the first attack. Neither VeriSign's root servers nor its name
servers were taken down in the attacks, O'Shaughnessy said.
"We experienced an attack on our name-server constellation and we
dealt with it the same way we dealt with the previous attack on our root
servers," he said.
Dublin-based Afilias Ltd. also reported having its "dot-info" name
servers struck late Monday, but Afilias spokeswoman Heather Carle said
the company was able to easily repel the attack. "We're able to
internally balance the load from any hits our DNS server takes," she
said.
Afilias operates dot-info, one of seven newer domains created to ease
crowding in the popular dot-com, dot-net and dot-org domains.
If all of the name servers for any domain were crippled long enough,
users would start having difficulty reaching addresses within those
domains. Most name and root servers are designed with enough back-up
capacity that such an attack would be very difficult to execute.
The White House's Office of Homeland Security and the FBI are
investigating Monday's cyber attacks, but have declined to speculate on who might
have been responsible. It is also not clear whether the same source was to blame for the separate attacks on root and name servers.
At a press conference today, White House Press Secretary Ari Fleischer
sought to downplay speculation that the strikes were carried out by
terrorists.
"I'm not aware there's anything that would lead anybody to that direction," Fleischer said. "History has shown that many of these attacks actually come from the hacker community."
It is difficult to discover the identities of DDOS hackers because the computers they use to mount the assaults usually are commandeered -- either manually or remotely -- and programmed to carry out the attacks. These computers often belong to unsuspecting home users.
Experts say the only way to trace the attacks to their true source is
to deconstruct the data packets used in the assault as it is
happening. According to Gordon Johndroe, spokesman for the Office of
Homeland Security, the FBI was able to "monitor the attack while in
progress."
UUNET's Morrow said a successful investigation ultimately could hinge on
boasts made in the hacker community.
"I don't think anyone knows who's responsible for this yet," Morrow
said. "Somebody might blather about it in a couple months, and that's
probably the only chance have of finding out who did it."
