Internet.com ISP-Planet

Delivering DNS Protection

Tuesday evening's distributed denial of service (DDoS) attack on the 13 copies of the U.S. root server should serve as a warning to every company employing DNS, said the inventor of the technology.

by Jim Wagner
Managing Editor ISP-Lists
[October 25, 2002]

Paul Mockapetris, who was one of the primary architects of the DNS project and currently serves as chief scientist at Nominum, a DNS consulting and management firm, said there is nothing in particular a company can do against a threat as unsophisticated—yet effective—as a DDoS using ping floods.

Essentially, ping flooding—the unceasing transfer of ping requests to a DNS server from any number of computers—is like a brute force attack on a password or algorithm. The constant barrage inevitably leads to a breach, or in the case of the U.S. root servers, a slowdown or shutdown.

"There are more sophisticated attacks that are possible, and I think that's really the danger from the standpoint of the root system," Mockapetris said.

The Internet Corporation for Assigned Names and Numbers (ICANN) entrusted 13 organizations with copies of the U.S. root server, the backbone for .com, .net, .org, and others. According to Mary Hewitt, ICANN spokesperson, the organizations at the affected sites were running the latest security.

"I think the fact the servers were only down for an hour at the most says something about our security," she said.

While there's not much a company can do against a DDoS, what people need to watch out for, Mockapetris said, is the sophisticated attacks that aren't always as easy to spot. In the case of ping flooding, the attack is usually signaled by a massive influx in traffic, easily visualized in a data traffic report.

Other attacks are far harder to spot. DNS cache poisoning happens when an attacker spoofs cache information and redirects a network connection or blocks access. IP sequence prediction attacks, on the other hand, grab the IP packet sequence number from the victim's machine and trick the machine into thinking it is talking with a legitimate server. From there, the attacker can run the server.

Mockapetris recommends every company check to make sure their DNS server has the following:

  • A backup copy of the root server in case the "live" copy is compromised.
  • The necessary infrastructure in place, so that if a company is brought down by a DDoS it doesn't affect the entire network. Mockapetris suggests a separate server for intranet communications.
  • Spare capacity. Prepare in advance for a DDoS attack by having twice as much capacity available as is used on a daily basis. That won't always work, he said, because Tuesday's attacks spiked at 10 times the normal capacity, but any extra capacity will help.
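As an added illustration of the spare-capacity advice (this is not code from the article or from Nominum), the following Python sketch derives a normal daily load from constructed per-minute request counts, provisions twice that baseline, and flags the minutes where a surge exceeds it, reporting the peak as a multiple of normal load.

```python
"""Capacity headroom check for a DNS server: provision 2x the normal daily
load and flag any traffic surge that exceeds it. All counters below are
constructed sample data, not real measurements."""
from statistics import median

# Constructed per-minute request counts for one quiet day (1440 minutes).
BASELINE_DAY = [1_000 + (i % 7) * 20 for i in range(1440)]

# Constructed per-minute counts during an incident: normal load, then a
# five-minute surge at roughly 10x the baseline, then normal again.
INCIDENT = [1_040] * 10 + [10_600] * 5 + [1_060] * 10


def daily_baseline(samples):
    """Typical load: the median of per-minute counts, so short spikes in the
    reference day do not inflate the baseline."""
    return median(samples)


def provisioned_capacity(baseline, headroom=2.0):
    """Capacity to provision: `headroom` times the normal daily load."""
    return baseline * headroom


def flag_surges(samples, capacity, baseline):
    """Return (minute_index, count, multiple_of_baseline) for each minute whose
    load exceeds provisioned capacity: the influx a traffic report would show."""
    return [(i, n, round(n / baseline, 1))
            for i, n in enumerate(samples) if n > capacity]


def headroom_report(baseline_samples, incident_samples, headroom=2.0):
    """Summarise whether the provisioned headroom would have absorbed the
    observed traffic and how far above normal the peak minute went."""
    base = daily_baseline(baseline_samples)
    cap = provisioned_capacity(base, headroom)
    surges = flag_surges(incident_samples, cap, base)
    return {
        "baseline": base,
        "capacity": cap,
        "over_capacity_minutes": len(surges),
        "peak_multiple": round(max(incident_samples) / base, 1),
        "headroom_sufficient": not surges,
    }


if __name__ == "__main__":
    print(headroom_report(BASELINE_DAY, INCIDENT))
```

With the constructed data, the 2x provisioning absorbs the quiet day but not the surge, which peaks at 10.0 times the baseline; raising the headroom factor shows how much capacity that particular surge would have needed.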

DNS is one of those unglamorous areas of IT that nobody thinks much about until something goes wrong. Case in point: last year Microsoft.com was brought to its knees for almost a week because an attacker found a point of weakness in the company's DNS.

The cause of the collapse? A flaw in the company's DNS infrastructure: only one router stood between Microsoft's internal network and its Internet connection. Shutting down the site was the relatively easy matter of finding a weakness in that one router. Although Microsoft had many servers segmenting its network, a single DNS setup handled all the different network segments.

Related articles:
  [Oct. 24, 2002] Massive DDoS Attack
  [Sept. 27, 2002] DNS Server Choices Broaden
  [Jan. 27, 2001] Bad Week for Bill