The recent attack on all 13 domain name root servers, along with a recently released paper, has intensified the debate as to whether it is theoretically possible to completely shut down the Internet. The DNS attack successfully shut down seven of the servers for approximately an hour at the end of October.
Long viewed as the Mount Everest of the denial of service attacks, there had, until a few weeks ago, never been a successful simultaneous denial of service (DoS) attack on all of the domain name root servers (DNS). Where the debate rages now is whether this is a sign of things to come or a one-off attack which did little damage.
The root name servers, had they all been successfully shut down for a period of hours, would probably have had little effect on the Internet's overall efficacy, according to one expert.
"Your Internet provider probably caches 98 percent of what you need, so you don't (often) make a hit to the root (server)," said Bernard Turcotte, Montreal-based of the Canadian Internet Registration Authority. In fact the DNS root servers are really only used when an ISP has no idea where to go. For example, if someone types in torontostar.ca, in theory the request could go to a root server if your ISP and the Canadian zone file servers had no idea where .ca was, Turcotte explained. Though this is highly unlikely, he added.
"Your ISP, at worse case, will send it to our (Canadian) zone file servers, which are the phonebook for .ca," he said.
"Attacking the root servers is not going to shut the Internet down," said Simon Perry, vice-president, of security solutions with Islandia, N.Y.-based Computer Associates International Inc. If the attack could be sustained for hours (which, he pointed out, would require substantial computing firepower), it would, at most, slow access down, he said.
It took until 2002
Those who argue the attack was a one-off say the inherent structure of the Internet and the heat of the law is enough to stop future attempts.
"The Internet worked the way it is supposed to and it didn't go down even with some people trying to be really nasty," Turcotte said.
A spokeswoman for Microsoft Corp.'s MSN Internet service said it had not noticed any slowdown in traffic during the DNS DoS attack.
By "attacking the root zone file server, you will not only get the FBI and the CIA on your butt, you will probably get the security services of all the major governments in the world looking for you," Turcotte explained. "You want to pick your targets if you are going to do this kind of stuff you don't want severe heat on yourself."
The U.S. Federal Bureau of Investigation's National Infrastructure Protection Center "is aware of the matter" and is "addressing" it, said Steven Berry, a supervisory special agent with the FBI's press office.
Turcotte doesn't see this as a sign of things to come. "Someone was finally successful at doing this specific style of attack on this specific target," he said. But they weren't amateurs either. "They haven't caught them yet, so they weren't that stupid."
Perry, is inclined to agree but with a caveat. "Using current techniques it would be very difficult to completely shut the Internet down," he said. The caveat being current techniques. This is where the recently released paper, entitled How to own the Internet in your spare time, comes in. It was published by three individuals from Silicon Defense, ICSI Center for Internet Research and UC Berkeley.
The paper, Perry explained, tells how a properly created worm could, in theory, shut down the Internet.
The attack would require a worm such as Code Red or Nimda but with very specific, and as of yet never designed, attributes. First of all, it would require a payload to turn infected machines into zombies capable of launching a large scale DoS attack. Secondly, the worm would have to search for a specific vulnerability at a specific range of IP addresses, what is called targeted propagation. Random propagation, similar to Code Red, increases the likelihood of it getting noticed while not increasing the worm's ability to launch an attack. Specific ISP hosts would need to be infected for the theoretical attack to work, Perry said.
This is called hit list scanning, Perry explained, and were it to be successful, "such a worm could arguably subvert upwards of 10 million Internet hosts in a very short time."
With a coordinated payload to launch a distributed attack, after say 10 million machines were infected, it could work, Perry said.
"That could generate enough traffic to actually shut the Internet down."
But Perry is quick to add that it is nothing more than a theory.
-- With files from the IDG News Service.