Last week's distributed denial-of-service (DDoS) attack on the Domain Name System (DNS) root server system got the attention of the Internet Corporation for Assigned Names and Numbers (ICANN), the U.S.-created private group that is charged with ensuring the stability and security of the DNS.
ICANN, which has been increasing its focus on security issues since the Sept. 11 terrorist attacks, formed a security committee to examine what can be done to improve DNS system security.
Internet pioneer Stephen Crocker, who helped develop protocols for Arpanet, the original network that became the basis for the Internet, chairs that committee. Crocker will be discussing the DDOS attacks at ICANN's annual meeting in Shanghai next week, and in an interview with Computerworld reporter Patrick Thibodeau, he assessed the impact of the recent attack and outlined some of the options for improving DNS security.
Q: What's your assessment of the DoS attack?
A: There is good news and complications here. There are 13 root servers. Some of them were effectively out of service for a while, but the impact on the whole community was negligible. Further good news is that a number of the servers were very, very well set up, well provisioned, have first-class staffs who rose to the occasion and worked very hard to stave off the effects of the attack and stay up in service.
In a sense, one can say, the defenses were tested and it turns out that the system is pretty good. The impact on the community was pretty modest.
Q: What's the bad news?
A: Does that mean we should all sleep soundly? Not really; suppose the attack was bigger or lasted longer?
I think the result there is somewhat nuanced. It's the nature of the DNS service that because there is a lot of caching [in other DNS servers], most of the world would go on pretty well for a long time, for a day or so, before there would be much degradation -- if all the servers went down.
If an attack went on for a day, vastly more resources would be brought to bear. It would be expensive, but I still think the impact on the community would have been relatively modest.
Q: How was the attack conducted?
A: There are two elements to an attack like this: the amount of traffic sent, and how long it goes on for. At the level of traffic that was generated, which was quite substantial, it effectively stopped some of the servers from responding because they were overwhelmed with noise and not real traffic. But enough of them continued to operate and provide service anyway, and they could have done that indefinitely.
To effectively stop service, you would have to have a much larger and somewhat more sophisticated attack. I don't want to get into the details, but there is some evidence that this was not the most sophisticated possible attack.
Q: What are the lessons learned from this attack?
A: There are some old lessons that are just evident again. This doesn't teach us anything we didn't know before. As with any attack, it reminds us that we need to make some progress. We shouldn't say everything is fine and expect the system to survive indefinitely. There will be other attacks, and they'll be more sophisticated and they'll be more massive.
Q: Where is improvement needed?
A: There are three areas for improvements. They range from relatively easy to relatively hard to do, and range from useful to more important.
The first is improving the core protocols and service for DNS, and second, tightening up the Internet against DDOS attacks by having the Internet service providers impose some discipline and authentication on the hosts. In today's Internet, it's relatively easy for a host to lie about its address and send packets with misleading return addresses. It's possible to fix this.
As part of tightening up the basic DNS system, we need to deploy the DNS security protocol [DNSSEC, a security protocol intended to improve data origin authentication] and create a wider set of implementations of BIND [the Internet Software Consortium's Berkeley Internet Name Domain server software used for DNS]. I hasten to add that lack of diversity is not actively causing any harm, and the main reason for wanting diverse implementations is general good practice. On the other hand, we do know that many people are running obsolete versions of BIND, and the older versions are known to have critical bugs.
Q: The third problem?
A: What I think our biggest problem globally is, is off-the-shelf computers. The minute you plug them in they are susceptible to being enlisted unwittingly to a DoS attack. And I don't understand why that's OK. To have that same computer be used to attack someone else, it's a public nuisance issue. Computers should not be wide open.
Q: Will this incident accelerate the work of the ICANN security committee?
A: I think we're pretty motivated. The attack acts as a certain amount of stimulus, but there is not enough new information in this. I think it's kind of a reflected effect. We recognize that because something like this happens, it causes other people and the media to take notice, and that increases the pressure and perhaps increases the opportunity.
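Editor's added example (not part of the interview and not Crocker's words): the "discipline" he describes in the second improvement area is what providers call ingress or source-address filtering, documented in BCP 38. The idea is that an access router knows which address blocks each customer interface was assigned, so a packet arriving on that interface with any other source address is spoofed or misrouted and can be dropped before it reaches the Internet, which removes the forged return addresses that amplified and hid the root-server attack. The script below models that check in Python on constructed packets; the interface names, the prefix assignments (all from documentation address ranges) and the sample packets are assumptions made for illustration.

```python
"""Ingress (source-address) filtering at a provider edge, in the spirit of BCP 38.

Constructed example: an access router has customer-facing interfaces, each
assigned the prefixes its customer may send from. A packet whose source
address falls outside its ingress interface's prefixes is dropped.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical customer assignments: interface name -> prefixes it may source from.
# Documentation ranges (RFC 5737 / RFC 3849) stand in for real allocations.
INTERFACE_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}


@dataclass(frozen=True)
class Packet:
    ingress_if: str  # interface the packet arrived on
    src: str         # source address as written in the packet header
    dst: str         # destination address


def source_allowed(ingress_if, src):
    """True only if src lies inside a prefix assigned to ingress_if.

    Unknown interfaces and unparsable addresses are denied by default;
    an IPv4 address never matches an IPv6 prefix and vice versa.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in INTERFACE_PREFIXES.get(ingress_if, []))


def filter_packets(packets):
    """Split packets into (forwarded, dropped) according to source_allowed."""
    forwarded, dropped = [], []
    for p in packets:
        (forwarded if source_allowed(p.ingress_if, p.src) else dropped).append(p)
    return forwarded, dropped


# Constructed sample traffic: 203.0.113.53 plays the role of the targeted
# name server, and the spoofed packets carry source addresses their
# customer interface was never assigned.
SAMPLE_PACKETS = [
    Packet("cust-a", "192.0.2.10", "203.0.113.53"),       # legitimate customer query
    Packet("cust-a", "203.0.113.7", "203.0.113.53"),      # spoofed: source not cust-a's
    Packet("cust-b", "2001:db8:b::1", "2001:db8:53::1"),  # legitimate IPv6 source
    Packet("cust-b", "198.51.100.200", "203.0.113.53"),   # spoofed: outside the /25
    Packet("unknown-if", "192.0.2.10", "203.0.113.53"),   # no assignment: default deny
    Packet("cust-a", "not-an-ip", "203.0.113.53"),        # malformed source address
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    for p in fwd:
        print(f"FORWARD {p.ingress_if:<10} {p.src} -> {p.dst}")
    for p in drp:
        print(f"DROP    {p.ingress_if:<10} {p.src} -> {p.dst}")
```

The filter is deliberately default-deny: an interface with no recorded assignment forwards nothing, so a configuration gap shows up as a customer complaint rather than as a hole that spoofed traffic can slip through. On real hardware the same policy is expressed as an interface ACL or unicast reverse-path forwarding check rather than in Python, but the decision rule is identical.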