[GTER] Feds Investigating "Largest Ever" Attack on Internet

Kleber Carriello de Oliveira kco at embratel.net.br
Thu Oct 24 10:36:01 -03 2002


Maybe it is time to think about a more distributed DNS structure.
The FAPESP servers could be distributed across regions of Brazil.

--
Kleber Carriello de Oliveira
Internet Security Management
Embratel -  Rio de Janeiro

-----Original Message-----
From: gter-admin at eng.registro.br [mailto:gter-admin at eng.registro.br]On
Behalf Of Andre Fucs de Miranda
Sent: Wednesday, October 23, 2002 13:52
To: gter
Subject: [GTER] Feds Investigating "Largest Ever" Attack on Internet


Reading this, I ask myself... what is the real chance today of the Brazilian DNS
servers being affected by a similar act? Just out of curiosity... are simulations
of that kind done, or have they been done?

+++ begin +++
Feds Investigating "Largest Ever" Attack on Internet


By Kevin Murphy

US Federal authorities are investigating an attack on the internet that has
been described as the "largest and most complex" in history. Rather than a
specific entity, the attack was aimed at the domain name system's root servers,
essentially at the internet itself.

In a distributed denial of service attack that began 5pm US Eastern time Monday
and lasted one hour, seven of the 13 servers at the top of the internet's
domain name system hierarchy were rendered virtually inaccessible, sources told
ComputerWire.

"We're aware of that [the attack] and the National Infrastructure Protection
Agency is addressing the matter," an FBI spokesperson told ComputerWire. No
more information on the investigation was available.

According to a source that preferred not to be named, the recently formed
Department of Homeland Security is involved in the investigation, as well as
the FBI, suggesting that authorities are concerned the attack may have
originated overseas.

"It was the largest and most complex DDoS attack on all 13 roots," a source
familiar with the attacks said. "Only four of the primary 13 root servers were
up during the attack. Seven were completely down and two were suffering severe
degradation."

The source said each of the servers was hit by two to three times the load
normally borne by the entire 13-server constellation. Paul Vixie, chairman of
the Internet Software Consortium, which manages one of the servers, said he saw
80Mbps of traffic to the box, which usually only handles 8Mbps.

In a DDoS flood attack, hackers take control of dozens or hundreds of "slave"
or "drone" machines, then instruct them remotely to simultaneously flood
specified IP addresses. The attack is believed to have been an ICMP (Internet
Control Message Protocol) ping flood, which stops networked devices responding
to traffic by pounding them with spurious packets.

Freely downloadable hacker tools such as Tribe Flood Network, Trinity and
Stacheldraht can be used to launch ICMP floods. One such tool was used
memorably against Amazon, eBay and other big sites in the Mafiaboy attacks of
February 2000. Mafiaboy, a Canadian schoolboy, was eventually caught after
bragging to friends about the attacks.

The DNS root servers are the master lists of domain names and IP addresses on
the internet, the machines from which all DNS lookup information flows. If they
were taken offline or became inaccessible, any application that uses domain
names (email and browsers at the low end) would ultimately stop functioning
properly.

The best way to counter these kinds of attacks is "massive over-provisioning",
said the ISC's Vixie. He added that the attack did not actually crash any of
the root servers, rather it congested devices upstream of the servers
themselves, so that very little legitimate traffic could get through.

A spokesperson for VeriSign Inc, which manages another root server, said:
"VeriSign expects that these sort of attacks will happen, and VeriSign was
prepared. VeriSign responded quickly, and we proactively cooperated with fellow
providers and authorities."

Louis Touton, VP of the Internet Corp for Assigned Names and Numbers (ICANN)
which runs another server, said that these types of attacks against root
servers are common, but that the scale and the fact that all 13 servers were
targeted set Monday's incident apart. He pointed out that no end users were
affected.

DDoS attackers operate with at least one degree of separation from their
targets, and use spoofed source IP addresses to make tracing them virtually
impossible. According to Vixie, the only way to stop such attacks happening in
future is to make it too hard to execute them and get away with it.

"The most important thing to come to light here has been known for some time.
We've got to find a way to secure all the end stations that forge this
traffic," Vixie said. "There's an army of drones sitting out there on DSL
lines... There's no security at the edge of the network. Anyone can send
packets with pretty much any source address."

Richard Probst, VP of product management at DNS specialist Nominum Inc,
observed the attacks, and said it was interesting that the hacker chose to
attack the root servers for only one hour.

Only a sustained attack on the root servers would have had an impact on end
users, which tend to do DNS lookups in the first instance on data cached
locally at their ISP. It is only after a longer period, when cached data starts
to purge, that an offline root server could cause problems.

"The root servers don't actually get as much traffic as others, such as those
that handle .com," Probst said. "It makes you wonder whether they were trying
to stop things, or to show their knowledge of the system. It's almost as if
these folks were exploring to see how the system would respond to this level of
attack."




© Computer Business Review Online 2002

http://www.cbronline.com/cbr.nsf/printweb/546816D8B69C048680256C5B00107E53?Opendocument
http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html
+++ end +++

--
!
subscribe to -do-not-cross-
security, information and opinion
http://www.cfsec.com.br/dnc/
!

--
GTER list    http://eng.registro.br/mailman/listinfo/gter
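Added example, not part of the article or of either message in the thread: a toy recursive resolver with a TTL cache, written to show concretely why Probst and Touton could say a one-hour outage of the roots reached no end users, and what a sustained outage would change. An ISP resolver that already holds the .com delegation does not need a root server at all until that delegation's TTL runs out. All zone data, server names and addresses are constructed (RFC 5737 documentation ranges); the delegation TTL of 172800 seconds is the assumed value and matches the published root zone. The model treats "the roots" as one reachable-or-not service, so it ignores the four roots that stayed up and resolver retry logic.

```python
# Added example (not from the article or the GTER thread): a toy recursive
# resolver with a TTL cache, used to show why a one-hour root-server outage
# is invisible to users whose ISP resolver already holds warm delegations.
# All zone data, names and addresses below are constructed (RFC 5737
# documentation ranges); the TLD delegation TTL matches the root zone.

TLD_NS_TTL = 172800     # 2 days: TTL of TLD delegations in the root zone (assumed)
HOST_TTL = 3600         # 1 hour: TTL of the constructed host records below

# Constructed delegations the root servers would hand out.
ROOT_DELEGATIONS = {
    "com": "ns.com-servers.example",
    "br": "ns.br-servers.example",
}
# Constructed answers the TLD servers would return.
TLD_ANSWERS = {
    "www.example.com": "192.0.2.10",
    "www.example.br": "198.51.100.7",
}


class RootsUnreachable(Exception):
    """Raised when a lookup needs a root server and none can be reached."""


class Resolver:
    def __init__(self):
        self.now = 0                 # simulated clock, seconds
        self.roots_reachable = True  # flipped to False during the attack
        self.cache = {}              # (name, rtype) -> (value, expires_at)
        self.root_queries = 0        # how often a root actually had to answer

    def _cached(self, key):
        hit = self.cache.get(key)
        if hit is None:
            return None
        value, expires_at = hit
        if self.now >= expires_at:
            del self.cache[key]      # TTL elapsed: the entry is purged
            return None
        return value

    def _store(self, key, value, ttl):
        self.cache[key] = (value, self.now + ttl)

    def _ask_root(self, tld):
        if not self.roots_reachable:
            raise RootsUnreachable(tld)
        self.root_queries += 1
        if tld not in ROOT_DELEGATIONS:
            raise LookupError(tld)
        return ROOT_DELEGATIONS[tld]

    def resolve(self, name):
        tld = name.rsplit(".", 1)[-1]
        # Step 1: the TLD's name server, from cache or else from a root.
        ns = self._cached((tld, "NS"))
        if ns is None:
            ns = self._ask_root(tld)
            self._store((tld, "NS"), ns, TLD_NS_TTL)
        # Step 2: the host record from the TLD server (always reachable here).
        addr = self._cached((name, "A"))
        if addr is None:
            addr = TLD_ANSWERS[name]   # stands in for the query sent to `ns`
            self._store((name, "A"), addr, HOST_TTL)
        return addr


def _try(resolver, name):
    try:
        return resolver.resolve(name)
    except RootsUnreachable:
        return None


def simulate():
    """Replay the article's timeline; return what each lookup produced."""
    r = Resolver()
    warm = r.resolve("www.example.com")        # normal day: .com delegation cached

    # Attack window: every root unreachable; the host record has expired.
    r.roots_reachable = False
    r.now = 2 * HOST_TTL
    during_com = _try(r, "www.example.com")    # served via the cached .com NS
    during_br = _try(r, "www.example.br")      # .br never seen: needs a root, fails

    # Attack over after one hour.
    r.roots_reachable = True
    r.now += 3600
    after_br = _try(r, "www.example.br")

    # Hypothetical sustained outage, longer than the delegation TTL.
    r.roots_reachable = False
    r.now = TLD_NS_TTL + 1
    sustained_com = _try(r, "www.example.com")  # .com NS purged: fails
    return {
        "warm": warm, "during_com": during_com, "during_br": during_br,
        "after_br": after_br, "sustained_com": sustained_com,
        "root_queries": r.root_queries,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The only lookups that fail during the window are those for a TLD the resolver has never seen; everything under an already-cached delegation keeps working because the TLD servers, not the roots, answer it. That is also why the damage from a sustained attack arrives gradually, delegation by delegation, as the two-day TTLs expire rather than all at once.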
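Added example, not part of the article or of the thread: the "security at the edge" Vixie is asking for, written out as a source-address ingress filter in the spirit of BCP 38. An access router knows which prefixes it assigned to each customer port, so a packet arriving on that port with any other source address is forged and can be dropped before it reaches the backbone, which is what takes the spoofing (and the untraceability) out of a drone's flood. Port names, prefixes and the traffic sample are constructed (RFC 5737 and RFC 3849 documentation ranges); the filter is a model of the router's check, not a real router configuration.

```python
# Added example (not from the article or the thread): a BCP 38-style
# source-address ingress filter applied at a customer-facing edge port.
# Prefix assignments and the packet sample are constructed; addresses come
# from the RFC 5737 / RFC 3849 documentation ranges.
import ipaddress
from collections import Counter

# Constructed: prefixes assigned to each customer-facing port.
PORT_PREFIXES = {
    "dsl-port-1": [ipaddress.ip_network("192.0.2.0/29")],
    "dsl-port-2": [ipaddress.ip_network("198.51.100.16/28"),
                   ipaddress.ip_network("2001:db8:2::/48")],
}

# Constructed traffic sample: (ingress_port, source, destination, protocol).
PACKETS = [
    ("dsl-port-1", "192.0.2.3",      "203.0.113.53",   "ICMP"),   # genuine customer
    ("dsl-port-1", "10.9.8.7",       "203.0.113.53",   "ICMP"),   # forged private source
    ("dsl-port-2", "198.51.100.20",  "203.0.113.53",   "UDP"),    # genuine customer
    ("dsl-port-2", "192.0.2.3",      "203.0.113.53",   "ICMP"),   # port-1's prefix on port-2
    ("dsl-port-1", "203.0.113.53",   "203.0.113.53",   "ICMP"),   # target's own address
    ("dsl-port-2", "2001:db8:2::10", "2001:db8:53::1", "ICMP6"),  # genuine IPv6 customer
    ("dsl-port-3", "192.0.2.4",      "203.0.113.53",   "ICMP"),   # port with no assignment
]


def ingress_ok(port, src):
    """True only when src lies inside a prefix assigned to the ingress port.

    A port with no assignment fails closed: nothing is accepted from it.
    Address-family mismatches (v6 source tested against a v4 prefix)
    evaluate to False in the ipaddress module, so no special casing.
    """
    src_ip = ipaddress.ip_address(src)
    return any(src_ip in net for net in PORT_PREFIXES.get(port, ()))


def apply_filter(packets):
    """Split packets into (passed, dropped) lists as the edge router would."""
    passed, dropped = [], []
    for pkt in packets:
        (passed if ingress_ok(pkt[0], pkt[1]) else dropped).append(pkt)
    return passed, dropped


def spoof_sources_by_port(dropped):
    """Count forged packets per port: the drone sits behind the noisy ones."""
    return Counter(port for port, *_ in dropped)


if __name__ == "__main__":
    passed, dropped = apply_filter(PACKETS)
    print(f"passed {len(passed)}, dropped {len(dropped)}")
    for port, count in spoof_sources_by_port(dropped).items():
        print(f"  {port}: {count} forged packet(s)")
```

Two caveats a practitioner would want. The filter has to run at the drone's ISP, at the port the drone is plugged into; deploying it at the root-server side stops nothing, because by then the forged packets are indistinguishable from real ones. And it does not reduce the volume a compromised host can send; it only forces the flood to carry its true source address, which is what makes the drone findable and the attack traceable, as Vixie's quote argues.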
