DNS attack puts Web security in perspective

A few years ago, I had the privilege of seeing some root DNS servers in action at VeriSign's main headquarters. It's something I had wanted to do for over a decade, and I was literally slightly shaking with excitement (yes, I am that big of a geek).

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

Physical security was high. It took three-factor authentication to get me past the two mantraps and the bomb-blast protected walls. My escort had to use handprint geometry, a PIN, a smart card, and a retinal scan to get me into the inner sanctum.

Turns out VeriSign's DNS root servers at this location are composed of two physically separate, 10-high stacked, 1U pizza-box-style IBM eServers (VeriSign said they tested many different servers, and IBM's gave them the best performance per dollar), running Solaris and Red Hat Linux. Not surprisingly, they don't run BIND and keep things intentionally diverse to protect against a platform-specific attack.

Watching the network lights rapidly blink under millions of transactions per second was a blast. Did I mention I was a geek?

Although I've walked into hundreds of high-security centers since, I've always remained impressed with the VeriSign walk-through. It wasn't too many years ago when some of the east coast DNS servers were reported as being stored in a elevator storage running inside a parking garage.

The DNS infrastructure has come a long way since then and is no longer under threat of being rammed by a car. Unfortunately, physical attacks are the easy ones to stop. The Internet's global DNS infrastructure recently experienced its first huge widespread DoS attack since the Oct. 21, 2002 incident. This year's attack happened on February 6 and only involved three of the Internet backbone's 13 root DNS servers (the 2002 attack targeted all 13).

I discussed the recent attack with VeriSign's chief security officer, Ken Silva. He said that the attack focused on root servers G (maintained by the U.S. Department of Defense) and L (maintained by ICANN), and to a lesser extent, M (maintained by Japan). During the 12-hour attack, nearly 90 percent of legitimate queries to those servers were being dropped.

That's a lot worse than I had been led to believe by other news sources. I hadn't questioned the other sources because I, like most people I know, didn't even notice the attack until it was over and had made headlines.

Silva said a couple of things made this attack less threatening than it could have been. First, as stated above, it only affected three of the 13 root servers. I asked if the attackers had decided to attack all 13 servers at once if the results would have been worse.

"Yes," he replied without missing a beat. "Some phases of the attack contained more than 1Gb of malformed data per second. Normal traffic is a half a million queries per second, or about 26 billion requests per day." These attack loads were significant enough that any DNS server would suffer even with anti-DoS protections put in place.