DNS attack puts Web security in perspective

Second, Silva said the attacks were "plain" malformed DNS requests from spoofed IP addresses. They weren't reflection or amplification attacks, which can saturate bandwidth even more.

Third, much of information served up by the root servers is often cached on downstream DNS servers locally. Most of the traffic to the root servers comes from newly started DNS servers when new top level domains that aren't already cached need to be resolved. Silva said that if the attacks had been directed at the top level domain .com resolution servers, where over 50 million .com domain names are stored, the pain would have been worse.

Finally, VeriSign and most other players have added significant server power and bandwidth since the 2002 attack. Most of the DNS root servers may be listed as one IP address, but in most cases, they are made up of many more servers. The Anycast protocol they use allows multiple computers to share one IP address; the downstream requesting client gets the closest logical DNS server.

I asked Silva what it would take to stop spoofed DoS attacks. "ISPs need to perform egress filtering and stop spoofed packets," he said. "There is an ongoing proposal called BCP 38 that addresses egress filtering."

Still, until we get the majority of ISPs to participate, spoofed IP attacks will continue. "Right now, our biggest defense is over-capacity," explained Silva. "All the DNS providers keep trying to build so much capacity that even the large attacks against the DNS structure are minimal by comparison. In the year 2000, we had a billion legitimate requests a day. Now it's 26 billion. We predict it will be 200 billion requests per day by 2010."

With both legitimate use and attack traffic in mind, VeriSign just announced an increased scaling initiative called Project Titan. It plans to increase DNS throughput tenfold by 2010 -- a "10,000-fold increase since 2000," noted Silva.

VeriSign knows a little something about scaling, and it has to. For one, it manages the first 10 of the 13 DNS root servers (A through J), resolving top-level domain .com and .net traffic. Plus, Verisign offers directory services for more than DNS; it has the exclusive RFID directory service contract to help the Wal-Marts of the world track medicines and inventory. Its near-term scale will be in the trillions of transactions per day.

Despite all this, attack traffic is currently growing even more aggressively than legitimate traffic -- up 150 fold since 2000, said Silva. This is a concern because the DNS infrastructure, which has been badly in need of a security makeover for two decades, is now used for a lot more than Web surfing and e-mail. Like it or not, VoIP applications, IP TV, cell phones, mission-critical communication links, and data repositories are now using the Internet for real-time business. If the Internet goes down today, it's going to affect far more than just your ability to check into MySpace or YouTube.