Internet survives massive attack

An attempt to cripple the computers that serve as the address books for the internet failed on Monday.

The so-called distributed denial-of-service (DDoS) attack levelled a barrage of data at the 13 domain name service root servers and apparently is ongoing, according to internet performance measurement company Matrix NetSystems.

Traffic from several ISPs has been slightly delayed but because the domain name system is spread out and because the 13 root servers are the last resort for address searches, the attack had almost no effect on the internet itself.

"There was never an end user that said there was a problem," said Paul Vixie, chairman of the Internet Software Consortium, a group that supports the open source software on which many domain name servers run.

The group also administers one of the 13 computers - specifically, the 'F' server - that routinely matches internet addresses. Like the telephone book, domain name servers match a name with a number. They also are layered like a virtual onion, so that a user who wants to go to specific address, such as 'silicon.com', will first attempt to get the information from a local server. If the domain is not found, then the request gets bumped up to a domain name server for the top-level domain, such as '.com'.

Requests should only rarely consult the root servers. Most requests that the ISC's 'F' server sees are from poorly designed networks that don't cache the previous answers for information, Vixie said.

"We answer a request and then two milliseconds later get another request from the same user for the same domain," he said.

While Vixie took issue with reports that the attack had been the "largest ever", he did say that aspects of the data flood made it unusual. "There have been [previous] attacks against the root domain servers - yes," he said. "But it is rare to have attacks against all 13 at the same time."

The Internet Software Consortium's 'F' server responds to more than 270 million domain name service queries each day, according to its site.

The 13 domain name service root servers are designated 'A' to 'M'. The most affected servers, according to internet performance firm Matrix NetSystems, were the 'A' and 'J' servers owned by VeriSign Global Registry Services, the 'G' server owned by the US Department of Defense Network Information Center, the 'H' server at the US Army Research Lab, the 'I' server located in Stockholm, the 'K' server located in London and the 'M' server in Tokyo.

Still, the results were not severe. According to Matrix NetSystems, the peak of the attack saw the average reachability for the entire DNS network drop only to 94 per cent from its normal levels near 100 per cent.

About 4,000 denial-of-service attacks hit the internet in the average week, according to data collected by the Cooperative Association for Internet Data Analysis. Many of those are aimed at domain name servers.

Attacks that broadly affect the internet are rare. In April 1997, a misconfigured router advertised itself to the internet as the quickest gateway to every other server and caused a ripple that affected communications for several hours.

Robert Lemos writes for CNET News.com