On Monday, October 21, someone, it seems, tried to take down the Internet.
They did this by launching a well-known, brusque type of distributed denial of service (DDoS) attack, called an ICMP flood, on the Internet's 13 root DNS servers, the machines that translate words like "www.skyisfalling.com" into numbers like 126.96.36.199. (I made those up. Don't bother trying them.)
These 13 computers are peppered throughout the world and each is known by a single letter, A through M. The seven DNS root servers that took the biggest hit were A, G, H, I, J, K and M. The server known as H is found at the US Army Research Lab in Aberdeen, Maryland. A, G and J are located in Virginia. Server I is in Stockholm, K in London and M in Tokyo.
But DNS translations are also cached on thousands of routers. So, often when you ask for www.skyisfalling.com, you'll get 188.8.131.52 from one of these cached copies squatting on a nearby router. Your request never has to go to the root server. This is a smart architecture; the only way the ICMP flood could have succeeded is if all of the root servers remained down long enough (maybe eight or nine hours) that the router caches started to expire, which would eventually happen when their preset TTL (time to live) ran out.
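To make the caching argument concrete, here is a small simulation added for this column (not something from the original piece or from any root operator): a recursive resolver that answers from its cache while an entry's TTL is still running and only has to go back to the roots when an entry expires. The names, addresses and TTLs are constructed, and the "roots" are simply unreachable during a configurable window. It shows the behaviour the paragraph describes: nothing breaks when the outage starts, and lookups begin to fail one name at a time as the shorter TTLs run out while the roots are still down.

```python
"""Toy model of a caching resolver riding out a root-server outage.

Constructed example: made-up names, addresses and TTLs; it never talks
to the real DNS. The point is that a cached answer is served without
touching the roots until its TTL expires.
"""
from dataclasses import dataclass, field

# Constructed "authoritative" data: name -> (address, TTL in seconds).
ZONE = {
    "www.one.test": ("192.0.2.1", 3600),     # 1 hour
    "www.two.test": ("192.0.2.2", 7200),     # 2 hours
    "www.three.test": ("192.0.2.3", 14400),  # 4 hours
}


@dataclass
class CacheEntry:
    address: str
    expires_at: int  # absolute time, seconds since simulation start


@dataclass
class CachingResolver:
    """Recursive resolver that must reach the roots on every cache miss."""
    outage: tuple                          # (start, end): roots down for start <= t < end
    cache: dict = field(default_factory=dict)

    def roots_reachable(self, now):
        start, end = self.outage
        return not (start <= now < end)

    def resolve(self, name, now):
        """Return (address, how); how is 'cache', 'upstream' or 'servfail'."""
        entry = self.cache.get(name)
        if entry is not None and now < entry.expires_at:
            return entry.address, "cache"          # TTL still running: roots not needed
        # Cache miss or expired entry: resolution has to start from the roots.
        if not self.roots_reachable(now):
            return None, "servfail"
        address, ttl = ZONE[name]
        self.cache[name] = CacheEntry(address, now + ttl)
        return address, "upstream"


def warm_cache(resolver, now=0):
    """Populate the cache once, as ordinary traffic would before the attack."""
    for name in ZONE:
        resolver.resolve(name, now)


def failure_timeline(outage_start, outage_end, step):
    """Fraction of lookups that fail at each tick from outage start to end.

    The cache is warmed at t=0, so this assumes outage_start > 0.
    """
    resolver = CachingResolver(outage=(outage_start, outage_end))
    warm_cache(resolver, now=0)
    timeline = []
    t = outage_start
    while t <= outage_end:
        outcomes = [resolver.resolve(name, t)[1] for name in ZONE]
        timeline.append((t, outcomes.count("servfail") / len(outcomes)))
        t += step
    return timeline


if __name__ == "__main__":
    # Roots unreachable from t=60s for three hours; sample once an hour.
    for t, failing in failure_timeline(60, 10860, 3600):
        print(f"t={t:6d}s  failing lookups: {failing:.0%}")
```

Run as-is, the timeline goes 0% at the start of the outage, 33% after the one-hour TTL lapses, 67% after the two-hour TTL lapses, and back to 0% the moment the roots return, because the four-hour entry never expired and the other two are simply re-fetched. Lengthening the outage past the longest TTL is what it would take to reach 100%, which is the "eight or nine hours" point made above.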
That didn't happen. According to one report sent out as the attack was winding down, some of the root servers went down, but never all of them. Packet loss by the DNS network approached 10 per cent at the attack's apex (normally packet loss is less than one per cent) and reachability of DNS servers fell to around 94 per cent. Maybe you noticed sluggish Web page loads. Probably you noticed nothing. (Thank you to Ted Julian and Bruce Schneier for the refresher.)
Why all the technical talk? We'll get to that in a minute. The point is, the attack wasn't tilting at windmills, but it wasn't what you'd call a surgical strike either. Its legacy will be its target: the very backbone of the Internet. (Even though everyone knew and talked about DNS as a viable target—more proof we really don't care about something until it actually happens.)
There were two types of reaction to the DNS attack. Either it was the beginning of ever more serious attempts to bring down the Internet, or it was an isolated incident. It was either a practice run for some larger cyberterrorist attack, or it was simply, as Bruce Schneier called it, vandalism. On the one side Bill "Ches" Cheswick, a security expert with vendor Lumeta, intoned, "Next time, we may not be so lucky." On the other, John Crain, technical manager of ICANN, glibly called out: "Nothing to see. No dead bodies. Move on."
Either the sky is falling, or it is not. And whichever theory you believe discomfits those who believe the opposite.
Everyone is talking about the appropriate reaction to the DNS root server attack, but no one is actually reacting. This event is a gold mine of pertinent information for anyone involved in critical infrastructure protection. That's the reason for all the details above. Security experts have debated this stuff for years, but only in theory. Now they have real data. It's time to use it to step up those debates:
—Since the attack didn't work and this is largely a security success story, does that validate the DNS architecture?
—Do we need DNS root servers N, O, P and Q? And if so, where?
—Does the collegial management of DNS root servers still make sense?
—Is it time to build more formal security into DNS and other architectures and protocols, like BGP, that are widely known to be vulnerable?
I guess I fall into the sky-is-not-falling camp, but I understand the impulse to believe the worst, given the current climate of snipers and war and uncertainty. Cheswick is probably thinking about all this when he says we may not be so lucky next time. But if security professionals start reacting to the DNS root server attack, instead of just talking about the right way to react, then we won't have to rely on luck.
"Alarmed" is a biweekly column about security and privacy. Look for a new version every other Thursday.