The Internet was never really in danger of being knocked offline during last week’s coordinated attack on its infrastructure, most computer experts now agree. But the day is coming, some believe, when the Net will go dark for a day or so, shut down by an attacker. U.S. government officials are taking last week’s incident very seriously, partly because it might have been a test shot fired over the Internet’s bow by a group with larger plans, and partly because the incident has sparked a fresh round of speculation about attack strategies that could in fact cripple the Net.
LAST WEEK’S DENIAL of service attack against the main computers at the heart of the Internet went by, not with a bang, but a whisper. Despite initial reports, last week’s attack was relatively unsophisticated and doomed from the start, in part because attackers picked the wrong target and the wrong weapons.
That is both a blessing and a curse for those in government and private industry who are trying to defend cyberspace against future attacks. The ease with which the Internet, and its operators, brushed off the threat indicates the network’s design really is robust and full of the redundancies necessary to weather attacks at its heart. On the other hand, security experts worry that the public is wearying of stories about near-miss technology disasters, and that this latest incident may contribute to a “cry wolf” effect — creating a false sense of security.
The attack left one menacing fact indisputable: Someone is clearly willing to attack the Internet’s core with the goal of shutting it down.
“It was unique in the sense that somebody took on top level domains all at once,” said Howard Schmidt, vice chair of President Bush’s Critical Infrastructure Protection Board. “But people were saying this was the worst attack ever, and it certainly wasn’t that.”
ATTACK NEVER HAD A CHANCE
Starting Monday night, attackers sent an overwhelming stream of traffic at the Internet’s 13 core domain name servers, computers that are a bit like the Net’s telephone book. They match common Web site names, like MSNBC.com, with their real underlying numeric IP addresses.
Were the domain name system to completely fail, most people couldn’t access Web sites.
At the height of Monday’s attack, nine of the 13 servers were unreachable or debilitated by the traffic — a classic denial of service attack. Such an attack on the main domain name servers had been predicted as a doomsday scenario by many, suggesting those core computers were a choke point — where a single targeted attack could cripple the Internet.
But even at the height of the attack, Net users noticed nothing. In practice, it turns out, the domain name servers aren’t really a choke point. The critical information they supply is actually saved — a process known as “caching” — in thousands of other computers around the Internet, which stepped in immediately when the main domain computers failed. Last week’s real-life test of this fail-over system demonstrated that even a completely successful attack on the 13 main domain servers would have to last for days before having any noticeable impact. And even then, it would be gradual, and only because the quality of the “cached” data would begin the degrade, as there would be no central authority for the latest domain address information.
Most experts agree that such a prolonged digital siege is practically impossible.
“The No. 1 thing this indicates is an attack against the domain name servers alone is not sufficient to severely disrupt the Internet,” said Joel de la Garza, a security expert at Securify.com.
PRANK OR PROBE?
But was it a failed prank or a test shot? Some experts argue that sophisticated attackers would have easily predicted the unsatisfying result from a domain name server attack, and not even tried — suggesting last week’s attack was mere hacker mischief. The addresses of the 13 key domain name computers are easy to find on the Internet. Hackers regularly gather up armies of “zombie” computers and initiate denial of service attacks on each other in playful chat room war games. Some occasionally turn their traffic hoses on Web sites, such as the well-known attacks against Yahoo.com, CNN.com, and other major Web sites in 1997. It’s not a stretch to imagine a hacker choosing to turn a traffic hose on the 13 main name servers as a prank.
But other see not a prank, but rather a probe. If an organized group wanted to get a sense of reaction times and protective strategies designed by the Internet’s defenders, they might fire a quick salvo like last’s week’s attack. Information gleaned from the test could be used to launch a much different, much larger attack later on.
Ed Skoudis, vice president of security strategy at Predictive Systems, thinks there’s reason to believe last week’s attackers have something bigger in mind. Because the attack lasted only about an hour, and ended very suddenly, Skoudis believes it was an intentional probe of the system’s defenses.
“The interesting point was the number of systems they were able to turn off almost immediately,” Skoudis said. “Usually, these floods come down over time. Even if it’s automated, it could still take a few minutes. There was no trickle off here, everything just stopped. It suggests that the coordination was excellent, and their channels of communication were very good. There was careful planning that went into it. They chose their zombie sites quite carefully.”
Skoudis was actually teaching a course at the SANS Institute for computer security in Washington D.C. last week when word of the attack came. During the next two days, about 10 percent of the students — mostly law enforcement officials — scrambled out of class in response to abrupt pages and cell phone calls. That’s why he thinks the federal government is also worried that the attack was more than a prank.
INTERNET POISONING
Still, by all accounts, the domain name system and the private companies like Verisign Inc. who maintain the 13 core computers passed this test with flying colors, so why is there cause for alarm?
In truth, attackers wouldn’t have to shut down the core domain name computers to wreak plenty of havoc, said Paul Mockapetris, who invented the domain name system. There are various ways to alter, or “poison” domain information in order to prevent Internet users from reaching the Web sites they are looking for. In one scenario, users trying to reach a financial site like Brokerage.com could be sent to a hacker Web site instead, where they would be tempted to enter their personal information. Attackers could get their message out by redirecting traffic headed for a news site to a propaganda Web page instead.
“You’ve got to count on the fact that there will be more attacks on DNS in the future,” said Mockapetris, who is now chief scientist for domain-name software company Nominum.
OTHER CHOKE POINTS
Many experts also agree their are other, more fragile choke points in the Internet’s infrastructure in addition to the domain name system. And now that it’s clear hackers is testing the waters, they may discover a more successful attack strategy.
Skoudis says the system of core routers which act as Internet air traffic controllers is considerably more fragile that the domain name system, and he suggests the next wave of attacks could take on these systems. Most of the Internet’s traffic must pass through one of several dozen core routers, and if they were somehow crippled simultaneously, the Net would grind to a halt.
“If you can’t route packets, then that’s it, you’re done,” he said.
Hackers have already discovered this tactic on a smaller scale. Two years ago, access to all Microsoft Web sites, including MSNBC.com, was shut down by an attack on a core router that was central to all the firm’s Web sites. It took the company two days to fully restore service.
BUILT TO ENDURE NUKE ATTACK
But Bill Palumbo, CEO of Internet traffic measurement firm Matrix NetSystems, said such doomsday predictions about the Net are often wrong.
“This can get overly exaggerated. If you look at the structure of the Net, it was built for connectivity in nuclear disaster. It will allow you to route traffic lots of ways,” he said. He recalled an incident last year in the South China Sea when a main Internet access cable was cut — traffic to that part of the world slowed for a few hours, but Internet traffic quickly found a new route and connectivity was restored. “The network is broader now, there are more routers in the network, more diverse routes in the network. If you go back in time 10 or 15 years, maybe something like that could happen, but not now.”
Still, Schmidt said he felt router attacks presented a troublesome problem. In February, federal agents issued a major alert and even briefed Bush about the discovery of an obscure vulnerability in router software — partly because Schmidt envisioned the vulnerability could be used in just such a massive router attack, he said.
“When that first surfaced lot of us felt that was a (dangerous) thing,” he said. Most routers have now been patched to the flaw, he said, thanks in part to a massive government-led education effort.
INTERNET BLACKOUT COMING
But that will hardly be the final flaw found in router software, Skoudis said — particularly now that it’s clear hackers are probing the Internet’s infrastructure. He thinks it’s inevitable that some day a new flaw will be found and used in an attack before government and private industry can react.
“I’m a believer that the whole Net will be brought down by some attack in next 2-5 years,” he said. But he likened the event to a typical East Coast snow day, when workers will simply stay home and play with their kids while technologists work to restore the system.
“It will cause confusion, but won’t cause the death of large numbers of people. But I think it’s going to happen, eventually,” he said.
Schmidt didn’t disagree, putting the likelihood of a daylong, hacker-caused Net outage at 5 on a scale of 1 to 10. However, he said, such an outage was “much more likely two years ago than today ... and the likelihood is decreasing every day.”