[infowar.de] 'Net security gets root-level boost
'Net security gets root-level boost
By Carolyn Duffy Marsan and Cara Garretson
Network World, 10/27/03
A year after surviving a massive distributed denial-of-service attack,
the Internet's root servers are better fortified against hacker
activity, thanks to behind-the-scenes deployment of a routing
technique known as Anycast, experts say.
With Anycast, the root server operators have more than doubled the
number of server farms available to handle the highest-level DNS
queries. This routing technique heightens root server resilience by
multiplying the number of servers with the same IP address and
balancing the load across an army of geographically dispersed servers.
A handful of the 13 root server operators have begun deploying Anycast
since last year's attack, which didn't succeed in crashing DNS but
rendered several root servers unavailable for legitimate queries.
Experts say the deployment of Anycast is making the entire root-server
system more resistant to outage.
"More of the root server operators are doing this routing technique,
and the DNS is more robust than ever," says Paul Mockapetris, inventor
of the DNS and chairman of DNS software vendor Nominum. "The DNS is
more resilient than it was a year ago by a factor of two."
A reinforced DNS is a boon to enterprise network managers who need a
rock-solid root server and DNS system for all of their IP services to
function. However, one network executive resists putting much faith in
a new DNS technique until it's been tested under attack.
DNS is "still not as secure as it could be, or should be," says
Stephen Lengel, systems engineering manager at The ServiceMaster Co.
in Downers Grove, Ill., which provides heating, cooling, landscaping,
pest control and appliance maintenance services, and has about 20,000
users on its network. Despite the use of techniques such as Anycast,
no technology is 100% safe from attack, he adds. "It's usually just a
matter of time before someone exploits it or finds a hole in it."
While distributed DoS attacks have occurred for years, last October's
assault on the Internet's 13 root servers - which run the master
directory for lookups that match domain names with their corresponding
IP addresses - served as a wake-up call to the vulnerabilities
inherent in the distributed design of DNS. Below the root servers are
the servers that support top-level domains such as .com, .net and
.org, and below the top-level domain servers are hosts of Web sites.
During a distributed DoS attack, a hacker hijacks machines across the
Internet and uses them to send a flood of requests to a server until
it becomes overwhelmed and stops functioning.
Last October, the root servers were under a distributed DoS attack for
about an hour, causing several servers to stop being available to
regular Internet traffic. However, the remaining root servers
withstood the attack and ensured that the Internet's overall
performance was not degraded. Nonetheless, this was the most serious
hacker attack ever on this key piece of the Internet infrastructure,
and it was an eye-opener for the root-server operators.
Without the root servers, the Internet cannot function. Named by the
letters A through M, the root servers are operated by U.S. government
agencies, universities, nonprofit organizations and companies such as
VeriSign. Of the original 13 root servers, 10 are located in the U.S.,
one in Asia and two in Europe.
With Anycast, the root server operators are replicating these servers
around the world. Four of the root-server operators - including the
Internet Software Consortium and VeriSign - have mirrored their root
servers. There are now 34 locations worldwide with root servers or
Using this technique, Internet addresses are "more like 800 numbers
that get routed to call centers," Mockapetris says. "There are...more
root servers scattered around the network than there used to be. It's
not necessarily that the servers are more available but that the [data
is] more distributed."
As extra root servers are deployed using Anycast, the root server
system acquires additional capacity if another distributed DoS attack
occurs. DNS experts say the root server system is much better equipped
to respond to this type of attack than it was a year ago, because of
Anycast and concurrent hardware and software upgrades.
"Trying to attack the root DNS servers is probably one of the most
foolish things you can do," says Daniel Golding, senior consultant
with Burton Group. "It's easy to down a single [Web] site, but with a
distributed infrastructure that's moving to Anycast, it's just really
kind of dumb. It's not going to be that effective."
Anycast is a routing technique that announces a particular block of IP
addresses can be reached from a number of routers. The technique tells
the Internet that queries to that address space should go to the
closest available router. The 10-year-old technique is built into
IPv6, the next generation of IP, but this is the first time Anycast
has been deployed in the DNS.
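To make the "closest available router" behaviour and the failover it buys concrete, here is an added toy model (not code from the article or from any root operator): several hypothetical sites announce one prefix, each client network follows the shortest AS path, and withdrawing a site moves its clients to the next-closest survivor. The site names, client networks and path lengths are all constructed.

```python
"""Constructed toy model of root-server anycast (not the article's code).
Several sites announce the same prefix; a client network follows the
announcement with the shortest AS path, so queries land at the closest
available site. When a site withdraws (e.g. an overwhelmed instance),
its clients fail over to the next-closest survivor rather than losing
service, which is the resilience the article describes."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 5737 documentation prefix standing in for a root-server address block.
ANYCAST_PREFIX = "203.0.113.0/24"

@dataclass
class Site:
    name: str             # hypothetical mirror site
    healthy: bool = True  # False once the site withdraws its announcement

@dataclass
class ClientAS:
    name: str
    path_len: Dict[str, int]  # constructed AS-path length to each site

def make_sites() -> List[Site]:
    # Hypothetical mirrors, loosely echoing the regions the article names.
    return [Site(n) for n in ("PaloAlto", "SaoPaulo", "HongKong", "Madrid")]

CLIENTS = [  # constructed client networks and their AS-path lengths
    ClientAS("BR-ISP", {"SaoPaulo": 1, "PaloAlto": 3, "Madrid": 4, "HongKong": 6}),
    ClientAS("AR-ISP", {"SaoPaulo": 2, "PaloAlto": 4, "Madrid": 5, "HongKong": 7}),
    ClientAS("JP-ISP", {"HongKong": 2, "PaloAlto": 3, "Madrid": 6, "SaoPaulo": 7}),
    ClientAS("KR-ISP", {"HongKong": 1, "PaloAlto": 3, "Madrid": 6, "SaoPaulo": 8}),
    ClientAS("DE-ISP", {"Madrid": 2, "PaloAlto": 4, "SaoPaulo": 6, "HongKong": 7}),
    ClientAS("US-ISP", {"PaloAlto": 1, "SaoPaulo": 4, "Madrid": 4, "HongKong": 5}),
]

def select_site(client: ClientAS, sites: List[Site]) -> Optional[str]:
    """Shortest AS path among healthy sites wins; ties fall back to site name
    (real BGP has further tie-breakers, omitted here). None means no route."""
    candidates = [(client.path_len[s.name], s.name) for s in sites if s.healthy]
    return min(candidates)[1] if candidates else None

def route_all(clients: List[ClientAS], sites: List[Site]) -> Dict[str, Optional[str]]:
    return {c.name: select_site(c, sites) for c in clients}

def load_per_site(routing: Dict[str, Optional[str]]) -> Counter:
    """How many client networks each site is serving (unrouted clients ignored)."""
    return Counter(site for site in routing.values() if site is not None)

def withdraw(sites: List[Site], name: str) -> None:
    for s in sites:
        if s.name == name:
            s.healthy = False
```

Calling `route_all(CLIENTS, make_sites())` before and after `withdraw(sites, "SaoPaulo")` shows the South American clients re-homing to PaloAlto while the other regions are untouched; restricting `sites` to a single healthy entry reproduces the pre-Anycast case where withdrawing that one site leaves every client with no route.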
"Anycasting is something that had been discussed among all of the root
operators for a considerable amount of time, long before the attacks
[of last October]," says Ken Silva, vice president of networks and
information security at VeriSign. But after the attacks "was the time
to roll it out," he says.
Starting last November, the Internet Software Consortium began
deploying mirrored copies of its F root server around the globe using
Anycast. Since then, the consortium has announced mirrored copies of
its U.S.-based root server being deployed in Brazil, Canada, Hong
Kong, Korea, New Zealand and Spain. Today, the F root server and its
replicas are located in 12 sites.
A year ago, VeriSign had a single address space for both its A and J
root servers, both of which remained operational during the
distributed DoS attack. Since then, VeriSign has acquired new address
space for the J root and deployed mirrored copies of it around the
VeriSign this year used Anycast to mirror its J root server in six
locations in the U.S. plus London and Amsterdam. VeriSign also has two
mobile Anycast sites for its J root, which can reside anywhere within
VeriSign's global network infrastructure if needed.
"We tested Anycast for about a year...to monitor its behavior," Silva
says. "These are important servers, and we didn't want to make any
rash decisions about deploying it." Silva says Anycast is working well
and hasn't introduced any major complexities or problems into the
However, VeriSign has not used Anycast to mirror the A root server
that sits in a highly secured facility in Dulles, Va.
"The A root sits on an address block that is shared with other legacy
services such as Whois and an InterNIC FTP server, so Anycasting that
address block is not a good idea right now," Silva says. "The A root
server has sufficient capacity for now, but we ultimately will Anycast
that server" after splitting off the legacy services.
Anycast has many benefits besides protection against distributed DoS
attacks. ISPs get faster response times to their root-server lookups
because the closest available server handles the queries and the
servers are more distributed.
The root-server system is more resilient now because many regions of
the world have local root servers that can continue to operate if a
major physical connection to the rest of the Internet suffers an
The root-server operators have spent millions of dollars on the
hardware, software and engineering expertise required to set up
mirrored sites around the globe using Anycast. VeriSign says it has
spent $150 million in the past two and a half years rolling out a more
secure and resilient infrastructure for its A and J roots and the .com
and .net top-level domains. This investment includes the deployment of
"The attacks of October last year didn't come as a surprise to us,"
Silva says. "We feel we were prepared, but now we feel like we need to
be prepared for something even bigger."