
'Net security gets root-level boost

By Carolyn Duffy Marsan and Cara Garretson
Network World, 10/27/03

A year after surviving a massive distributed denial-of-service attack, 
the Internet's root servers are better fortified against hacker 
activity, thanks to behind-the-scenes deployment of a routing 
technique known as Anycast, experts say. 

With Anycast, the root server operators have more than doubled the 
number of server farms available to handle the highest-level DNS 
queries. This routing technique heightens root server resilience by 
multiplying the number of servers with the same IP address and 
balancing the load across an army of geographically dispersed servers. 

A handful of the 13 root server operators have begun deploying Anycast 
since last year's attack, which didn't succeed in crashing DNS but 
rendered several root servers unavailable for legitimate queries. 
Experts say the deployment of Anycast is making the entire root-server 
system more resistant to outage. 

"More of the root server operators are doing this routing technique, 
and the DNS is more robust than ever," says Paul Mockapetris, inventor 
of the DNS and chairman of DNS software vendor Nominum. "The DNS is 
more resilient than it was a year ago by a factor of two." 

A reinforced DNS is a boon to enterprise network managers who need a 
rock-solid root server and DNS system for all of their IP services to 
function. However, one network executive resists putting much faith in 
a new DNS technique until it's been tested under attack. 

DNS is "still not as secure as it could be, or should be," says 
Stephen Lengel, systems engineering manager at The ServiceMaster Co. 
in Downers Grove, Ill., which provides heating, cooling, landscaping, 
pest control and appliance maintenance services, and has about 20,000 
users on its network. Despite the use of techniques such as Anycast, 
no technology is 100% safe from attack, he adds. "It's usually just a 
matter of time before someone exploits it or finds a hole in it." 

While distributed DoS attacks have occurred for years, last October's 
assault on the Internet's 13 root servers - which run the master 
directory for lookups that match domain names with their corresponding 
IP addresses - served as a wake-up call to the vulnerabilities 
inherent in the distributed design of DNS. Below the root servers are 
the servers that support top-level domains such as .com, .net and 
.org, and below the top-level domain servers are hosts of Web sites. 

During a distributed DoS attack, a hacker hijacks machines across the 
Internet and uses them to send a flood of requests to a server until 
it becomes overwhelmed and stops functioning. 

Last October, the root servers were under a distributed DoS attack for 
about an hour, causing several servers to stop being available to 
regular Internet traffic. However, the remaining root servers 
withstood the attack and ensured that the Internet's overall 
performance was not degraded. Nonetheless, this was the most serious 
hacker attack ever on this key piece of the Internet infrastructure, 
and it was an eye-opener for the root-server operators. 

Without the root servers, the Internet cannot function. Named by the 
letters A through M, the root servers are operated by U.S. government 
agencies, universities, nonprofit organizations and companies such as 
VeriSign. Of the original 13 root servers, 10 are located in the U.S., 
one in Asia and two in Europe. 

With Anycast, the root server operators are replicating these servers 
around the world. Four of the root-server operators - including the 
Internet Software Consortium and VeriSign - have mirrored their root 
servers. There are now 34 locations worldwide with root servers or 
replicas deployed. 

Using this technique, Internet addresses are "more like 800 numbers 
that get routed to call centers," Mockapetris says. "There are...more 
root servers scattered around the network than there used to be. It's 
not necessarily that the servers are more available but that the [data 
is] more distributed." 

As extra root servers are deployed using Anycast, the root server 
system acquires additional capacity if another distributed DoS attack 
occurs. DNS experts say the root server system is much better equipped 
to respond to this type of attack than it was a year ago, because of 
Anycast and concurrent hardware and software upgrades. 

"Trying to attack the root DNS servers is probably one of the most 
foolish things you can do," says Daniel Golding, senior consultant 
with Burton Group. "It's easy to down a single [Web] site, but with a 
distributed infrastructure that's moving to Anycast, it's just really 
kind of dumb. It's not going to be that effective." 

Anycast is a routing technique in which the same block of IP addresses is 
announced as reachable from a number of routers. The technique tells the 
Internet that queries to that address space should go to the closest 
available router. The 10-year-old technique is built into IPv6, the next 
generation of IP, but this is the first time Anycast has been deployed in 
the DNS. 
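The following toy model, added here as an illustration and not part of the Network World article or of any root operator's software, shows the routing behaviour the paragraph describes and the resilience property the article credits it with: several sites announce one address, each client network is routed to the nearest one, a flood sourced from one region lands on that region's site while the others keep serving, and if a site withdraws its announcement its clients fail over to the next-nearest site. Hop costs stand in for BGP path selection; the topology, query volumes and per-site capacities are constructed for the example, not measurements of the real root-server system.

```python
"""Toy model of Anycast routing for a replicated root server.

Several sites announce the same service address; each client network reaches
whichever announcing site is topologically nearest (fewest hops here, standing
in for BGP's path selection). If a site withdraws its announcement, its clients
are routed to the next-nearest site instead. The topology, query volumes and
capacities below are constructed for this example, not measurements of the
real root-server system.
"""
import heapq
from collections import defaultdict

# Constructed topology: (node_a, node_b, hop_cost). Three regional client
# networks, three exchange points and three sites announcing the same address.
EDGES = [
    ("client-US", "ix-US", 1), ("client-EU", "ix-EU", 1), ("client-ASIA", "ix-ASIA", 1),
    ("ix-US", "ix-EU", 5), ("ix-EU", "ix-ASIA", 6), ("ix-US", "ix-ASIA", 8),
    ("ix-US", "root-US", 1), ("ix-EU", "root-EU", 1), ("ix-ASIA", "root-ASIA", 1),
]
SITES = {"root-US", "root-EU", "root-ASIA"}                      # all announce the same prefix
CAPACITY = {"root-US": 500, "root-EU": 500, "root-ASIA": 500}    # constructed queries/s per site
NORMAL = {"client-US": 300, "client-EU": 200, "client-ASIA": 150}  # constructed legitimate load
# Same legitimate load plus a flood originating from hijacked hosts in one region.
FLOOD = {"client-US": 1200, "client-EU": 200, "client-ASIA": 150}


def build_graph(edges):
    """Undirected adjacency map: graph[a][b] = cost."""
    graph = defaultdict(dict)
    for a, b, cost in edges:
        graph[a][b] = cost
        graph[b][a] = cost
    return graph


def nearest_instance(graph, client, live_sites):
    """Dijkstra from `client`; the first announcing site popped is the nearest.

    Returns (site, cost), or (None, inf) when no live site is reachable.
    """
    dist = {client: 0}
    heap = [(0, client)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist.get(node, float("inf")):
            continue  # stale heap entry
        if node in live_sites:
            return node, cost
        for nxt, hop in graph[node].items():
            new_cost = cost + hop
            if new_cost < dist.get(nxt, float("inf")):
                dist[nxt] = new_cost
                heapq.heappush(heap, (new_cost, nxt))
    return None, float("inf")


def route_load(graph, demand, live_sites):
    """Attribute each client network's query volume to the site it is routed to."""
    load = defaultdict(int)
    for client, qps in demand.items():
        site, _ = nearest_instance(graph, client, live_sites)
        load[site] += qps
    return dict(load)


def overloaded(load, capacity):
    """Sites receiving more than their capacity, i.e. the ones an operator
    would expect to degrade (or to withdraw from the Anycast announcement)."""
    return sorted(s for s, qps in load.items() if s is not None and qps > capacity[s])


if __name__ == "__main__":
    graph = build_graph(EDGES)
    print("normal, all sites   :", route_load(graph, NORMAL, SITES))
    # A regional flood lands on the regional instance; other regions keep theirs.
    flooded = route_load(graph, FLOOD, SITES)
    print("flood, all sites    :", flooded, "over capacity:", overloaded(flooded, CAPACITY))
    # The same flood against a single, non-replicated site hits everyone's server.
    single = route_load(graph, FLOOD, {"root-US"})
    print("flood, one site only:", single, "over capacity:", overloaded(single, CAPACITY))
    # If the overloaded site withdraws its announcement, its clients fail over.
    print("US site withdrawn   :", route_load(graph, NORMAL, SITES - {"root-US"}))
```

Running the script shows the two points worth checking in any Anycast deployment: with all three sites announcing, the constructed flood pushes only root-US over capacity while root-EU and root-ASIA see their normal 200 and 150 queries/s, whereas the same flood against a single site hits every region's traffic at once; and when root-US withdraws, US clients are carried by root-EU (cost 7) rather than root-ASIA (cost 10), so the remaining capacity must be planned for that fail-over load, not only for each site's local demand.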

"Anycasting is something that had been discussed among all of the root 
operators for a considerable amount of time, long before the attacks 
[of last October]," says Ken Silva, vice president of networks and 
information security at VeriSign. But after the attacks "was the time 
to roll it out," he says. 

Starting last November, the Internet Software Consortium began 
deploying mirrored copies of its F root server around the globe using 
Anycast. Since then, the consortium has announced mirrored copies of 
its U.S.-based root server being deployed in Brazil, Canada, Hong 
Kong, Korea, New Zealand and Spain. Today, the F root server and its 
replicas are located in 12 sites. 

A year ago, VeriSign had a single address space for both its A and J 
root servers, both of which remained operational during the 
distributed DoS attack. Since then, VeriSign has acquired new address 
space for the J root and deployed mirrored copies of it around the 

VeriSign this year used Anycast to mirror its J root server in six 
locations in the U.S. plus London and Amsterdam. VeriSign also has two 
mobile Anycast sites for its J root, which can reside anywhere within 
VeriSign's global network infrastructure if needed. 

"We tested Anycast for about a monitor its behavior," Silva 
says. "These are important servers, and we didn't want to make any 
rash decisions about deploying it." Silva says Anycast is working well 
and hasn't introduced any major complexities or problems into the 

However, VeriSign has not used Anycast to mirror the A root server 
that sits in a highly secured facility in Dulles, Va.

"The A root sits on an address block that is shared with other legacy 
services such as Whois and an InterNIC FTP server, so Anycasting that 
address block is not a good idea right now," Silva says. "The A root 
server has sufficient capacity for now, but we ultimately will Anycast 
that server" after splitting off the legacy services. 

Anycast has many benefits besides protection against distributed DoS 
attacks. ISPs get faster response times to their root-server lookups 
because the closest available server handles the queries and the 
servers are more distributed. 

The root-server system is more resilient now because many regions of 
the world have local root servers that can continue to operate if a 
major physical connection to the rest of the Internet suffers an 

The root-server operators have spent millions of dollars on the 
hardware, software and engineering expertise required to set up 
mirrored sites around the globe using Anycast. VeriSign says it has 
spent $150 million in the past two and a half years rolling out a more 
secure and resilient infrastructure for its A and J roots and the .com 
and .net top-level domains. This investment includes the deployment of 

"The attacks of October last year didn't come as a surprise to us," 
Silva says. "We feel we were prepared, but now we feel like we need to 
be prepared for something even bigger."
