
Discussion Starter #1 (Premium Member, 1,611 Posts)
During the evening of Monday, 21 October 2002, 13 vital pieces of Internet infrastructure suffered an hour-long attack that almost brought them to their virtual knees.
The domain name system, or DNS, allows users to type mnemonic names (such as "www.extremetech.com") instead of cryptic IP addresses (such as 63.111.13.100). It's structured as a distributed database. Each level of the name -- from the ".com" backward to the "www" -- may be determined by a different server in a different part of the world.

The 13 DNS "root servers" lie at the top of the hierarchy, and are the first stop when your ISP's equipment looks up the name preceding the ".com" for you. For example, your ISP might go to the root servers to find the address of the name server responsible for the domain "extremetech.com". It then goes to that name server to find out the address of the host "www" within the domain "extremetech.com". Your ISP saves, or caches, the addresses associated with names that were recently looked up, so you might not even notice a brief outage in the root servers. But if those servers were to stop running for more than a short while, the Internet would grind nearly to a halt.

A Washington Post article gives a general description of the attacks. Other sources say that the attack consisted of ICMP packets -- the kind used by the "ping" network utility. (An attack that overwhelms a machine with such packets is called a ping flood). However, the article does not mention whether the root server operators were able to identify the Trojan horse or worm that infected and controlled the attacking machines.
 

Registered member, 1,393 Posts:
I disagree about the "internet being brought to its knees." This is just sensationalism in order to sell newspapers and get people to watch the news.

The root servers are certainly very important. However, DNS is designed to cache information at a lower level to minimize requests to the root servers.

I doubt anyone noticed a problem on Monday with not being able to reach any webpages while the attack was occurring.

Now, I have thought it would be a cool movie about terrorists attacking the root servers and holding them hostage, blah, blah, blah - but if that occurred, I'm sure they have hot mirror sites which they could fail over to (or I would hope). Anyway, check out this NSLOOKUP response and see that the lookup to www.extremetech.com didn't hit the root servers - UUNet had it cached on two different DNS servers.

> www.extremetech.com
Server: DNS.x.com
Address: 216.x.x.x

------------
SendRequest(), len 52
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
www.extremetech.com.x.com, type = A, class = IN

------------
------------
Got answer (126 bytes):
HEADER:
opcode = QUERY, id = 3, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
www.extremetech.com.x.com, type = A, class = IN
AUTHORITY RECORDS:
-> x.com
type = SOA, class = IN, dlen = 48
ttl = 3600 (1 hour)
primary name server = DNS.x.com
responsible mail addr = hostmaster.X.com
serial = 1691
refresh = 1800 (30 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

------------
------------
SendRequest(), len 37
HEADER:
opcode = QUERY, id = 4, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
www.extremetech.com, type = A, class = IN

------------
------------
Got answer (104 bytes):
HEADER:
opcode = QUERY, id = 4, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 2, additional = 0

QUESTIONS:
www.extremetech.com, type = A, class = IN
ANSWERS:
-> www.extremetech.com
type = A, class = IN, dlen = 4
internet address = 63.111.13.100
ttl = 21600 (6 hours)
AUTHORITY RECORDS:
-> extremetech.com
type = NS, class = IN, dlen = 18
nameserver = auth40.ns.uu.net
ttl = 21600 (6 hours)
-> extremetech.com
type = NS, class = IN, dlen = 9
nameserver = auth62.ns.uu.net
ttl = 21600 (6 hours)

------------
Non-authoritative answer:
Name: www.extremetech.com
Address: 63.111.13.100
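The two posts above describe the same mechanism from two sides: the first walks the root -> ".com" -> extremetech.com chain, the second shows a cached answer that never touched the root. The toy resolver below is an added example written for this thread, not code from either poster or from any real resolver. It models that chain with a TTL cache and then takes the root offline, so you can watch which lookups still succeed and for how long. Only www.extremetech.com = 63.111.13.100, the auth40/auth62.ns.uu.net names and the 21600-second TTL come from the nslookup output; the root and TLD server names (root.example, tld.example), the mail host and its 192.0.2.25 address, and the 172800-second ".com" delegation TTL are constructed placeholders. Glue records are simplified away: the resolver finds a server object by its NS name instead of resolving that name's address first.

```python
"""Toy iterative resolver with a TTL cache: root -> TLD -> authoritative.
Zone data is constructed for illustration (see the lead-in for which values
come from the thread); glue/address lookups for NS names are skipped."""
from dataclasses import dataclass


@dataclass
class Server:
    """One authoritative server: answers from its records, refers for a
    delegated subzone, otherwise returns NXDOMAIN. The root zone is ""."""
    name: str
    zone: str
    records: dict          # (owner, rtype) -> (rdata, ttl_seconds)
    online: bool = True

    def query(self, qname, qtype):
        if not self.online:
            raise TimeoutError(f"{self.name} did not respond")
        if (qname, qtype) in self.records:
            rdata, ttl = self.records[(qname, qtype)]
            return "ANSWER", qname, rdata, ttl
        labels = qname.split(".")
        for i in range(len(labels) + 1):        # longest suffix first
            cand = ".".join(labels[i:])
            if cand == self.zone:
                break                           # our own apex: nothing delegated
            if (cand, "NS") in self.records:
                rdata, ttl = self.records[(cand, "NS")]
                return "REFERRAL", cand, rdata, ttl
        return "NXDOMAIN", qname, None, 0


class Resolver:
    """Caching iterative resolver, i.e. the ISP-side role in the thread."""

    def __init__(self, servers, root_names, clock):
        self.servers = servers      # NS name -> Server (glue assumed known)
        self.root_names = root_names
        self.clock = clock          # seconds; injected so the demo can fast-forward
        self.cache = {}             # (name, rtype) -> (rdata, expires_at)
        self.trace = []             # servers/cache entries the last resolve() used

    def _cached(self, name, rtype):
        hit = self.cache.get((name, rtype))
        if hit is not None and hit[1] > self.clock():
            return hit[0]
        self.cache.pop((name, rtype), None)   # expired: forget it
        return None

    def _store(self, name, rtype, rdata, ttl):
        self.cache[(name, rtype)] = (rdata, self.clock() + ttl)

    def resolve(self, qname, qtype="A"):
        self.trace = []
        hit = self._cached(qname, qtype)
        if hit is not None:
            self.trace.append(f"cache: {qname} {qtype}")
            return hit
        # Start at the closest enclosing delegation still cached, else the root.
        labels = qname.split(".")
        start = self.root_names
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            ns = self._cached(zone, "NS")
            if ns is not None:
                self.trace.append(f"cache: NS {zone}")
                start = ns
                break
        return self._walk(qname, qtype, start)

    def _walk(self, qname, qtype, server_names):
        for _ in range(8):                      # bound the referral chain
            server = next((self.servers[n] for n in server_names
                           if n in self.servers and self.servers[n].online), None)
            if server is None:
                raise TimeoutError(f"no server in {server_names} answered")
            kind, owner, rdata, ttl = server.query(qname, qtype)
            self.trace.append(f"{server.name}: {kind} {owner}")
            if kind == "ANSWER":
                self._store(owner, qtype, rdata, ttl)
                return rdata
            if kind == "NXDOMAIN":
                return None
            self._store(owner, "NS", rdata, ttl)  # cache the delegation as well
            server_names = rdata
        raise RuntimeError("referral chain too long")


def build_servers():
    """Constructed zones; only the www address, the uu.net NS names and the
    21600 s TTL are taken from the nslookup output in the thread."""
    auth_records = {
        ("www.extremetech.com", "A"): ("63.111.13.100", 21600),
        ("mail.extremetech.com", "A"): ("192.0.2.25", 21600),   # placeholder host
    }
    servers = [
        Server("root.example", "", {("com", "NS"): (["tld.example"], 172800)}),
        Server("tld.example", "com", {("extremetech.com", "NS"):
               (["auth40.ns.uu.net", "auth62.ns.uu.net"], 21600)}),
        Server("auth40.ns.uu.net", "extremetech.com", auth_records),
        Server("auth62.ns.uu.net", "extremetech.com", auth_records),
    ]
    return {s.name: s for s in servers}


def demo():
    """Cold lookup, then a root outage; returns (answer, trace) per step."""
    now = [0.0]
    r = Resolver(build_servers(), ["root.example"], clock=lambda: now[0])
    out = {"first": (r.resolve("www.extremetech.com"), list(r.trace))}
    r.servers["root.example"].online = False          # the root goes dark
    now[0] += 3600                                    # one hour into the attack
    out["during_same_name"] = (r.resolve("www.extremetech.com"), list(r.trace))
    out["during_sibling"] = (r.resolve("mail.extremetech.com"), list(r.trace))
    now[0] += 21600                                   # A and zone NS TTLs expired
    out["after_a_expiry"] = (r.resolve("www.extremetech.com"), list(r.trace))
    now[0] += 172800                                  # now the .com delegation too
    try:
        r.resolve("www.extremetech.com")
        out["after_ns_expiry"] = "resolved"
    except TimeoutError as e:
        out["after_ns_expiry"] = f"failed: {e}"
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

The trace for each step is the point: the first lookup touches root, TLD and authoritative in turn; during the outage the same name is a pure cache hit and a sibling host starts from the cached extremetech.com NS set; once the 6-hour records lapse the resolver still needs no root because the longer-lived ".com" delegation is cached; only when every cached delegation has expired does the root outage turn into a failed lookup. That is the CNN figure in miniature: a root query is the exception, not the rule, and an hour-long flood is shorter than almost every TTL on the path.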
 

Registered member, 1,393 Posts:
From CNN.com

The attack failed to disrupt service because the data on the 13 key servers is replicated tens of thousands of times by Internet service providers and other computers around the world.

Only a small fraction of such requests -- as low as 6 percent by some estimates -- ever hit the 13 systems. Many of them are for domains that don't exist, misconfigured queries or seldom-visited sites, Balakrishnan said.
http://www.cnn.com/2002/TECH/internet/10/23/net.attack/index.html
 