Preventing Future Attacks: Alternatives In DNS Security Management - Part I

The October 21 DDoS attacks against the 13 root name servers that hold the master domain list for the Internet’s Domain Name System (DNS) (which reportedly took 9 of the 13 servers offline) remain a clear and daunting reminder of the vulnerabilities associated with online security. Many DNS authorities have called this most recent hit the largest DDoS attack ever mounted against the root server system. Chris Morrow, network security engineer for UUNET, the service provider for two of the world’s 13 root servers, recently told The Washington Post that, “This is probably the most concerted attack against the Internet infrastructure that we’ve seen.” Although the attack lasted only approximately an hour and end users were not affected, it still provides an opportunity to bring heightened awareness to DNS management best practices, ensuring that Internet security isn’t impaired by oversight. Morrow also added that, “This could be someone just messing around, but it could also be something more serious. It’s too soon to say. Obviously, the prevalence of the attacks does make it important to have increased focus on the need for security and stability of the Internet.”

It is also important to underscore that attacks of this nature and magnitude often act as a stimulus for improvement and change. It is paramount for managers of DNS name servers not only to take notice of the severity of the recent DDoS attack, but also to look at the other vulnerabilities associated with the Domain Name System. By critically analyzing the DNS system itself and the recent security threats, we are, in effect, searching for best practices and putting the Internet in a better position to fend off future attacks. Why should we act proactively rather than reactively? What are the problems with DNS? Where is improvement needed in DNS system security? Read on.

What was different this time?

Large-scale DDoS attacks are nothing new. A serious problem occurred in July of 1997, when Internet traffic came to a halt after experts transferred a garbled directory list to seven root servers and failed to correct the problem. In early 2000, a coordinated series of attacks crippled numerous high-traffic sites, including Microsoft, Yahoo, CNN.com, and ZDNet. More recently, in the wake of last year’s September 11 attacks, the Internet Corporation for Assigned Names and Numbers (ICANN) devoted its 2001 annual meeting to a discussion of computer security, underscoring the increased need to focus on this problem. An International Data Group (IDG) report summed up the concern held by both government and business, stating that “security experts warn that future attacks could target businesses’ computer networks, destroying critical information or knocking them offline and striking a further blow to the U.S. economy.” In light of the most recent DDoS attacks, this concern is stronger than ever.

“It is clear that a stunning number of companies have serious DNS configuration problems which can lead to failure at any time,” states Cricket Liu, DNS specialist and author of the O’Reilly & Associates Nutshell Handbook ‘DNS and BIND’. “It’s unfortunately widely known that DNS health on a global scale is poor. Anyone doing business on the Internet needs to take DNS outages seriously.”

Indeed, Liu’s comments should be taken into thoughtful consideration as numerous media reports highlight that the attack was the “largest ever”. In an interview with CNET, Paul Vixie, Chairman of the Internet Software Consortium (ISC) noted that, “There have been previous attacks against the root domain servers - yes. But it is rare to have attacks against all 13 at the same time.”

The problem with DNS

It is well known that one of the most vulnerable online targets is the DNS server. Nearly every online function, from e-mailing and purchasing to simply typing a Web address into a browser, requires a functioning DNS. Although a hierarchy of thousands of DNS servers makes up the backbone of the Internet, the DNS server is also the Internet’s largest security weakness. Like many other protocols on which the Internet depends, the DNS was designed years ago and has some inherent weaknesses that are well known in the security underground. Hackers targeting DNS servers have caused outages or breaches at Microsoft, Yahoo, the FBI and numerous other high-profile corporate and government sites (not to mention the possibility of thousands of undetected attacks).

The reason? 90% of DNS servers run open-source software known as BIND. Patrick Thibodeau, reporting on last year’s ICANN security meeting, said, “Some of the vulnerabilities potentially affecting the domain name system include its heavy reliance on Berkeley Internet Name Domain (BIND) software, which is freely distributed by the Internet Software Consortium.” With the source code to BIND readily available, malicious hackers can inspect the code and pinpoint vulnerabilities. Once a DNS server is breached, hackers have access to the contents of the entire network. “Virtually all the name server software is derived from one code base, BIND, which has since been rewritten to two code bases,” said Steven Bellovin of AT&T Corp. “That’s not a lot. If there were a fatal flaw in the two main implementations of BIND, we would lose all 13 [root] name servers to just two bugs. That’s not a comforting thought.”
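The monoculture concern raised above, one implementation behind nearly every name server and a whole delegation two bugs away from disappearing, can be checked for any zone you operate. The following is an added example, not code from the article or from any DNS project; it assumes a constructed inventory of a hypothetical zone's authoritative servers, with made-up hostnames, addresses, software names and AS numbers, and flags the single points of failure a defender would want removed:

```python
from collections import Counter

# Constructed inventory for a hypothetical zone: hostnames, addresses, software
# labels and AS numbers are all made up for this example. A real inventory would
# be built from the zone's NS records plus the operator's own asset records.
SERVERS = [
    {"host": "ns1.example.test", "ip": "192.0.2.10",   "software": "BIND", "asn": 64500},
    {"host": "ns2.example.test", "ip": "192.0.2.11",   "software": "BIND", "asn": 64500},
    {"host": "ns3.example.test", "ip": "198.51.100.5", "software": "BIND", "asn": 64501},
]

def survivors_if_flawed(servers, software):
    """Hosts that stay authoritative if `software` has a fatal, remotely triggered bug."""
    return [s["host"] for s in servers if s["software"] != software]

def diversity_report(servers):
    """Summarise single points of failure in a delegation.

    Flags a delegation in which every server runs one implementation (one bug
    removes the whole zone), every server sits in one network (one flood or
    outage removes it), or fewer than two servers exist at all.
    """
    by_software = Counter(s["software"] for s in servers)
    by_asn = Counter(s["asn"] for s in servers)
    return {
        "implementations": dict(by_software),
        "networks": dict(by_asn),
        "single_implementation": len(by_software) == 1,
        "single_network": len(by_asn) == 1,
        "too_few_servers": len(servers) < 2,
        # For each implementation, what remains if it had to be taken offline.
        "survivors": {sw: survivors_if_flawed(servers, sw) for sw in by_software},
    }

if __name__ == "__main__":
    for key, value in diversity_report(SERVERS).items():
        print(f"{key}: {value}")
```

Run against the constructed inventory, the report shows that a single BIND flaw would leave no surviving server; replacing one server with a second implementation is what turns the `survivors` list non-empty.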

In response to the recent DDoS attacks, Ted Julian, chief strategist at Arbor Networks, a Waltham, Mass., company that sells anti-DDoS solutions, pointed out to eWEEK that, “If the Internet is going to work, it needs to be open, but that openness leads to problems. The Internet is based on protocols that were designed a long time ago, and whether it’s a compromise of the protocol itself or a compromise of the design of the system, these [DDoS] attacks represent the greatest threat we have.”

It is clear that most experts admit there are weaknesses in the backbone of the Internet. DNS security becomes even more critical as the magnitude of such attacks increases. Are there DNS management alternatives that can act as buffers against such attacks? Are there best practices that go hand in hand with those alternatives? Are there preventative DNS security measures? Look for the November 20 issue of CircleID, where I will attempt to address these critical DNS issues in Part II of this article.

By Patricia Steadman, CEO and Co-founder
