On the morning of February 2, 2007, someone launched a distributed denial-of-service attack on Domain Name Service (DNS) servers worldwide, temporarily shutting down 2 of the 13 global databases. However, the Internet, which relies upon a hierarchy of DNS servers to resolve common name addresses (such as CNET.com) into a numerical IP address, was in no great danger. A previous attack in October 2002 managed to shut down most of the 13 servers for a few hours and produced little effect. There is great redundancy built into the system; common requests (such as Google.com) are cached on local DNS servers, so the loss of the main 13 DNS servers would not be felt for a few days--and so far, no one has managed to pull off a sustained denial-of-service attack against the DNS servers. Plus, since the attack in 2002, ICANN, the administrators, and the DNS system have implemented a new technology, Anycast, which further buttresses the DNS system. Now, roughly a month after the attack, ICAAN is suggesting that the attack wasn't just malicious; it was a sales pitch. A sales pitch for a fairly large botnet.
The root servers for the DNS system (lettered A though M) contain pointers to all top-level domains such as .com, .org, or .info. The root servers are not one physical server, per se, but several servers, so that while some servers know all the addresses related to .com, another server has another top-level domain, and so on. The February 2007 attack crippled a DNS server responsible for the various top-level domains in the United Kingdom; the other crippled a server that handled U.S. government domains.
ICAAN is suggesting that the attack wasn't just malicious; it was a sales pitch. A sales pitch for a fairly large botnet.
Of the 13 root servers, a majority are located within the United States, with 4 in California. There is great redundancy within the root-level system, such that if only one of the 13 was up and running, the Internet would continue to function as we know it today. In October 2002, 9 of the 13 were hit with a massive denial-of-service attack. It was after that attack that ICANN, the agency that administers the DNS system, started putting in a technology called Anycast, which distributes signals so that servers anywhere in the world can act as though they are in the same physical space. The February 2007 attack proved the worthiness of Anycast (with most of the six targeted servers withstanding the attack), and it will now be rolled out to all the root servers. The advantage with Anycast is if something were to happen at one of the root servers, for instance an earthquake in California, Anycast could redistribute the queries for IP addresses to other servers around the world, without the world knowing.
The February 2007 attack
ICAAN says that starting at 4 a.m. PST (12:00 UTC) on February 6, 2007, a massive distributed denial-of-service attack hit six of the root servers like a brick wall, with a wave of bogus queries hitting the root servers at the rate of 1GB per second. Two of the root servers were immediately and severely compromised; four fared well under the strain. According to ICAAN, the amount of data sent to the DNS root servers during the attack was roughly equivalent to receiving 13,000 e-mails every second, or 1.5 million every two minutes.
With a record number of back-door Trojans active on the Internet today, some computers are owned not once but several times over by rival botnets.
Analysis has shown that most of the traffic associated with this attack came from South Korea, but security researchers are quick to caution that South Korea is one of the most wired nations on earth, with more high-speed, broadband-enabled computers per capita than most nations. Further investigation suggests that the zombies in South Korea, and the Asia-Pacific region, might have been under control from someone in Germany.
To create such a massive denial-of-service attack, that 1GB-per-second traffic, you'll need a dedicated army of slaves or zombie PCs. To enslave a remote PC, one need only infect it with a Trojan horse. A trip to a compromised Web site can result in such an infection, as can the more traditional approach of opening an e-mail with a malicious file attachment. With a record number of back-door Trojans active on the Internet today, some computers are owned not once, but several times over by rival botnets.
And Security experts predict the botnet pandemic will get worse before it gets better.
Researchers are now seeing a move away from the traditional botnet management tools of Internet Relay Chat. At Black Hat DC, veteran security researcher Jose Nazario of Arbor Networks says he's seeing increased use of HTTP and the deployment of peer-to-peer botnets. What this means for those stalking the bad guys is that botnets are going underground, and we can't eavesdrop on their communications or their sets of commands. Where IRC traffic can be spotted, monitored, and stopped, HTTP traffic or direct communication among botnets is much more difficult or even impossible to detect.
Currently, the Trojan Nugache, which Arbor Networks has linked to 20,000 to 100,000 zombie PCs worldwide, is using both peer-to-peer connections and encrypting those communications. Nazario wrote in his summary, "What this means to botnet monitoring I'm not entirely sure, but we knew this day was coming."
Botnets for sale
Indeed, we're seen a steady evolution in botnets within the last eighteen months or so. A year ago I wrote about Jeanson James Ancheta, a then-20-year-old Downey, California, resident, who was arrested for leasing out a botnet to others that linked to a denial-of-service attack. It may have been that denial-of-service attack against King Pauo Electronic Company and Sanyo Electric Software Company that led U.S. federal authorities to Ancheta's activities, which included using botnets to derive income from various pay-per-client services. In retrospect, that's all small stuff.
If someone did use the attack on the Internet's core DNS servers as a demonstration, then imagine what else could be done with a network of dedicated zombies producing traffic of 1GB per second on a lesser target. And what if the demonstration was scaled back, not the full potential, just a sample?
What can you do?
Unfortunately, there are a lot more unprotected computers on the Internet than those sitting at home; there are machines in offices and universities that are outward facing, outside the firewall, that also are contributing to the botnet problem. Still, it would help if everyone took the time to secure his or her own computer and laptop with a firewall and antivirus/antispyware protection (an Internet Security Suite does the trick).
Whether you agree or not with the idea of paying someone to protect your PC, the danger is there nonetheless. I find it just easier to have an Internet security suite installed than monitor my own system registry. What can be done about botnets? What should be done about botnets? TalkBack to me.