To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,39166293,00.htm

Why DDos attack didn't bring down the net
Icann reveals tech that saved the servers...

By Joris Evers

Published: Monday 12 March 2007

An attack in early February on key parts of the backbone of the internet had little effect thanks to new protection technology, according to a report.

The distributed denial of service attack on the Domain Name System (DNS) proved the effectiveness of the Anycast load-balancing system, the Internet Corporation for Assigned Names and Numbers (Icann) said in a document published last week. Icann regulates internet domain name and address registration and operates one of the main so-called root DNS servers.

According to the document: "The internet sustained a significant distributed denial of service attack, originating from the Asia-Pacific region but stood up to it." It attributed the internet's fortitude to Anycast's routing of traffic to the nearest server.

During the attack, which lasted almost eight hours, six of the 13 root servers that form the foundation of the net's DNS were targeted, Icann said. However, only two were noticeably affected. These two did not have Anycast installed because the technology was still being tested, it added.

It said: "With the Anycast technology apparently proven, it is likely that the remaining roots - D, E, G, H and L - will move over soon." The letters refer to the five of the 13 official root DNS servers that do not yet have Anycast installed.

The root DNS servers sit at the top of the DNS hierarchy and only get queried if other DNS servers, like those at an ISP, don't have the right address for a specific website. The 13 root servers are spread out across the globe and are represented by physical servers in more than 100 places geographically.

Anycast was developed after a similar denial of service attack hit the DNS root in 2002. That attack managed to swamp nine of the 13 root servers. Icann said: "The internet continued to run but it was a wake-up call for the root server operators," who set out to develop Anycast.

If the DNS system goes down, websites would be unreachable and email undeliverable. But DNS is built to be resilient and attacks on the system are rare.

Icann has yet to determine the exact techniques used in the February attack. The incident will be discussed at a meeting of DNS root server operators later this month, the organisation said.

Joris Evers writes for CNET News.com