Internet Attacked! (Did Anyone Notice?)

Tuesday marked the fourth anniversary of "Safer Internet Day," a 40-country effort to raise awareness about computer and Internet security. But the day probably didn't feel too safe for the dozens of unheralded technologists responsible for defending the World Wide Web against one of the most concerted attacks against the Internet's core since a similar assault in 2002.

Details about the sources, size and methods used in the attack are still trickling in, but like the celebration of Safer Internet Day, it's not clear that anyone using the Web at the time even took notice. That's largely a good thing, and I'll explain why later in this post.

At around 7 p.m. ET on Monday, three of the Internet's 13 "root servers" -- the computers that provide the primary roadmap for nearly all Internet communications -- came under heavy and sustained attack from a fairly massive, remote-controlled network of zombie computers. These are machines infected surreptitiously with programs that allow criminals to control them remotely. The zombies were programmed to try to overwhelm several of the root servers with massive amounts of traffic.

Among the apparent targets was a root server controlled by the Department of Defense Network Information Center. There is also evidence to suggest the attackers targeted the servers responsible for managing the stability of the ".uk" and ".org" domains.

A number of technologists I spoke with who helped defend against the attack said it's too early to say definitively where the attack came from, but this perspective from an operator responsible for maintaining one of the root servers suggests that South Korea, China and the United States were the biggest sources of computers used in the attack. (The initial analysis suggests that 13 percent of machines involved in the attack were located here in San Francisco, the site of the RSA Security Conference, from which I'm currently blogging.)

In the news coverage so far, theories about the motives behind the attack varied widely, from speculation that it was just hacker mischief to notions that it was cooked up by curious criminals bent on testing their ability to extort the many wealthy and powerful interests that rely on a functioning Internet.

The truth is that no one but the attackers knows the true reason. Paul Levins, vice president of the Internet Corporation for Assigned Names and Numbers (ICANN) -- the entity charged with, among other tasks, coordinating responses among root server providers in such attacks -- said it would likely be at least a week before the more meaningful facts come out.

"This is a fact-based community, and we're waiting for the facts to come in after the analysis before we can make committed statements about what the origins were, and its intended targets," Levins said.

This attack highlights a couple of important but often overlooked points, one dark and troubling, and the other somewhat more hopeful. First, the tools and resources used by organized cyber criminals -- namely hacked personal computers that can be remotely controlled by attackers -- are so abundant that they've become virtually disposable. Experts estimate that at any given time there are tens of millions of hacked personal computers that are used in attacks or, more commonly, in sending spam and hosting phishing Web sites.

On the other hand, the fact that there is scant evidence that anyone surfing the Web at the time of the attack even noticed is testament to the resiliency of the global Internet infrastructure, as well as to the swift action on the part of the technologists and experts charged with maintaining the network most of us have come to take for granted.

Not that you can ever have enough security and capacity to handle these types of attacks. The various organizations that operate the 13 root servers are constantly upgrading bits and pieces of their systems to make them more robust and resilient, and one root-server operator -- Verisign Inc. -- is announcing Thursday that it plans to spend $100 million over the next three years to achieve a tenfold increase in its capacity to handle Internet traffic requests.

By Brian Krebs  |  February 8, 2007; 12:05 AM ET
Categories:  Latest Warnings  

Comments

Everything seemed slower to me, that is for sure & I wasn't even getting much spam, let alone normal emails, so I was wondering & I did get an email from dyndns.org about their servers coming under a heavy DDOS attack, but you seem to be the first person to actually write an article about it. I searched Google news and came up with **nothing** previously to this article, thanks for writing it.

Posted by: anima topia | February 8, 2007 1:04 AM | Report abuse

Things did seem a bit slower and I too could not get into a server but for the most part things seemed okay. Maybe if I was on a slower connection it would have been a different story.

Posted by: E | February 8, 2007 1:19 AM | Report abuse

I didn't notice, but I can tell you that I certainly do appreciate the work these admins do for us all! Especially when I want nothing to do with networking. Eric Swanson (http://www.ericis.com)

Posted by: Eric Swanson | February 8, 2007 1:32 AM | Report abuse

Things did seem to be a bit slower, Augusta, GA.

Posted by: chuck stewart | February 8, 2007 2:15 AM | Report abuse

Some of our corporate clients have noticed it and called with questions, although most home users were not affected much (if at all).

Vlad Mayzel, Operations Manager
604-GET-HELP On-Site Computer Services
http://www.604-GET-HELP.com

Posted by: Vlad Mayzel | February 8, 2007 2:51 AM | Report abuse

Ha Ha, seemple ahmareekuhns, we have set you us up teh bm0b, h4x h4x h4x, CATS: ha ha ha

Posted by: Kim Jong iLL | February 8, 2007 2:56 AM | Report abuse

I noticed this while browsing Youtube. It took absolutely FOREVER to load youtube pages even though I get 300kb+ up/download speeds. Obviously someone has absolutely no life.

Posted by: Chris | February 8, 2007 5:43 AM | Report abuse

There was definitely a noticeable problem. Go ask anyone using v-hosting for multiple domain names, it was a bit frustrating trying to figure out why most domain names resolved while a few did not. Overall though, I agree it could have been much worse. 3 cheers for those net admins, I am sure it was frustrating for them.

Posted by: JimBob | February 8, 2007 7:06 AM | Report abuse

Internet is slow now. Are we under attack again?
Youtube is always sluggish lately.

Posted by: Mr Tang | February 8, 2007 7:11 AM | Report abuse

Is the internet under attack again?

Posted by: What's Going On? | February 8, 2007 7:17 AM | Report abuse

"Experts estimate that at any given time there are tens of millions of hacked personal computers that are used in attacks or, more commonly, in sending spam and hosting phishing Web sites."

Is there a simple way to determine if your computer is being used in such an attack? Is there an easy way to prevent it from happening to your computer?

Posted by: protection? | February 8, 2007 7:19 AM | Report abuse

For a free program to check against spyware you can download AVG Anti spyware or Ad-ware from Lavasoft.

Posted by: Volcanus | February 8, 2007 7:40 AM | Report abuse

I definitely noticed - I couldn't access one of my internet based programs for work for several hours. Our tech support told us about the attack, but this is the first media article I've seen.

Posted by: Jshaden | February 8, 2007 8:02 AM | Report abuse

I maintain a number of websites and I was acutely aware of the slowdown on Tuesday, although I had no way of knowing whether the problem was local at my ISP or more widespread. I had to upload a massive amount of data to one of my servers on the .org domain and my transfer speed was cut by over 80% of its normal rate. Also, I was getting frequent timeouts on various websites I tried to browse that day. Things were back to normal yesterday, however. I wish they could catch these hackers and tie them up by their thumbs. By the way, spyware is only a small part of the problem. Most of these zombies run through rootkits, which are more difficult to detect or remove than either spyware or viruses/worms/trojans. Several companies including AVG make free rootkit detection software, and you can obtain them through majorgeeks, at the URL you would naturally presume for something called majorgeeks.

Posted by: Woody Smith | February 8, 2007 8:35 AM | Report abuse

I could not access a few sites like MSN & Google, but Yahoo was OK. I was wondering what happened; I thought my ISP was blocking them.

Posted by: alig | February 8, 2007 9:19 AM | Report abuse

There should be the most extreme penalties for orchestrating 'internet terrorism'. The players know that nothing will result and if anything they will most likely profit. Sad but true.

Posted by: DJD | February 8, 2007 9:28 AM | Report abuse

It's now Thursday and Internet access is still very sluggish. Both email and web browsing time out or take a long time to respond.

Posted by: ABS | February 8, 2007 9:42 AM | Report abuse

"initial analysis suggest that 13 percent of machines involved in the attack were located here in San Francisco, the site of the RSA Security Conference,"

Are you suggesting the public-access full-admin RSA Conference machines were part of the attacking botnet? Too funny.

Posted by: PhunKey | February 8, 2007 9:48 AM | Report abuse

One nit. They defended _The Internet_, not _The World Wide Web_.

The Web runs as a distributed application (as it were) on The Internet.

Posted by: Lonebear | February 8, 2007 10:08 AM | Report abuse

I couldn't tell the difference. I'm always on the internet and I couldn't tell.

Posted by: Raven_Eyes | February 8, 2007 10:36 AM | Report abuse

I noticed a slowdown most of the day, Central Standard Time, and email was so slow that I went to a broadband forum to see if there was a local cause. There was no mention of slowdown there. In view of today's knowledge of the attack, that seems strange, for everybody's email probably slowed down, at least in my area.

Posted by: Jon Rutherford | February 8, 2007 10:51 AM | Report abuse

This isn't the only report of the attack.
There's another one on Google News.
Anyways, yeah, I did notice A LOT of the speeds. My normal rates are 500K-1MB and the frigging thing went to 34.5K. I was aarrg. But yeah, YouTube is sluggish lately.

Posted by: suicide silence | February 8, 2007 10:55 AM | Report abuse

For those of you complaining of download speed problems:

This attack wouldn't have affected your download speeds. What it does affect is the ability to contact and resolve domain names into IP addresses. What you should have noticed is a great deal of 'time outs' when contacting web pages. The fact that 'Youtube is slow on my 3MB line' or 'my email was slow' is an unrelated problem although some speed problems could be attributed to it.

The reason why you wouldn't notice much of a problem is because most ISPs, from the national backbones to the local level (even your PC), maintain a 'cache' of DNS entries. For example, let's say you want to go to www.google.com. You type the address in your browser and hit enter. The first thing that happens is your computer checks its local cache; if it doesn't have the IP address, it forwards the request to your ISP (or router if it caches) and so on and so on until it gets an answer. It's estimated that on a daily basis only 3-5% of requests actually make it to the root servers. However, when a top-level cache doesn't have the answer for a DNS request, it must look to the root servers to get it. So newer websites, moved servers, and viewing a page that no-one in your area has before, can create a request that actually makes it to the root server. This whole system is called a Forward Looking DNS and this, combined with Proxy-Caches, makes the internet extremely robust and resilient as it is.

I would really like to see a map put together of the traffic flow for that day and compare it to a normal business day. I bet those Admins could find where the bottlenecks are and improve on the system even more.

-Mike Jankowski
IT Consultant
mjank@mjankowski.com

Posted by: Mike Jankowski | February 8, 2007 11:25 AM | Report abuse

One easy way to check if your computer is participating in a bot attack is to look at the lights on your router or the modem. If they are constantly flashing, while you know that you are not downloading/uploading anything, it could be that your computer is sending data to the target of an attack. But of course, with so many auto-update apps it is difficult to distinguish good traffic from bad just from looking at the LEDs.

Posted by: Anton | February 8, 2007 11:43 AM | Report abuse

Local internet speeds vary on any given day and for a variety of reasons. Chances are any speed decrease that you experienced the other day was for a reason other than the failed "attack on the internet." I personally did not notice any difference.

and there have literally been hundreds of news reports on this issue since right when the story broke.

Posted by: Anonymous | February 8, 2007 11:43 AM | Report abuse

The impact that some have claimed to witness was not related to the DNS attacks. The transmission speed is independent of the functioning of the root servers. And, because so many of us visit the same sites the DNS records of those sites are cached at many different levels (locally, in your home/work router and by your ISP). For most sites it would take more than 24 hours of complete inoperability of all DNS before users would notice. For less popular sites the effect would have been more immediate. So, if you had trouble visiting a popular site like Yahoo, Google or YouTube, it wasn't because the DNS servers were having issues.

Also, I have yet to see any evidence that the DNS servers were the target. If this was a reflective attack using openly recursive DNS servers then the TLD and root servers would have seen a dramatic increase in traffic even though they weren't directly targeted. This was the case with the attacks that happened last January/February.

Posted by: BobBob | February 8, 2007 11:52 AM | Report abuse
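
Added example, not part of the original post or of any comment: a simplified Python model of the layered caching described in the comments by Mike Jankowski and BobBob above, showing why a root-server outage only affects names under a TLD whose referral the resolver has not already cached. The TTL values, the host names under example.* and the one-query-per-minute stream are constructed assumptions, and TLD and authoritative servers are assumed to stay reachable.

```python
"""Toy model of a caching recursive resolver during a root-server outage.

Constructed example: every name, TTL and traffic pattern below is an assumption.
"""

ROOT_REFERRAL_TTL = 172800  # assumed two-day TTL on a TLD referral learned from a root server
ANSWER_TTL = 300            # assumed five-minute TTL on a final address record


class Resolver:
    def __init__(self):
        self.tld_cache = {}     # TLD -> time at which the cached root referral expires
        self.answer_cache = {}  # full name -> time at which the cached answer expires
        self.root_queries = 0   # lookups that had to go all the way to a root server
        self.failures = 0       # lookups that needed the root while it was unreachable
        self.total = 0

    def resolve(self, name, now, root_up=True):
        """Return where the answer came from: 'cache', 'tld', 'root' or 'SERVFAIL'."""
        self.total += 1
        if self.answer_cache.get(name, 0) > now:
            return "cache"                      # answered locally, nothing leaves the resolver
        tld = name.rsplit(".", 1)[-1]
        if self.tld_cache.get(tld, 0) > now:
            source = "tld"                      # referral still cached, root not consulted
        elif not root_up:
            self.failures += 1                  # only this path is hurt by a root outage
            return "SERVFAIL"
        else:
            self.root_queries += 1
            self.tld_cache[tld] = now + ROOT_REFERRAL_TTL
            source = "root"
        self.answer_cache[name] = now + ANSWER_TTL
        return source


def run_scenario():
    """Six hours of constructed traffic; roots unreachable from hour 2 to hour 4."""
    resolver = Resolver()
    popular = ["www.google.com", "www.yahoo.com", "www.example.org", "mail.example.com"]
    results = []
    for minute in range(360):
        now = minute * 60
        root_up = not (120 <= minute < 240)
        name = popular[minute % len(popular)]
        results.append((now, name, resolver.resolve(name, now, root_up)))
        if minute == 180:
            # First-ever lookup under a TLD nobody has asked for yet, mid-outage.
            rare = "www.example.museum"
            results.append((now, rare, resolver.resolve(rare, now, root_up)))
    return resolver, results


def root_share(resolver):
    """Fraction of all client lookups that reached a root server."""
    return resolver.root_queries / resolver.total


if __name__ == "__main__":
    r, log = run_scenario()
    print("lookups:", r.total, "reached root:", r.root_queries, "failed:", r.failures)
    print("share reaching root: %.2f%%" % (100 * root_share(r)))
    for entry in log:
        if entry[2] == "SERVFAIL":
            print("failed during outage:", entry)
```

In this model the two-hour outage produces exactly one failure, the lookup under the uncached TLD, which matches the pattern several commenters report of most names resolving while a few did not.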

is it illegal to attack the internet idk but seems pretty odd to do and what were they after and why plus wtf would happen if they won the battle for the internet

Posted by: chris anders | February 8, 2007 11:54 AM | Report abuse

That is really a bad step. Why do people do that? Why do they try to hack and attack servers and PCs and others?
Why
Why

Posted by: Razashah | February 8, 2007 12:34 PM | Report abuse

I didn't notice anything. Except now that I read this and think about it, at some point in the last few days my e-mail spam dropped from 6-14/day to about 1-2 a day. I'm not sure if it could be related in any way.

Posted by: Chris L | February 8, 2007 12:37 PM | Report abuse

I noticed an interruption of my internet service at about 1:00 AM EST last night. I don't know if it was a coincidence or not.

Posted by: Anon | February 8, 2007 12:55 PM | Report abuse

Regarding the DNS, I noticed that some odd websites (not surfed usually) take forever to download or show "cannot be resolved", though common websites like Google and Yahoo are no problem. This might be linked to DNS issues.

Posted by: rs | February 8, 2007 12:58 PM | Report abuse

Wow, big mystery! Set up a day claiming to bolster internet security and (gasp) hackers choose that day to make an attack.
By the way, there are about 20 different reasons why internet traffic could slow down and *none* of them have to do with any malicious activities.

And Bobbob...yes, attacking the internet is illegal. The internet police will knock on your door and arrest you. They will take you to the internet detention centre where you will be tried for willful ignorance.

Posted by: P | February 8, 2007 1:09 PM | Report abuse

I use Firefox and the only thing I noticed was that there were a lot of warning pages of the 'server can't find this site' type thing. I probably missed the worst of it though, because I work nights (not at a computer) and sleep most of the day and only get on line like around six pm til say ten GMT.
And I'd just like to take this chance to thank all those working out there to keep us innocent Net surfers safe from the worst harm, Mr Krebs included.

Posted by: Sarah | February 8, 2007 1:14 PM | Report abuse

Yeah, I noticed the same thing Wednesday with my DSL ISP. I thought at first it was the ISP - but after getting hacked off at the ignorance of my ISP's tech support, I discovered that it was the DNS servers having issues, that once I was routed to the actual site, things ran fine. Just waited for a long time for the DNS to get me there.

Posted by: EagleEye69 | February 8, 2007 1:40 PM | Report abuse

I saw the story on Lifehacker yesterday, and they got it from cnet.

I'd like to know if the D root server was hit since I go to Maryland, and work for their IT department, and haven't heard anything yet.

By the by, if you don't know what a root server is, you might want to check out the wikipedia article: http://en.wikipedia.org/wiki/DNS_root_server

Posted by: emma | February 8, 2007 1:46 PM | Report abuse

I was wondering why my online game, Diablo II Lord of Destruction, kept lagging me out. It really puts me at a huge disadvantage when I think I am killing evil monsters or picking up rare amulets, only to find out that the server lagged out 10 minutes prior and I have been killed and lost my loot. I can't wait until Verisign and whoever else improves things. Keep up the good work! Back to left-click monster cleansing :)

Posted by: Sean | February 8, 2007 2:08 PM | Report abuse

I didn't really notice anything. Only one wiki site that I frequent would not respond (all of the other sites I frequent worked fine).

Posted by: bob | February 8, 2007 2:22 PM | Report abuse

Problem I had was w/ e-mail. Took a long time to access 'web-mail', & then couldn't open anything. Is this related to this attack?

Posted by: Ed J | February 8, 2007 2:34 PM | Report abuse

Internet under attack?!?

That is like saying that there are birds in the sky right now somewhere - amazing, isn't it?

The internet is almost always under some kind of attack - this one was just a little bigger than most :)

Posted by: Adam | February 8, 2007 5:20 PM | Report abuse

Hey, you guys need to STFU! If you don't like it then leave the internet! STFU!

Posted by: jonny rocket | February 8, 2007 6:32 PM | Report abuse

I run a small recruitment company in Sydney, Australia. Our servers were hacked and our email servers came to a standstill. When we got in at 8.30am there were over 100,000 emails in the queue, which stopped all the consultants working. Could this have been related? Could anyone give me any insight, as this stopped work for a whole day and it took us a whole day to recover?

Posted by: Quamy Dean | February 8, 2007 6:37 PM | Report abuse

Here from Brazil, and other Latin American countries as well, most .com and European sites were not available for days. Even sites like Google and Hotmail could not be accessed. Impressive..

Posted by: David Lima | February 8, 2007 6:45 PM | Report abuse

re: millions of computers rendered into zombies...

Three thoughts: 1) The Dept of Homeland Security and other interested organizations really must put out more public service announcements about PC security. For most of the general public, "zombies" are only in horror films and using the term "bot-nets" is like speaking Greek.

2) Computer makers and OS publishers need to do a better job of securing computers and their software from such abuse. I know that a particular operating system is a *huge* target and is also patched frequently. Continued innovation on security and recovery mechanisms is a must, though.

3) End-users and server admins need to take greater responsibility for the computers under their care. Just as a person must maintain other mechanical devices in order to keep them from being a public hazard, so too should computers undergo a regular maintenance routine. Yep. I am aware of the costs involved with increased computer maintenance and literacy, but I'd prefer resources be allocated towards bringing the population up into a more educated state rather than see an investment into well-battered defenses that are subject to massive attacks by ever-increasing numbers and processing power.

The bottom line: let's take away the attackers' tools.

Posted by: C.B. | February 8, 2007 6:55 PM | Report abuse

http://www.internethealthreport.com

You can see where high traffic is present at any moment.

Posted by: Woodrow | February 8, 2007 7:09 PM | Report abuse

I was unable to access the server for my computer networking course for about an hour, starting at 12:00 am EST on Tues Feb. 6.

Apparently DNS was the issue since the ip address wouldn't resolve.

I believe all the easy answers regarding internet security have already been implemented. The biggest problem continues to be the naive users that take no interest or responsibility for their personal computer security.

The ISPs are in the best position to monitor for port scanners, botnets, and hackers in general. Privacy and liability concerns seem to prevent them from taking a more proactive approach.

Posted by: Hoku | February 8, 2007 11:59 PM | Report abuse

Many bot computers belong to individuals that do not realize their machine is being used in these attacks. Is it possible to send to the offending originating ip addresses a popup message alerting the operator that that machine is being used for inappropriate purposes and that the owner should check for viruses, etc?

Posted by: Jon | February 9, 2007 11:33 AM | Report abuse

I am really impressed by the mass ignorance and lack of understanding of how things work.

You guys need to get to read some documentation - Internet's primary purpose was to let information circulate fast and easy. So instead of using it to go find girls in your corner/play Diablo/get DVD or whatever, sit on your chair and READ THE MANUAL.

Please Internet users understand that IGNORANCE KILLS.

There are some great knowledge centers like http://wikipedia.org and http://www.tldp.org.
If you try to understand whether your computer is used by someone else by looking at the router's LEDs... well... it's.. hm.. like trying to check if a plate in the oven is ready by smelling it - often it is too late. Your computer may be infected but stay latent, up to the next attack.

Most of the infected computers are using the Windows operating system. Get yourself a linux/Mac and start to learn how to use a computer and what a computer is. YOUR COMPUTER IS NOT A WATER BOILER. It is a not so complicated calculating machine with a huge power that you ignore probably.
When you start to read some documentation you will be amazed by the things you can do with your computer. I blame Windows for that: they intentionally try to make it easy to use. Using a computer nowadays is maybe easier than setting up your TV receiver. And all that easiness KILLS YOUR BRAIN CELLS or makes them FAT and LAZY.

If you are really really infected by the Windows Syndrome (yes this is a syndrome) and in no way you want to change your operating system, then get yourself a free antivirus program and a firewall. Great choices (but not the only ones) are Sygate Personal Firewall and Avast Home edition antivirus. Both pieces of software have a free version.

Please be responsible and don't say "I want just to use my computer and don't want to know how it works" because this is criminal behaviour IMHO.

Start to read and learn how things work.
Cheers

Posted by: Anonymous | February 10, 2007 8:56 AM | Report abuse

I've never seen so many morons say so much about something they know so little about.

Posted by: Dick Schmaltz | February 10, 2007 11:12 AM | Report abuse

I noticed.

Posted by: Rob | February 10, 2007 11:32 AM | Report abuse

In L.A. everything was good as normal.....

Posted by: Burnero | February 10, 2007 11:39 AM | Report abuse

Jon,
>>Is it possible to send to the offending originating ip addresses a popup message alerting the operator that that machine is being used for inappropriate purposes and that the owner should check for viruses, etc?

Yes.
http://groups.google.com/group/news.admin.net-abuse.email/msg/475f0b9cea3b0c5c
http://groups.google.com/group/news.admin.net-abuse.email/msg/a5749c4a3ab9073a

Posted by: Mark Odell | February 10, 2007 2:52 PM | Report abuse

C.B. mentions that major OS companies need to do a better job of updating their security and patches.

doesn't it make sense that with each update, also comes a rootkit revealer / malware detection that would run at boot time? and tell the clueless pc users that they've been compromised? if gibson research can scan me thru a web interface, can't the actual manufacturer install something to raise their users' awareness?

ignorance only enables the malefactors.

Posted by: dopey-o | February 10, 2007 11:36 PM | Report abuse

Hey, could that be a reason why a certain UK cluster server was inaccessible for a period of five hours?

I'd say chances are 50-50 according to how bad that site is for accessibility...

Posted by: Havvy | February 11, 2007 12:52 AM | Report abuse

For future reference (Catch 22 - if you can get to it during an attack):

DNS Name Server Status Summary
> http://www.cymru.com/monitoring/dnssumm/index.html


Posted by: J. Warren | February 11, 2007 3:26 PM | Report abuse

The comments to this entry are closed.

© 2010 The Washington Post Company