FBI: DNS server attacks came from U.S., Korea

The distributed denial of service (DDoS) attacks against 13 of the Internet’s core servers has been traced to computers in the U.S. and Korea, according to statements made by U.S. Federal Bureau of Investigation (FBI) director Robert Mueller.

The FBI director, who made the statements while speaking at a conference in Falls Church, Va., would not elaborate on what information his agency has obtained, saying that the investigation was ongoing.

“I can’t give you a brief on where the investigation has led us,” Mueller said, according to a transcript of his comments provided by the FBI.

The attack, which began on Oct. 21, flooded all 13 of the root servers of the Internet Domain Name System (DNS), a network of computer servers that communicate by matching up Internet domains used by people, such as www.idg.com, with numeric equivalents used by computers. [Please see Net backbone withstands major attack.]

All 13 of the root servers were flooded with Internet traffic using ICMP (Internet Control Message Protocol) at more than 10 times the normal rate of traffic, said Brian O’Shaughnessy, a spokesperson at VeriSign Inc. after the DDoS attack happened. VeriSign manages the “A” and “J” root servers.

Roughly two thirds of those servers were temporarily disabled or severely hampered in serving legitimate user requests by the attack, according to O’Shaugnessy and others. However, four or five of the 13 servers remained online throughout the attack and the majority of Internet users did not experience any interruption in service.

South Korea, along with the U.S. is a frequent source of cyberattacks because of the large number of computer users in that country and the widespread availability of broadband Internet access such as a DSL (digital subscriber lines) or cable modems.

Unlike machines that connect to the Internet using dial-up modems, machines with broadband connections maintain a constant, high-capacity connection to the Internet when they are turned on. As a result, attackers, viruses and e-mail worms can compromise these computers often without the knowledge of the computer’s owner. Those machines then act as “zombies” in a distributed denial of service attack, controlled remotely by the attacker and used to send a steady stream of information packets to the targeted Web site or server.

Allan Paller of the nonprofit SANS Institute Inc. said Friday that investigators may be able to use billing logs from the Internet service providers involved to trace the attacks back to their source.

However, Paller noted that lists of machines that are known to have been compromised by hackers or worms such as Code Red and Nimda are frequently traded on the Internet. Investigations into the source of the Oct. 21 attack will likely lead back to those compromised machines in the U.S., Korea and elsewhere.

From there, the job of identifying the actual perpetrators gets more difficult.

The fact that computers in Korea took part in the attack does not mean that the attackers were Korean, Paller said. Attackers frequently compromise and control such machines from afar using one or more intermediate machines to cover their tracks.

Mueller did not say whether any progress had been made in locating the actual perpetrators behind the attack and an FBI spokesman would not comment on whether the agency is close to identifying the individuals responsible for the DNS attacks.