A year after surviving a massive distributed denial-of-service (DoS) attack, the Internet’s root servers are better fortified against hacker activity, thanks to behind-the-scenes deployment of a routing technique known as Anycast, experts say.
With Anycast, the root server operators have more than doubled the number of server farms available to handle the highest-level DNS queries. This routing technique heightens root server resilience by multiplying the number of servers with the same IP address and balancing the load across an army of geographically dispersed servers.
A handful of the 13 root server operators have begun deploying Anycast since last year’s attack, which didn’t succeed in crashing DNS but rendered several root servers unavailable for legitimate queries. Experts say the deployment of Anycast is making the entire root-server system more resistant to outage.
“More of the root server operators are doing this routing technique, and the DNS is more robust than ever,” says Paul Mockapetris, inventor of the DNS and chairman of DNS software vendor Nominum Inc. “The DNS is more resilient than it was a year ago by a factor of two.”
A reinforced DNS is a boon to enterprise network managers who need a rock-solid root server and DNS system for all of their IP services to function. However, one network executive resists putting much faith in a new DNS technique until it’s been tested under attack.
DNS is “still not as secure as it could be, or should be,” says Stephen Lengel, systems engineering manager at The ServiceMaster Co. in Downers Grove, Ill., which provides heating, cooling, landscaping, pest control and appliance maintenance services, and has about 20,000 users on its network. Despite the use of techniques such as Anycast, no technology is 100 per cent safe from attack, he adds. “It’s usually just a matter of time before someone exploits it or finds a hole in it.”
While distributed DoS attacks have occurred for years, last October’s assault on the Internet’s 13 root servers, which run the master directory for lookups that match domain names with their corresponding IP addresses, served as a wake-up call to the vulnerabilities inherent in the distributed design of DNS. Below the root servers are the servers that support top-level domains such as .com, .net and .org, and below the top-level domain servers are hosts of Web sites.
During a distributed DoS attack, a hacker hijacks machines across the Internet and uses them to send a flood of requests to a server until it becomes overwhelmed and stops functioning.
Last October, the root servers were under a distributed DoS attack for about an hour, causing several servers to stop being available to regular Internet traffic. However, the remaining root servers withstood the attack and ensured that the Internet’s overall performance was not degraded. Nonetheless, this was the most serious hacker attack ever on this key piece of the Internet infrastructure, and it was an eye-opener for the root-server operators.
Without the root servers, the Internet cannot function. Named by the letters A through M, the root servers are operated by U.S. government agencies, universities, nonprofit organizations and companies such as VeriSign Inc. Of the original 13 root servers, 10 are located in the U.S., one in Asia and two in Europe.
With Anycast, the root server operators are replicating these servers around the world. Four of the root-server operators, including the Internet Software Consortium and VeriSign, have mirrored their root servers. There are now 34 locations worldwide with root servers or replicas deployed.
Using this technique, Internet addresses are “more like 800 numbers that get routed to call centres,” Mockapetris says. “There are…more root servers scattered around the network than there used to be. It’s not necessarily that the servers are more available but that the (data is) more distributed.”
As extra root servers are deployed using Anycast, the root server system acquires additional capacity if another distributed DoS attack occurs. DNS experts say the root server system is much better equipped to respond to this type of attack than it was a year ago, because of Anycast and concurrent hardware and software upgrades.
“Trying to attack the root DNS servers is probably one of the most foolish things you can do,” says Daniel Golding, senior consultant with Burton Group. “It’s easy to down a single (Web) site, but with a distributed infrastructure that’s moving to Anycast, it’s just really kind of dumb. It’s not going to be that effective.”
Anycast is a routing technique that announces a particular block of IP addresses can be reached from a number of routers. The technique tells the Internet that queries to that address space should go to the closest available router. The 10-year-old technique is built into IPv6, the next-generation of IP, but this is the first time Anycast has been deployed in the DNS.
“Anycasting is something that had been discussed among all of the root operators for a considerable amount of time, long before the attacks (of last October),” says Ken Silva, vice-president of networks and information security at VeriSign. But after the attacks “was the time to roll it out,” he says.
Starting last November, the Internet Software Consortium began deploying mirrored copies of its F root server around the globe using Anycast. Since then, the consortium has announced mirrored copies of its U.S.-based root server being deployed in Brazil, Canada, Hong Kong, Korea, New Zealand and Spain. Today, the F root server and its replicas are located in 12 sites.
A year ago, VeriSign had a single address space for both its A and J root servers, both of which remained operational during the distributed DoS attack. Since then, VeriSign has acquired new address space for the J root and deployed mirrored copies of it around the globe.
VeriSign this year used Anycast to mirror its J root server in six locations in the U.S. plus London and Amsterdam. VeriSign also has two mobile Anycast sites for its J root, which can reside anywhere within VeriSign’s global network infrastructure if needed.
“We tested Anycast for about a year…to monitor its behaviour,” Silva says. “These are important servers, and we didn’t want to make any rash decisions about deploying it.” Silva says Anycast is working well and hasn’t introduced any major complexities or problems into the Internet.
However, VeriSign has not used Anycast to mirror the A root server that sits in a highly secured facility in Dulles, Va.
“The A root sits on an address block that is shared with other legacy services such as Whois and an InterNIC FTP server, so Anycasting that address block is not a good idea right now,” Silva says. “The A root server has sufficient capacity for now, but we ultimately will Anycast that server” after splitting off the legacy services.
Anycast has many benefits besides protection against distributed DoS attacks. ISPs get faster response times to their root-server lookups because the closest available server handles the queries and the servers are more distributed.
The root-server system is more resilient now because many regions of the world have local root servers that can continue to operate if a major physical connection to the rest of the Internet suffers an outage.
The root-server operators have spent millions of dollars on the hardware, software and engineering expertise required to set up mirrored sites around the globe using Anycast. VeriSign says it has spent US$150 million in the past two and a half years rolling out a more secure and resilient infrastructure for its A and J roots and the .com and .net top-level domains. This investment includes the deployment of Anycast.
“The attacks of October last year didn’t come as a surprise to us,” Silva says. “We feel we were prepared, but now we feel like we need to be prepared for something even bigger.”
