The Feb. 6 DDoS attack on the systems regarded as the backbone of the internet badly damaged two of the web's 13 root servers, but were prevented from causing more damage by Anycast load-balancing technology, according to the Internet Corporation for Assigned Names and Numbers (ICANN).Beginning at 1 a.m. on Feb. 6, the web’s main support system was attacked for 2 1/2 hours, followed hours later by an attack twice that duration. The attack originated somewhere in the Asia-Pacific region, according to an ICANN fact sheet released earlier this month.
Six of the 13 internet root servers were affected by the attack, but the two that were significantly damaged did not have Anycast technology installed, according to the fact sheet, which also cautioned that more analysis is needed before a full report can be released.
The two servers badly damaged by the DDoS attack were the "g-root," run by the U.S. Department of Defense and physically located in Ohio, and the "i-root," operated by ICANN and based in California, according to ICANN.
The web’s 13 root servers are based around the world and are named "A" through "M." In theory, the web can function as long as one of the root servers is running. During an October 2002 DDoS attack, nine of the 13 servers were swamped, according to the ICANN report.
An ICANN representative could not immediately be reached for comment.
Despite its ability to fight off a mass DDoS attack, not all root servers are using Anycast "because if everyone ran the same software on the same operating system, there is the risk that a specific security hole could take down the whole system. Running a wide variety reduces that risk," according to the ICANN report.
The report speculated that the attack could have been carried out for bragging rights.
"The technical challenge associated with bringing down some of the world’s most heavily protected servers is certainly one explanation. The desire to say that you brought down the internet is something that is likely to inspire a small group of individuals," according to the report. "One possible explanation for the root server attacks is that they act as an advertisement for a particular botnet."
Sam Curry, vice president of security management at CA, told SCMagazine.com today that the attack could have come from foreign nationals testing web defenses or a friendly hacker trying to send a warning sign about the web’s security.
"It could be someone who has a national agenda — especially someone with an interest in western economies — who wants to predict how a cyberattack would go, or it could be the good guys wanting to see the same attack," he said. "Either one is possible, although the latter one is less likely."