Enterprises Survive Last Week's DDoS Attack

Symantec security expert sheds light on what last week's DDoS attacks say about a secure Internet.

At approximately 4:00 p.m. Eastern time last Monday, a distributed denial-of-service (DDoS) attack was launched against the 13 root servers that direct worldwide Internet traffic. The servers, which are administered by universities, corporations, private entities and U.S. government agencies, were hit with a barrage of data. The attack on Oct. 21 was snuffed out with little impact on users.

Still, the question remains: What if the attack had been able to disable all 13 servers? What would that scenario mean for the enterprise?

In an attempt to answer some of the questions last week's DDoS attack raises, Security Strategies held a Q&A session with Elias Levy, a researcher with the security response team for Symantec Corp.

SS: What, exactly, happened last Monday night?

Symantec: A number of the root DNS servers were subjected to one or more denial-of-service attacks.

SS: What level of sophistication does someone have to have to be able to initiate an attack on the 13 root servers for the Internet?

Symantec: Launching such an attack does not require much sophistication. All an attacker requires is access to a sufficient number of machines with good network connectivity (high bandwidth). Software to launch the attack is readily available.

SS: Does the relative ineffectiveness of the attack serve as an example of the power of today's security technology or just the simplicity of the attack?

Symantec: Neither. The attacks were mitigated for a number of reasons and in a number of ways. First, there are 13 root DNS servers. A successful attack would have to take down a greater number of them than it did Monday. Two, the people responsible for the root DNS servers responded to the attack to mitigate its impact on the servers they manage. And, third, the fact that intermediate DNS server cache information means that the root DNS servers do not need to be contacted to resolve every DNS query. Thus, even if they became unavailable it may take some time before a query failed.

SS: How savvy in devising an attack would a hacker have to be to actually disable 13 root servers?

Symantec: We would simply require more resources in the form of more computers with better network connectivity. These resources can be readily found given the large number of insecure computers on the Internet.

SS: What would the ramifications have been for the enterprise if the DDoS attack had been able to take the servers down for a lengthy period of time?

Symantec: Disabling the root DNS servers for a significant length of time would result in DNS queries failing. The DNS system maps hostnames to IP addresses. Most users are only aware of hostname. Thus, losing this mapping would mean that most users would not be capable of accessing network resources across the Internet.

About the Author

Matt Migliore is regular contributor to He focuses particularly on Microsoft .NET and other Web services technologies. Matt was the editor of several technology-related Web publications and electronic newsletters, including Web Services Report, ASP insights and MIDRANGE Systems.