Sources say the one-hour attack, which was hardly noticeable to the average end-user, was done via ICMP requests (ping-flooding) to the root servers. In a typical DDoS attack, hundreds of "drone" machines are used to remotely pound IP addresses. While the common ping program sends on 64-byte datagram per second, "ping flooding" attacks can emit ICMP echo requests at the highest possible frequency, experts explained.
Internet Software Consortium (ISC) chairman Paul Vixie confirmed the ICMP request source of the attack on the NANOG mailing list but maintained the DDos attack "was only visible to people who monitor root servers or whose backbones feed root servers."
"DDoS attacks often end up hurting intermediate links in the path more than the destination of the flow... The average person who just wanted to use DNS to get work done didn't seem to notice it at all," Vixie added.
The ISC, which manages one of the targeted root servers, reported 80Mbps of traffic to its box, more than ten times the normal load but sources say the attack merely slowed sections of the Web and did not completely block service. Other root servers managed by Verisign and ICANN saw more than three times the load they normally handle.
During the course of the ping-flood pounding, only four of 13 root servers remained up and running while seven were completely crippled. (See graphs here).
The 13 DNS root servers are the backbone that runs the domain names and IP addresses on the Web.
Despite the fact that the attack appeared to have minimal impact, the Federal Bureau of Investigation (FBI) and the U.S Government's new Department of Homeland Security are investigating and published reports say the early suspicion is that that attacks originated overseas.
A spokesman for the FBI's National Infrastructure Protection Center (NIPC), which tracks service attacks on the Internet, confirmed an investigation was underway.
While DNS server attacks aren't uncommon, the latest pounding to the 13 root servers stood out because it was orchestrated over a one-hour window and appeared to be the work of experts.
Coming on the heels of cyber-terrorism threats and the government's own warnings, security officials say the FBI must take this issue seriously. "Attacks orchestrated with this kind of complexity and power generally can't be executed by your run-of-the-mill "Script kid." It would take a lot of firepower, to amass the servers capable of that kind of bandwidth," said a freelance security consultant, who declined to be named.
A spokesman for UUNET, which is the service provider for two of the root servers, told internetnews.com it was the "largest, most targeted attack" ever seen. "This did not affect the end user but it was huge and concerted. It was rare because it was aimed at all 13 servers. It was an attack on the Internet itself and not a particular Web site or service provider," he explained.
While the ISC's Vixie noted that the only way to thwart an attack of this magnitude would be to over-provision, many believe that if the attack was sustained for a longer period, the effects could have been catastrophic.