Sources say the one-hour attack, which was hardly noticeable to the average end-user, was done via ICMP requests (ping-flooding) to the root servers. In a typical DDoS attack, hundreds of "drone" machines are used to remotely pound IP addresses. While the common ping program sends on 64-byte datagram per second, "ping flooding" attacks can emit ICMP echo requests at the highest possible frequency, experts explained.
Internet Software Consortium (ISC) chairman Paul Vixie confirmed the ICMP request source of the attack on the NANOG mailing list but maintained the DDos attack "was only visible to people who monitor root servers or whose backbones feed root servers."
The ISC, which manages one of the targeted root servers, reported 80Mbps of traffic to its box, more than ten times the normal load but sources say the attack merely slowed sections of the Web and did not block service. Other root servers managed by Verisign and ICANN saw more than three times the load they normally handle.
During the course of the ping-flood pounding, only four of 13 root servers remained up and running while seven were completely crippled.
The 13 DNS root servers are the backbone for the domain name and IP address services on the Web.
Despite the fact that the attack appeared to have minimal impact, the Federal Bureau of Investigations and the U.S Government's new Department of Homeland Security are investigating and published reports say the early suspicion is that the attacks originated overseas.
A spokesman for the FBI's National Infrastructure Protection Center (NIPC), which tracks service attacks on the Internet, confirmed an investigation was underway.
While DNS server attacks aren't uncommon, the latest pounding to the 13 root servers stood out because it was orchestrated over a one-hour window and appeared to be the work of experts.
Coming on the heels of cyber-terrorism threats and the government's own warnings, security officials say the FBI must take this issue seriously. "Attacks orchestrated with this kind of complexity and power generally can't be executed by your run-of-the-mill "Script kid." It would take a lot of firepower to amass the servers capable of that kind of bandwidth," said a freelance security consultant, who declined to be named.
A spokesman for UUNET, which is the service provider for two of the root servers, said it was the "largest, most targeted attack" ever seen. "This did not affect the end user but it was huge and concerted. It was rare because it was aimed at all 13 servers. It was an attack on the Internet itself and not a particular Web site or service provider," he explained.
While the ISC's Vixie noted that the only way to thwart an attack of this magnitude was to over-provision, many believe that if the attack was sustained for a longer period, the effects could have been catastrophic.