Biggest internet attack ever coming our way?
We have seen a lot of internet attacks in the last year, but the biggest was in 2002, when part of the internet was out of order because half of all the domain name servers (the servers responsible for the fact that you type a name like microsoft.com and not an IP address like 127.89.09.00) were knocked out by a DDoS attack (sending them, or the router in front of them, so much traffic that they cannot handle it and go down). Nobody has ever found an effective way to handle DDoS attacks, except human control and coordination between hosts, ISPs and network administrators. The coming of the botnets made this even worse, because now the attacks no longer come from one network or a few hacked servers but from thousands of computers all over the place, which makes them extremely difficult to stop (unless everybody works together). What changed the situation in December, and spread panic in the security community, was an attack in which 30,000 servers hit some infrastructure in South Africa and brought it down very quickly. The alarming part was not that it was overwhelming (any botnet attack is), but that the computers in the botnet were domain name servers that were controlled and spoofed. Some articles had already been published on DNS networks run by botnets, but those were used to hide criminal servers or to send people to phishing sites (fake bank sites); nobody had seen such a coordinated spoofed DNS attack by so many DNS servers (even if there are 1 million of them). The problem is that DNS servers each take a part of the enormous job of translating domain names to IP addresses, so they have to trust each other: they accept the bogus spoofed attack traffic from the botnet DNS servers and pass it on, multiplying the effect by 64. This means you can create spoofed traffic as if it were sent by 1 million servers..... Over and out.
What can the community do?
First, correctly set up or close down your DNS servers. Internal DNS servers should not accept or answer queries from outside addresses. http://www.google.com/search?hl=en&lr=&q=open+rec... This is the same story as with mail servers, which until the spam crisis accepted any mail from anyone to anyone (open relay servers) and have now mostly been closed down.
Secondly, upgrade your BIND software to the latest version and do not keep running version 8. It was open source BIND servers that were used and attacked.
Thirdly, ISPs should have the legal right to stop traffic with false IP addresses, spoofed forwards and so on if they conclude it is part of an attack.
And as always, plan for a time in which there will be, for some time at least, no internet, no servers, nothing of that kind. So keep backups of your online material.
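A way to see whether your own name server is being used as an open recursive resolver, as an added example that is not part of this post: it parses BIND-style query-log lines (the constructed sample lines and the regex are assumptions; real BIND log formats differ between versions), flags recursive queries coming from outside your own address ranges, counts them per source address (with spoofed traffic that source is the victim), and works out the amplification factor from the request and response sizes.

```python
"""Spot open-recursion abuse in BIND-style query-log lines (added example).

Assumed line shape: client <ip>#<port> (<name>): query: <name> IN <type> <flags> (<server>)
where a leading '+' in <flags> means the client set the RD (recursion desired) bit.
"""
import ipaddress
import re
from collections import Counter

# Assumed internal ranges: the only clients this resolver should recurse for.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+ \([^)]*\): query: "
                     r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)")

def parse_line(line):
    """Return (client_ip, qname, qtype, recursion_desired) or None if unparseable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (m["ip"], m["name"], m["qtype"], m["flags"].startswith("+"))

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def external_recursive_queries(lines):
    """Queries in which an outside client asked this server to recurse.
    On a correctly scoped resolver (or an authoritative-only server) this is empty."""
    return [p for p in map(parse_line, lines)
            if p and p[3] and not is_internal(p[0])]

def top_sources(hits, min_count=2):
    """Source addresses with at least min_count external recursive queries."""
    counts = Counter(ip for ip, _, _, _ in hits)
    return [(ip, n) for ip, n in counts.most_common() if n >= min_count]

def amplification_factor(query_bytes, response_bytes):
    """Bytes the spoofed victim receives per byte the attacker had to send."""
    return response_bytes / query_bytes

SAMPLE_LOG = [  # constructed lines, not from a real server
    "client 10.0.0.7#3210 (example.com): query: example.com IN A + (10.0.0.53)",
    "client 203.0.113.9#1024 (example.org): query: example.org IN ANY +E (10.0.0.53)",
    "client 203.0.113.9#1025 (example.org): query: example.org IN ANY +E (10.0.0.53)",
    "client 203.0.113.9#1026 (example.org): query: example.org IN ANY +E (10.0.0.53)",
    "client 198.51.100.4#5353 (example.net): query: example.net IN A - (10.0.0.53)",
]

if __name__ == "__main__":
    hits = external_recursive_queries(SAMPLE_LOG)
    print(top_sources(hits))                 # [('203.0.113.9', 3)]
    print(amplification_factor(60, 3840))    # 64.0
```

The internal client and the non-recursive (`-`) query from outside are ignored; only the repeated recursive ANY queries from one outside address are reported.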
And for the irresponsible Belgian politicians who can't get their Internet Storm Center on track: wake up.