Security Experts Warn of Devastating Web Attack

A powerful new twist on the most common kind of Internet attack could overwhelm even the most popular and well-fortified Web sites and disrupt e-mail traffic by enlisting the network infrastructure servers that manage Internet traffic worldwide, security experts warn.

First detected as early as 2002, the assault, known as a distributed reflected denial-of-service (DRDoS) attack, bombards targeted Web servers with such massive amounts of spurious data that even flagship technology companies would not be able to cope.

In one case examined, an unknown assailant used an Internet domain-name server in South Africa to unknowingly bombard targeted computers with overwhelming floods of amplified data.

Domain-name servers are specialized computers that help direct Internet traffic. Computers see Web addresses as a string of numbers called an IP address; a domain-name server translates a user's request for, say, "" into the IP address ""

Experts traced at least 1,500 attacks that briefly shut down commercial Web sites, large Internet providers and leading Internet infrastructure companies during a period of weeks beginning late last year.

The attacks were so targeted that most Internet users did not notice widespread effects.

Like a standard "denial-of-service" (DoS) attack, a DRDoS attack exploits the standard TCP/IP "three-way handshake" between a client and server machine.

Typically, a "client" PC looking up a Web site sends a request for acknowledgement, including its own return IP address, to the Web site's server. The server acknowledges the request, and in turn asks the client for a confirmation the request was made. The client sends its own acknowledgement, and data then flows freely between the two machines.

In a standard DoS attack, a malicious machine takes down a Web site by flooding it with requests containing false IP return addresses, which the server will acknowledge. But since it the acknowledgement goes to a non-existent IP address, the server will get no reply, and will keep trying again and again.

Enough false requests will overload a server and make a Web site unavailable. In in the case of a distributed denial-of-service (DDoS) attack, a hacker, having secretly taken command of hundreds or thousands of "zombiefied" ordinary PCs by infecting them with computer viruses, enlists them all in bombarding the targeted Web server.

A DRDoS attack takes the concept to a new level. The malicious requests, again coming from countless "zombie" machines, contain a legitimate return IP address — in this case, the IP address of the server being targeted.

The requests go not to the target, but to hundreds of intermediate infrastructure servers, often owned by large technology companies, which help direct Web traffic. The infrastructure servers, which are innocently doing their jobs and can easily handle huge numbers of requests, "return" the acknowledgements to the target machine, which is quickly overwhelmed.

Ken Silva, chief security officer for VeriSign Inc., compared the scale of a possible DRDoS attack to the damage caused in October 2002 when nine of the 13 computer "root" servers that make up the core of the Internet were crippled by a powerful straight-on DDoS attack.

VeriSign operates two of the 13 root server computers, but its machines were unaffected.

"This is significantly larger than what we saw in 2002, by an order of magnitude," Silva said.

Silva said the attacks earlier this year used only about 6 percent of the more than 1 million domain-name and other infrastructure servers across the Internet to flood victims' servers.

Still, the attacks in some cases exceeded 8 gigabits per second, indicating a remarkably powerful electronic assault.

"This would be the Katrina of Internet storms," Silva said.

The U.S. Computer Emergency Readiness Team, part of the Homeland Security Department, warned network engineers in December to properly configure their domain-name servers to prevent hackers from using them in attacks.

It called the attacks "troublesome" because domain-name servers must operate to help direct Internet traffic.'s Paul Wagenseil and The Associated Press contributed to this report.