As schools increasingly rely on the internet for their mission-critical operations, educators' concern about potential service disruptions grows, too. This week, tech-savvy educators were following with keen interest the ongoing investigation into one of the most serious attacks on the internet yet.

The White House on Oct. 23 sought to allay concerns about an unusual attack against the 13 computer servers that manage global internet traffic, stressing that disruption was minimal and that the Federal Bureau of Investigation is working to trace the attackers.

Most internet users didn’t notice any effects from the Oct. 21 attack, because it lasted only one hour and because the internet’s architecture was designed to tolerate such short-term disruptions, experts said.

The White House said it was unclear where the attack originated, who might be responsible, or whether the attack could be considered cyber-terrorism.

“We don’t know. We’ll take a look to see if there are any signs of who it may or may not be,” spokesman Ari Fleischer said. “I’m not aware there’s anything that would lead anybody in that direction. History has shown that many of these attacks actually come from the hacker community. But that’s why an investigation is under way.”

The FBI’s National Infrastructure Protection Center and agents from its cyber-crime division were investigating, FBI spokesman Steven Berry said.

Civilian technical experts assisting with the investigation, speaking on condition of anonymity, said the FBI was reviewing electronic logs of computers used in the attack to determine the origin of those responsible.

“It’s the nature of these things that they’re never easy to untangle, and yet sometimes there are clues left behind,” said Steve Crocker, chairman of an advisory committee on the security and stability of these servers for the Internet Corporation for Assigned Names and Numbers.

Another expert, Paul Mockapetris, the chief scientist at Nominum Inc., said those responsible appeared to use generic “ping flood” attack software that had been installed on computers across the globe using many different internet providers. His company provides consulting advice to some of the organizations operating the servers.

“It was a fairly large attack, but it doesn’t look to be an attack designed to do maximum damage,” said Richard Probst, a vice president at Nominum. “Either it was a wake-up call, or a publicity stunt, or a probe to understand how the system works.”

In so-called “denial of service” attacks, hackers traditionally seize control of third-party computers owned by schools, corporations, and even home users and direct them to send floods of data at pre-selected targets.

The Oct. 23 attack was notable because it crippled nine of the 13 servers around the globe that manage internet traffic. Seven failed to respond to legitimate network traffic and two others failed intermittently during the attack, officials confirmed.

Service was restored after experts enacted defensive measures and the attack suddenly stopped.

“There was some degradation of service; however, nothing failed and providers were able to mitigate the attacks pretty quickly,” Fleischer said.

A spokesman for the Office of Homeland Security, Gordon Johndroe, disputed experts who characterized the attack as the most sophisticated and large-scale assault against these crucial computers in the history of the internet. He said the attack did not use any special techniques and was not particularly sophisticated.

“There were minor degradations, but no failures,” Johndroe said.

Computer experts who manage some of the affected computers, speaking on condition of anonymity, said the attack effectively shut down seven of the 13 computers by saturating their network connections and partially saturating the connections for two others. Although the servers continued operating, they were unable to respond to legitimate internet requests.

The 13 computers are spread geographically across the globe as a precaution against physical disasters and are operated by U.S. government agencies, universities, corporations, and private organizations.

“The public harm in this attack was low,” agreed Marc Zwillinger, a former Justice Department lawyer who investigated similar attacks against eCommerce web sites in 2000. “What it demonstrates is the potential for further harm.”

The attack wasn’t more disruptive because many internet service providers and large corporations temporarily store, or “cache,” popular web directory information for better performance.

Although the internet theoretically can operate with only a single root server, its performance would slow if more than four root servers failed for any appreciable length of time.

