In 2002 it was called the “largest ever” internet attack. This distributed denial of service (DDoS) attack knocked seven of the 13 servers at the top of the internet’s domain name system (DNS) hierarchy, the root name servers, offline. Now, 20 years later, its origins remain a mystery, but its methods and size still make it stand out. It is no longer the largest by the numbers, but it does show how far both attackers and defenders have come since. Looking back, what can it tell us about cyberattacks today?

Hitting the Internet’s 13 Root Name Servers

According to The Register, on October 21, 2002, at about 5 p.m., all 13 servers at the top of the internet’s domain name system hierarchy, the root name servers, came under attack. The attackers took seven of them offline and caused two others to go offline repeatedly during the hour-long attack. Because the attack hit all 13 servers at the same time instead of one after another, the Internet Systems Consortium, which operates one of the root servers, and the other operators had no warning. So the attack caused more widespread outages than a sequential attack would have.

During the hour-long attack, the attackers flooded the servers with packets in what was described at the time as an Internet Control Message Protocol (ICMP) ping flood, although the traffic was actually a mix of protocols. Instead of the usual roughly 8 Mbps of traffic, each server received more than 10 times that amount.

The archived version of the Internet Systems Consortium report revealed:

  • Attack volume was about 50 to 100 Mbit/s per root name server, for a total attack volume of approximately 900 Mbit/s across all 13.
  • Attack traffic contained ICMP, TCP SYN, fragmented TCP and UDP packets.
  • Attack source addresses were mostly randomized, chosen within netblocks that were mostly present in the routing table at the time of the attack, so they looked routable rather than obviously forged.
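As an added example (written for this page, not taken from the ISC report or The Register), the Python below profiles a one-second slice of traffic arriving at a single root server against the figures above: the roughly 8 Mbit/s normal load, the more-than-10x jump, the ICMP, TCP SYN, fragmented TCP and UDP mix, and the randomized source addresses. The packet records are constructed, and the resolver counts, packet sizes and the 50% source-diversity threshold are assumptions made for the example.

```python
import ipaddress
import random
from collections import Counter
from dataclasses import dataclass

BASELINE_BPS = 8_000_000    # ~8 Mbit/s usual load per root server (figure from the page)
FLOOD_RATIO = 10            # page: attack traffic was more than 10x the usual amount
DIVERSITY_THRESHOLD = 0.5   # assumption: >50% of packets from distinct /24s in one second is abnormal


@dataclass
class Packet:
    src: str     # source IPv4 address as a string
    proto: str   # "udp", "icmp", "tcp_syn" or "tcp_frag"
    size: int    # bytes on the wire


def profile(packets, window_seconds):
    """Summarize one window of traffic aimed at a single root server.

    Returns the bit rate, its ratio to the baseline, the protocol mix and the
    fraction of packets that came from a distinct /24. Randomized spoofed
    sources push that fraction towards 1.0; a population of caching resolvers
    keeps it low because the same resolvers query again and again."""
    total_bits = sum(p.size for p in packets) * 8
    bps = total_bits / window_seconds
    ratio = bps / BASELINE_BPS
    protocols = Counter(p.proto for p in packets)
    slash24s = {int(ipaddress.IPv4Address(p.src)) >> 8 for p in packets}
    diversity = len(slash24s) / len(packets) if packets else 0.0
    return {
        "bps": bps,
        "ratio": ratio,
        "protocols": protocols,
        "source_diversity": diversity,
        "flood": ratio >= FLOOD_RATIO and diversity >= DIVERSITY_THRESHOLD,
    }


def _random_address(rng):
    return str(ipaddress.IPv4Address(rng.getrandbits(32)))


def constructed_normal_second(seed=2002, resolvers=2_000, queries=10_000):
    """Constructed baseline (assumption): 2,000 caching resolvers sending
    10,000 UDP queries of 100 bytes in one second, i.e. exactly 8 Mbit/s."""
    rng = random.Random(seed)
    pool = [_random_address(rng) for _ in range(resolvers)]
    return [Packet(rng.choice(pool), "udp", 100) for _ in range(queries)]


def constructed_attack_second(seed=2002, packets=110_000):
    """Constructed attack (assumption): 110,000 packets of 100 bytes, i.e.
    88 Mbit/s, inside the reported 50-100 Mbit/s per-server range, with the
    reported protocol mix and a fresh random source address on every packet."""
    rng = random.Random(seed)
    mix = ["icmp", "tcp_syn", "tcp_frag", "udp"]
    return [Packet(_random_address(rng), rng.choice(mix), 100) for _ in range(packets)]


if __name__ == "__main__":
    for label, pkts in (("normal", constructed_normal_second()),
                        ("attack", constructed_attack_second())):
        result = profile(pkts, window_seconds=1.0)
        print(f"{label}: {result['bps'] / 1e6:.1f} Mbit/s, "
              f"{result['ratio']:.1f}x baseline, "
              f"source diversity {result['source_diversity']:.2f}, "
              f"protocols {dict(result['protocols'])}, flood={result['flood']}")
```

The rate threshold alone would also fire on a legitimate traffic surge; combining it with the source-diversity measure is what separates a spoofed flood of the 2002 kind from a burst of real resolver queries, which come from a bounded set of addresses.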

Major Attack Did Not Affect Users

Cybersecurity researchers often measure attacks today by end-user issues and business disruptions. In this attack, neither happened. Technically, the servers never crashed; instead they slowed the processing of traffic. Some queries may have been delayed by a few seconds, but in general the slight lag did not produce error pages for users.

Plus, the host resources were sufficiently over-provisioned, so the servers answered most user queries, though some root name servers were unable to answer some valid queries. Because recursive resolvers cache answers from the root zone, most users never needed to reach a root server during the hour anyway. Interestingly, the response of the root servers also varied based on the location of the user: some servers remained available in metro areas. Root server operator VeriSign Inc. responded quickly and brought its servers back online. That quick response also kept users from noticing.

What is most disturbing about these root server attacks is that the attacker apparently wanted to block or shut down the internet as a whole.

No One Claimed Responsibility for the Attack

As the days and weeks passed, no one claimed responsibility. Even 20 years later, the person or group behind the attack is still unknown. That is unusual for an attack of this scale.

Phil Huggins, an expert with the security consultancy @stake, said most name lookups go to secondary domain name servers instead of the 13 root servers targeted in the attack. It would have taken four hours of constant attack to make a noticeable impact on general internet users.

“Either they didn’t know the time needed to knock out the root servers or they were up to something else,” said Huggins. “It may be that they were testing out their DDoS network.”

Huggins said that, from a technical perspective, it was a relatively simple, straight DDoS attack. However, Slater noted that the attacker had done their homework.

‘An Army of Drones’

People often ask if this type of attack could happen again. The most likely answer is that an attack of this kind would not have the same effect today. Somewhat similar domain name system attacks have occurred, especially ones using redirection. After the 2002 attacks, the root server system was quickly upgraded with increased peering and transit connectivity as well as wide-area server mirroring (anycast, which lets many physically separate servers answer for one root server address). According to the Internet Systems Consortium, these changes keep an attack from concentrating at network congestion points to take down the servers.

My favorite question to ask when researching is what we, as a cybersecurity community, learned from the attack. I found the best answer from Paul Vixie, chairman of the Internet Software Consortium (as the Internet Systems Consortium was then named), in The Register article. He said that the attack showed the importance of securing the end stations that forge the traffic.

“There’s an army of drones sitting out there on DSL lines…. There’s no security at the edge of the network,” said Vixie to The Register. “Anyone can send packets with pretty much any source address.”
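Vixie’s point about forged source addresses, together with the ISC finding that the forged sources sat inside netblocks present in the routing table, is shown in the added example below (written for this page, not code from ISC, The Register or the people quoted). It contrasts a check that only asks whether a source address is routable with an ingress filter in the style of BCP 38 / RFC 2827 applied at the customer edge. The routed prefixes, the customer pool and the forged addresses are all constructed for the example.

```python
import ipaddress
import random

# Assumption: a tiny stand-in for the prefixes present in the global routing table.
ROUTED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "192.0.2.0/24",
    "198.51.100.0/24",
    "203.0.113.0/24",
    "100.64.0.0/16",
)]

# Assumption: the address pool assigned to the DSL customers behind one edge router,
# a slice of the ISP's routed 198.51.100.0/24 aggregate.
CUSTOMER_PREFIX = ipaddress.ip_network("198.51.100.64/26")


def routability_check(src):
    """Core/transit style filter that only drops sources absent from the routing
    table. Sources chosen inside routed netblocks, as in the 2002 attack, pass."""
    addr = ipaddress.ip_address(src)
    return any(addr in prefix for prefix in ROUTED_PREFIXES)


def ingress_filter(src, customer_prefix=CUSTOMER_PREFIX):
    """BCP 38 / RFC 2827 style check at the edge: forward a packet only if its
    source lies in the prefix assigned to the interface it arrived on."""
    return ipaddress.ip_address(src) in customer_prefix


def forge_sources(seed, count):
    """Attacker-style source selection as the ISC report describes it: a random
    host inside a random netblock that is present in the routing table."""
    rng = random.Random(seed)
    sources = []
    for _ in range(count):
        prefix = rng.choice(ROUTED_PREFIXES)
        sources.append(str(prefix[rng.randrange(prefix.num_addresses)]))
    return sources


def evaluate(sources):
    """Count how many forged packets each filter would let out of the edge."""
    return {
        "total": len(sources),
        "routability_pass": sum(1 for s in sources if routability_check(s)),
        "ingress_pass": sum(1 for s in sources if ingress_filter(s)),
    }


if __name__ == "__main__":
    result = evaluate(forge_sources(seed=2002, count=10_000))
    print(f"forged packets: {result['total']}")
    print(f"pass routability-only check: {result['routability_pass']}")
    print(f"pass BCP 38 ingress filter: {result['ingress_pass']} "
          f"(all inside {CUSTOMER_PREFIX}, so traceable to this edge)")
```

The routability check passes every forged packet, which is why the attackers could pick random addresses from routed netblocks without penalty. The ingress filter still lets through the few forged packets whose source happens to fall inside the local customer prefix, but those are confined to 64 addresses on one edge, so the traffic can be traced to the network it came from instead of looking like it came from everywhere.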

The attackers used a simple method and software found online for free. Had they kept the attack going for several more hours, there would likely be no debate about whether it was the largest attack, and the event would probably be better known today. While the 2002 attack was the largest of its time, it was not the most damaging, thanks to over-provisioned servers, the short duration and the quick response of the root server operators.
