FBI Seeks to Trace Internet Attack

Though minor, the attack on Monday did demonstrate the potential for larger harm.

WASHINGTON (AP) -- The White House sought Wednesday to allay concerns about an unusual attack this week against the 13 computer servers that manage global Internet traffic, stressing that disruption was minimal and the FBI is working to trace the attackers.

Most Internet users didn't notice any effects from Monday's attack because it lasted only one hour and because the Internet's architecture was designed to tolerate such short-term disruptions, experts said.

The White House said it was unclear where the attack originated, who might be responsible or whether the attack could be considered cyber-terrorism.

"We don't know; we'll take a look to see if there are any signs of who it may or may not be," spokesman Ari Fleischer said. "I'm not aware there's anything that would lead anybody in that direction. History has shown that many of these attacks actually come from the hacker community. But that's why an investigation is under way."

The FBI's National Infrastructure Protection Center and agents from its computer-crime division were investigating, FBI spokesman Steven Berry said.

Civilian technical experts assisting with the investigation, speaking on condition of anonymity, said the FBI was reviewing electronic logs of computers used in the attack to determine the origin of those responsible.

"It's the nature of these things that they're never easy to untangle, and, yet sometimes, there are clues left behind," said Steve Crocker, chairman of an advisory committee on the security and stability of these servers for the Internet Corporation for Assigned Names and Numbers.

Another expert, Paul Mockapetris, the chief scientist at Nominum Inc., said those responsible appeared to use generic "ping flood" attack software that had been installed on computers across the globe using many different Internet providers. His company provides consulting advice to some of the organizations operating the servers.

"It was a fairly large attack, but it doesn't look to be an attack designed to do maximum damage," said Richard Probst, a vice president at Nominum. "Either it was a wake-up call or a publicity stunt or a probe to understand how the system works."

In "distributed denial of service" attacks, crackers traditionally seize control of third-party computers owned by universities, corporations and even home users and direct them to send floods of data at pre-selected targets.

The attack on Monday was notable because it crippled nine of the 13 servers around the globe that manage Internet traffic. Seven failed to respond to legitimate network traffic and two others failed intermittently during the attack, officials confirmed.

Service was restored after experts enacted defensive measures and the attack suddenly stopped.

"There was some degradation of service; however, nothing failed and providers were able to mitigate the attacks pretty quickly," Fleischer said.

A spokesman for the Office of Homeland Security, Gordon Johndroe, disputed experts who characterized the attack as the most sophisticated and large-scale assault against these crucial computers in the history of the Internet. He said the attack did not use any special techniques and was not particularly sophisticated.

"There were minor degradations, but no failures," Johndroe said.

Computer experts, who manage some of the affected computers and spoke on condition of anonymity, said the attack effectively shut down seven of the 13 computers by saturating their network connections and partially saturating the connections for two others. Although the servers continued operating, they were unable to respond to legitimate Internet requests.

The 13 computers are spread geographically across the globe as a precaution against physical disasters and are operated by U.S. government agencies, universities, corporations and private organizations.

"The public harm in this attack was low," agreed Marc Zwillinger, a former Justice Department lawyer who investigated similar attacks against e-commerce Web sites in 2000. "What it demonstrates is the potential for further harm."

Monday's attack wasn't more disruptive because many Internet providers and large corporations and organizations temporarily store, or "cache," popular Web directory information for better performance.

Although the Internet theoretically can operate with only a single root server, its performance would slow if more than four root servers failed for any appreciable length of time.

Copyright 2002. Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.