UPDATED 15:36 EDT / DECEMBER 10 2015

NEWS

Unknown attackers strike DNS root name servers with massive DDoS

On November 30 and December 1, 2015 unknown attackers unleashed two massive distributed denial of service (DDoS) attacks against many of the 13 DNS root name servers in what looked like an attempt to knock them offline. The reasons for this attack and the perpetrators are both still a mystery, as reported by International Business Times.

The Domain Name System (DNS) relies on a set of root name servers distributed across the globe and run by many different organizations, which gives the root extremely high availability and makes it hard to knock offline. Furthermore, even if the root servers were unreachable, the recursive resolvers run by most ISPs (and by Google) cache responses, including the root's delegations to the top-level domains, for the lifetime of their TTLs, which for those delegation records is measured in days, so resolution simply keeps working for as long as the cached entries remain fresh.

According to the report filed by the root server operators on December 4, traffic received by the attacked name servers reached approximately five million queries per second. This appears as a massive spike in the graphs of query volume over time (for example, see the A-root query volume graph below).

A-root query metrics from Verisign

For comparison, Verisign, Inc.'s A-root server rarely sees more than 10 million queries a day; during the attacks that figure rose to more than 50 million queries a day.

“The incident traffic saturated network connections near some DNS root name server instances,” the report notes. “This resulted in timeouts for valid, normal queries to some DNS root name servers from some locations.”

Overall, the system weathered the attack with what the report describes as "overall robustness in the face of large-scale traffic floods," and there were very few anomalies detected or complaints from customers. Some legitimate queries did time out, but most clients would have experienced at most barely perceptible delays, since a resolver that fails to reach one root instance retries another.

The DNS root name servers are designed to take a lot of traffic

Every day, Internet users wash the network in queries asking for the IP addresses that domain names represent. Whenever a client tries to reach "google.com" and does not already know its address, it asks a DNS resolver, which replies with something like "216.58.218.174", and a connection can then be made. The resolver itself finds that answer by starting at a root name server, which refers it to the servers for "com", which in turn refer it to the servers authoritative for "google.com"; each of those referrals is cached for its TTL, so the root is consulted only when no cached delegation applies.
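To make the caching argument from the opening of this article and the lookup walk-through above concrete, here is an added example in Python; it is not code from the article, the root operators or Verisign. It is a toy iterative resolver with a TTL cache over constructed zone data (the server names, TTLs and addresses are all made up, with addresses taken from the documentation ranges). It shows that a resolver which has already cached the delegations for "com." and "example.com." keeps answering queries for names under them while the root is unreachable, but that a query for a never-seen TLD, or any query after the cached delegations expire, needs the root again and fails.

```python
"""Toy iterative DNS resolver with a TTL cache (added example, not the
article's or any operator's code).  Zone data, server names and TTLs are
constructed; addresses come from the documentation ranges (RFC 5737)."""
from collections import namedtuple

Record = namedtuple("Record", "rtype value ttl")


class Timeout(Exception):
    """Raised when the (simulated) root servers do not answer."""


def suffixes(name):
    """'www.example.com.' -> ['www.example.com.', 'example.com.', 'com.', '.']"""
    labels = name.rstrip(".").split(".") if name != "." else []
    out = [".".join(labels[i:]) + "." for i in range(len(labels))]
    out.append(".")
    return out


# Constructed authoritative data.  NS values name the server that holds the
# child zone (glue addresses are elided for brevity).
SERVERS = {
    "root": {  # the root zone: only delegations to the TLDs
        "com.": [Record("NS", "com-tld", 172800)],
        "org.": [Record("NS", "org-tld", 172800)],
    },
    "com-tld": {"example.com.": [Record("NS", "example-auth", 172800)]},
    "org-tld": {"example.org.": [Record("NS", "example-org-auth", 172800)]},
    "example-auth": {
        "www.example.com.": [Record("A", "192.0.2.10", 300)],
        "mail.example.com.": [Record("A", "192.0.2.25", 300)],
    },
    "example-org-auth": {"www.example.org.": [Record("A", "198.51.100.7", 300)]},
}


class CachingResolver:
    def __init__(self, servers):
        self.servers = servers
        self.cache = {}          # (name, rtype) -> (records, expiry time)
        self.root_down = False   # flip to simulate the root being unreachable
        self.root_queries = 0

    def _cache_get(self, key, now):
        hit = self.cache.get(key)
        return hit[0] if hit and hit[1] > now else None

    def _cache_put(self, key, records, now):
        self.cache[key] = (records, now + min(r.ttl for r in records))

    def _ask(self, server_id, name, rtype):
        """One query to one authoritative server: answer, referral or nxdomain."""
        if server_id == "root":
            if self.root_down:
                raise Timeout("root servers unreachable")
            self.root_queries += 1
        zone = self.servers[server_id]
        answer = [r for r in zone.get(name, []) if r.rtype == rtype]
        if answer:
            return "answer", answer
        for suffix in suffixes(name):   # longest enclosing delegation, if any
            ns = [r for r in zone.get(suffix, []) if r.rtype == "NS"]
            if ns:
                return "referral", (suffix, ns)
        return "nxdomain", None

    def resolve(self, name, rtype, now):
        cached = self._cache_get((name, rtype), now)
        if cached:
            return [r.value for r in cached]
        # Start from the closest cached delegation; fall back to the root hints.
        server = "root"
        for suffix in suffixes(name):
            ns = self._cache_get((suffix, "NS"), now)
            if ns:
                server = ns[0].value
                break
        for _ in range(10):  # bound the referral chain
            kind, payload = self._ask(server, name, rtype)
            if kind == "answer":
                self._cache_put((name, rtype), payload, now)
                return [r.value for r in payload]
            if kind == "referral":
                zone, ns = payload
                self._cache_put((zone, "NS"), ns, now)
                server = ns[0].value
            else:
                raise KeyError(name)
        raise RuntimeError("referral loop")


def attempt(resolver, name, now):
    try:
        return resolver.resolve(name, "A", now)
    except Timeout:
        return "timeout"


def demo():
    """Walk the scenario the article describes; returns the observed results."""
    r = CachingResolver(SERVERS)
    out = {}
    out["first"] = attempt(r, "www.example.com.", 0)        # root -> com -> example
    out["root_queries"] = r.root_queries                    # 1
    r.root_down = True                                      # the root stops answering
    out["cached"] = attempt(r, "www.example.com.", 60)      # answer still in cache
    out["sibling"] = attempt(r, "mail.example.com.", 60)    # cached delegation suffices
    out["unseen_tld"] = attempt(r, "www.example.org.", 60)  # needs the root: timeout
    out["after_expiry"] = attempt(r, "mail.example.com.", 172801)  # delegations expired
    out["root_queries_during_outage"] = r.root_queries - out["root_queries"]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the `after_expiry` case is that caching buys time, not immunity: once the delegation records age out, every resolver in the world needs the root again, which is why a sustained multi-day flood would be a very different event from the two short bursts described here.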

There are 13 DNS root name server identities, named with the letters A through M, each operated by a different network provider or organization (with the exception of A and J, which are both operated by Verisign). Each letter is in turn served from many anycast instances spread around the world, which is why the operators' report speaks of traffic saturating links near "some instances" rather than taking down whole letters. This is an extremely durable design that has kept the root available through normal load and previous attacks alike.

This is not the first attack the system has suffered either. On October 21, 2002, a DDoS campaign hit all 13 servers for about an hour, and on February 6, 2007, an attack was sustained for roughly 24 hours.

Most previous attacks against the DNS root name servers simply buffeted them, as the attackers could not muster enough traffic to disrupt the servers. This month's attack actually caused minor disruption, which shows that the capacity behind such attacks is growing.

“It’s hard to see this and not recognize the malicious intent behind this attack,” says John Casaretto, SiliconANGLE Security Analyst. “One thing that has been happening in recent years is a shift to an international multi-stakeholder model for DNS and internet domain names. ICANN had their base DNS zone compromised about one year ago to the day. The root DNS system has also been ceded from US control. Again, think about the target. I wouldn’t doubt it if these attacks were somehow related.”

While the intent of the attackers is a mystery, the capability they wielded is not, and it was impressive. Casaretto notes that attackers seek out and exploit flaws in systems, and a massive DDoS attack yields considerable intelligence about potential weak points in the root servers' defenses: which instances saturate first, how traffic is rerouted, and how long recovery takes.

“They survived this round, but this illustrates the seriousness of what those systems hold,” Casaretto adds. “You basically have a perfect mix of high value target, high potential for human error, and maximum impact. Buckle up.”

Featured image credit: via Pixabay
