An unusual DDoS amplification attack was carried out 10 days ago against many of the Internet’s 13 root name servers, the authoritative servers used to resolve IP addresses.
The attacks happened on Nov. 30 and again on Dec. 1, and each time, massive volumes of traffic, peaking at five million queries per second, were fired at the servers. A note from the Internet Assigned Numbers Authority (IANA) said there was minimal impact to the Internet at large, though some traffic saturated network connections near some DNS root name server instances, the advisory said.
“There are no known reports of end-user visible error conditions during, and as a result of, this incident. Because the DNS protocol is designed to cope with partial reachability among a set of name servers, the impact was, to our knowledge, limited to potentially minor delays for some name lookups when a recursive name server needs to query a DNS root name server (e.g. a cache miss),” the advisory said “This would have manifested itself as a barely perceptible initial delay in some web browsers or other client programs (such as “ftp” or “ssh”).”
The amplified queries were sent to most of the DNS root name server letters, and the source addresses were “randomized and distributed,” IANA said.
“This event was notable for the fact that source addresses were widely and evenly distributed, while the query name was not. This incident, therefore, is different from typical DNS amplification attacks whereby DNS name servers (including the DNS root name servers) have been used as reflection points to overwhelm some third party,” the advisory said.
Many more traditional DNS amplification attacks take advantage of the availability of publicly accessible and open DNS servers, spoofing the source address with the target’s address so that responses overwhelm the source. In this case, DNS root name servers that use IP anycast were seeing traffic at significant volumes. Anycast is a one-to-many network routing.
“The DNS root name server system functioned as designed, demonstrating overall robustness in the face of large-scale traffic floods observed at numerous DNS root name servers,” the advisory said. “Due to the fact that IP source addresses can be easily spoofed, and because event traffic landed at large numbers of anycast sites, it is unrealistic to trace the incident traffic back to its source.”
The organization recommends the use of source address validation and BCP-38 to lessen the ability of attackers to use spoofed packets to their advantage.