When the Internet’s root name servers are in the line of fire of a DDoS attack, people start to sweat, and with good reason, since those are the authoritative servers used to resolve IP addresses.
The most recent attacks against the root servers happened over a two-day period starting last Nov. 30, and impacted services on all but three of the root servers, with four of the 13 dropping offline at different points.
But according to a pair of researchers from VeriSign, keepers of two of the root servers, whoever was behind the attacks was not targeting the Internet’s core infrastructure. Instead, they are expected to say at a conference this week in Argentina that two IP addresses in China were the real targets.
Matt Weinberg and Duane Wessels are scheduled to deliver a talk at DNS-OARC 24 in Buenos Aires where they will present their review of the malicious UDP traffic absorbed by the A- and J-Root servers under VeriSign’s control. In their slides, Weinberg and Wessels identify two domains, 336901[.]com and 916yy[.]com, as the real targets with attacks peaking near five million queries per second for each domain on the A and J root servers. Both domains are registered to individuals in China, according to Whois data. The researchers also speculate that the attacks could have originated from a botnet pushing the BillGates or WebTools malware, both of which are known to generate DNS attacks.
Most of the spoofed traffic was sent from close to 4,000 IP addresses, 200 of those accounting for 68 percent of traffic. Despite those modest numbers, the researchers’ slides say that 895 million different source IP addresses were recorded on the two root servers during the attacks. The first attack lasted for more than two hours on Nov. 30 against 336901[.]com, and the second lasted 58 minutes on Dec. 1 against 916yy[.]com.
The slides go on to note that the A-Root server successfully absorbed the bad traffic, distributing it among four large sites in New York, Los Angeles, Hong Kong and London. The J-Root server did suffer some packet loss at smaller regional sites because it has smaller network uplinks and fewer CPU resources.
The researchers also note that Response Rate Limiting was an effective mitigation in countering up to 60 percent of attack traffic. RRL is a feature in the DNS protocol that mitigates amplification attacks where spoofed DNS queries are used to target victims in large-scale DDoS attacks.
In addition to RRL, the researchers said the attack traffic was easily filterable, and that through filtering they were able to drop response traffic for the attack queries, leaving normal traffic untouched. One of the limitations with this approach is that it’s a manual process.
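To illustrate the Response Rate Limiting idea described above, here is a simplified Python model, added as an example and not taken from the researchers' slides or from any DNS server's code. It assumes a budget of five responses per second for each client /24 prefix and query name; the addresses, names and traffic mix are constructed, and the result is not meant to reproduce the 60 percent figure.

```python
import ipaddress
from collections import defaultdict

class ResponseRateLimiter:
    """Simplified RRL model: a per-second response budget for each
    (client /24 prefix, query name) pair. Not any server's actual code."""

    def __init__(self, responses_per_second=5, prefix_len=24):
        self.rate = responses_per_second
        self.prefix_len = prefix_len
        self.sent = defaultdict(int)  # (second, prefix, qname) -> responses sent

    def allow(self, ts, src_ip, qname):
        net = ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        key = (int(ts), net.network_address, qname.lower().rstrip("."))
        if self.sent[key] >= self.rate:
            return False  # budget spent: the response is dropped
        self.sent[key] += 1
        return True

ATTACK_NAME = "www.attack-target.example."  # placeholder, not a name from the talk

def constructed_traffic():
    """One second of constructed queries as (timestamp, source, qname, label)."""
    queries = []
    # A few sources carrying most of the volume: 200 queries each.
    for src in ("198.51.100.10", "203.0.113.20", "192.0.2.30"):
        queries += [(0.0, src, ATTACK_NAME, "attack")] * 200
    # A long tail of spoofed sources: 300 distinct /24s, one query each.
    for a in range(3):
        for b in range(100):
            queries.append((0.0, f"10.{a}.{b}.1", ATTACK_NAME, "attack"))
    # Normal resolvers asking for unrelated (constructed) names.
    for i in range(20):
        queries.append((0.0, f"172.16.{i}.53", f"tld{i}.", "normal"))
    return queries

def run(queries, limiter):
    """Return {label: [answered, dropped]} after applying the limiter."""
    stats = defaultdict(lambda: [0, 0])
    for ts, src, qname, label in queries:
        stats[label][0 if limiter.allow(ts, src, qname) else 1] += 1
    return dict(stats)

if __name__ == "__main__":
    for label, (answered, dropped) in run(constructed_traffic(), ResponseRateLimiter()).items():
        print(f"{label}: answered={answered} dropped={dropped}")
```

In this constructed sample the concentrated sources are cut down to their budget, the one-query-per-prefix sources pass through, and normal queries are untouched.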