Early last week, anomalous DDoS attacks have threatened the Internet root servers that received more than 5 million queries a second.
“The authoritative name servers that serve the DNS root zone, commonly known as the “root servers”, are a network of hundreds of servers in many countries around the world. They are configured in the DNS root zone as 13 named authorities, as follows.” reads the IANA website.
The Internet root servers are critical components of the global Internet infrastructure, they were targeted two times for an hour or more each. Multiple domain name system root servers were hit in the attacks, these systems are essential to associate a logical address to the IP address.
“On November 30, 2015 and December 1, 2015, over two separate intervals, several of the Internet Domain Name System’s root name servers received a high rate of queries. This report explains the nature and impact of the incident.” states an advisory published Friday “While it’s common for the root name servers to see anomalous traffic, including high query loads for varying periods of time, this event was large, noticeable via external monitoring systems, and fairly unique in nature, so this report is offered in the interests of transparency.”
The first DDoS attack occurred on Monday, November 30, and the Internet root servers were flooded for about two hours and 40 minutes. The second attack took place on December 1 and lasted an hour. The majority of the Internet root servers was hit in the cyber attacks which flooded the machines with billions of valid queries for two undisclosed domain names, one for each attack.
Despite a significant volume of traffic flooded the Internet Root servers, the Internet users did not suffer any disservice because root servers are involved in the address resolution only when a much larger network of intermediate DNS servers fail to do so.
Who it behind a so powerful attack?
At the rime I’m writing, there is no indication of a possible responsible, the unique certainly is a so powerful DDoS attack request a significant computing power and bandwidth.
The name servers targeted in the attack use IP Anycast, it is a network routing methodology in which datagrams from a single sender are routed to the topologically nearest node in a group of potential receivers, though it may be sent to several nodes, all identified by the same destination address.
The fact that attackers hit IP Anycast servers indicates that attackers coordinated resources geographically dispersed.
“This event was notable for the fact that source addresses were widely and evenly distributed, while the query name was not,” continues the advisory. “This incident, therefore, is different from typical DNS amplification attacks whereby DNS name servers (including the DNS root name servers) have been used as reflection points to overwhelm some third party.”
The experts speculate the involvement of a large botnet, likely composed of a huge number of IoT devices. Such kind of attacks could be prevented by implementing the BCP 38, the Internet Engineering Task Force standard for defeating IP address spoofing.
(Security Affairs – DDoS, Internet Root servers)