Root DNS servers DDoS’ed: was it a show-off?

DDoS attacks are a formidable (and somewhat regular) problem for businesses, but occasionally they appear to be a threat for the entirety of Web. On Nov. 30 and Dec. 1,

DDoS attacks are a formidable (and somewhat regular) problem for businesses, but occasionally they appear to be a threat for the entirety of Web. On Nov. 30 and Dec. 1, somebody launched a massive and unusual DDoS attack which hit the internet root servers responsible for resolving IP addresses. Apparently, it was a case of vandalism, or even borderline terrorism, but fortunately the impact of the attack upon the root servers was minimal, thanks to the DNS architecture.

In its advisory, the Internet Assigned Numbers Authority (IANA) said the effect was “limited to potentially minor delays for some name lookups when a recursive name server needs to query a DNS root name server (e.g. a cache miss)”.

Attackers used quite an unusual method of attacking. The amplified queries were sent to most of the DNS root name server letters, and the source addresses were “randomized and distributed,” IANA said. But, according to advisory, the source addresses were “widely and evenly distributed”, while the query name was not.

As Threatpost has it, many more traditional DNS amplification attacks take advantage of the availability of publicly accessible and open DNS servers, spoofing the source address with the target’s address so responses overwhelm the this address.

In this particular case, DNS root name servers which use IP anycast (a one-to-many network routing) were seeing traffic at significant volumes – The observed traffic volume was up to approximately 5 million queries per second, per DNS root name server letter receiving the traffic. Quite a lot, should we say. But, fortunately, not nearly enough to crash down the DNS.

The organization recommends the use of source address validation and BCP-38 to lessen the ability of attackers to use spoofed packets to their advantage.

The full advisory is available here.

It is a matter of speculation who could have launched this attack and why they did it. IANA said it’s unrealistic to identify the real source of the attack, due to the fact IP source addresses can be easily spoofed, and because event traffic landed at large numbers of anycast sites.

Yet another potent DDoS attack has recently hit the academic computer network known as Janet in a “targeted and sustained set of attacks,” according to the network’s operator Jisc.

The attack has reportedly left university students across the UK unable to submit work, which may serve as a hint on the reasons behind the attack (if not its origin).

But the first attack seems to make much less sense. We can only assume somebody was testing a novel type of attack – or just showing off. Anyway, an attack of this scope may be a mosquito bite for the World Wide Web’s root servers, but for a single company network it is like getting hit with a freight train.

Unless there are protective measures in place, such as Kaspersky DDoS Protection solution.

Kaspersky DDoS Protection fights attacks on two fronts: via DDoS intelligence and Kaspersky’s special defense infrastructure. The security intelligence team uses sophisticated methods to monitor the DDoS threat landscape to stay ahead of the criminals – to achieve the earliest possible detection of DDoS attacks.

In addition, Kaspersky Lab’s solution uses a combination of on-site & off-site technologies to protect your business.

The more detailed description of the solution is available at this link.