
Attack on DNS root servers - sajal83
http://root-servers.org/news/events-of-20151130.txt
======
robryk
I suspect that this might have been a botnet showing off to its potential
clients. This may explain withholding of the domain names queried (not to give
advertising to the botnet).

~~~
comboy
Well I'm pretty impressed.

    observed traffic volume due to this event was up to approximately 5
    million queries per second, per DNS root name server letter receiving
    the traffic.

i.e. over 50 million queries per second distributed evenly across IPv4

~~~
johansch
It was presumably done over UDP where it's trivial to fake source IP. What's
the minimum size of a valid UDP-based DNS request? Let's guesstimate 25 bytes.
Then 50M/s * 25 bytes = 1.25 GB/s. Or 10 Gbit/s.

Is that really so impressive these days?
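An added example, not from the thread, to check the guesstimate above rather than guess it: build the smallest valid DNS query in RFC 1035 wire format, add the IPv4 and UDP headers, and redo the bandwidth arithmetic for the thread's 50M qps figure. Header sizes are the protocol minimums; the names queried are constructed placeholders, since the report withheld the real ones.

```python
"""Wire-format cost of a minimal DNS query and the resulting line rate.

Added example, not code from the root-servers.org report or the thread.
"""
import struct

IPV4_HEADER = 20  # minimum IPv4 header, no options
UDP_HEADER = 8
DNS_HEADER = 12   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length byte + label, zero-terminated.

    The root name "." has no labels and encodes to a single zero byte.
    """
    labels = [lbl for lbl in name.strip(".").split(".") if lbl]
    encoded = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return encoded + b"\x00"


def build_query(name: str, qtype: int = 1, qclass: int = 1, txid: int = 0x1234) -> bytes:
    """A minimal query: 12-byte header (RD set, QDCOUNT=1) plus one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack(">HH", qtype, qclass)
    return header + question


def packet_size(name: str) -> int:
    """Bytes per query at layer 3: IPv4 + UDP + DNS payload."""
    return IPV4_HEADER + UDP_HEADER + len(build_query(name))


def gbit_per_second(qps: int, bytes_per_packet: int) -> float:
    """Line rate in Gbit/s for qps packets of the given size."""
    return qps * bytes_per_packet * 8 / 1e9


if __name__ == "__main__":
    # Constructed names: the root itself (the smallest possible question)
    # and a typical two-label name.
    for name in (".", "example.com"):
        size = packet_size(name)
        print(f"{name!r}: {size} bytes/query -> "
              f"{gbit_per_second(50_000_000, size):.1f} Gbit/s at 50M qps, "
              f"{gbit_per_second(5_000_000, size):.1f} Gbit/s per letter at 5M qps")
```

The 25-byte guess is below the floor: the DNS payload alone for a root query is 17 bytes, and with IP and UDP headers the smallest query is 45 bytes, so 50M qps is about 18 Gbit/s at layer 3 before Ethernet framing.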

~~~
comboy
Is it really that trivial to fake source IP? I think pretty much any ISP
wouldn't let such packets through (or am I missing something?), and you are
also easier to find then (well, if you are not careful that is).

~~~
__jal
If this was a botnet, any one ISP is only seeing a tiny fraction of the load.

Even if it were from a single source, it also isn't that hard to find an ISP
that doesn't care. (They cost slightly more, but if you're a bad actor,
presumably it is worth it.)

Edit:

"I think pretty much any ISP wouldn't let such packets through"

If you google "BCP38", you will find well over a decade of network operators
discussing specifically this topic and the reasons why ISPs (and other
networks) don't, not to mention all the fun of the kvetching and meta-kvetching
that accompanies any technical discussion that's lasted so long.

~~~
cft
After you have been a target of ~50 Gbps NTP reflection attacks that nearly
destroyed our company, it's hard to be impartial in these discussions.

~~~
cmdrfred
50gbps? Who did you piss off, damn.

------
cft
_" Source Address Validation and BCP-38."_ ISPs should validate the source
address of UDP traffic from their end customers. This would end most UDP based
volumetric DDoS attacks.

~~~
sp332
It would help reflection attacks that direct e.g. DNS responses to the target.
It wouldn't help when the DNS servers themselves are the target.

~~~
cft
The OP says that IP addresses were "randomly distributed" over IPv4 space.
That's very unlikely for non-spoofed botnet addresses.

~~~
Dylan16807
The botnet would still be able to perform an attack of the same size. And with
many validation schemes it would still be able to randomize the last octet or
two, avoiding direct identification of compromised computers.
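An added example, not from the thread, of what a BCP 38 style source address validation filter on a customer-facing port does to the two cases discussed above: fully random spoofed sources versus sources randomised only within the customer's own prefix. The customer prefixes (RFC 5737 documentation ranges), the packet representation and the traffic are constructed for the example.

```python
"""Ingress source address validation (BCP 38) and its limit.

Added example; the prefixes and traffic are constructed, not from the report.
"""
import ipaddress
import random

# Assumption: these prefixes are the ones routed to the customer port.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.64/26"),
]


def permitted_source(src: str, prefixes=CUSTOMER_PREFIXES) -> bool:
    """Allow a packet only if its source lies in a prefix assigned to this port."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def filter_packets(packets, prefixes=CUSTOMER_PREFIXES):
    """Split (src, dst) packets into those the edge forwards and those it drops."""
    passed, dropped = [], []
    for src, dst in packets:
        (passed if permitted_source(src, prefixes) else dropped).append((src, dst))
    return passed, dropped


def random_source_flood(n: int, dst: str, seed: int = 7):
    """Constructed flood with sources drawn uniformly from all of IPv4."""
    rng = random.Random(seed)
    return [(str(ipaddress.IPv4Address(rng.getrandbits(32))), dst) for _ in range(n)]


def last_octet_flood(dst: str):
    """Constructed flood that only varies the last octet inside the customer's /24."""
    return [(f"192.0.2.{i}", dst) for i in range(256)]


def survival_counts(dst: str = "198.41.0.4"):
    """How many packets of each flood get past the filter."""
    random_passed, random_dropped = filter_packets(random_source_flood(1000, dst))
    octet_passed, octet_dropped = filter_packets(last_octet_flood(dst))
    return {
        "random_passed": len(random_passed),
        "random_dropped": len(random_dropped),
        "last_octet_passed": len(octet_passed),
        "last_octet_dropped": len(octet_dropped),
    }


if __name__ == "__main__":
    for key, value in survival_counts().items():
        print(f"{key}: {value}")
```

Random sources across the whole address space are almost all dropped at the customer edge, which is why the report's "randomly distributed" sources imply networks that do no validation. Sources randomised within the customer's own prefix all pass, which is the limitation raised above: the filter stops the network from impersonating the rest of the Internet, not from hiding which host inside it sent the traffic.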

------
rmdoss
The beauty of DNS: No one was affected or noticed the problem. Resolvers just
tried another one if they didn't get a response from one of the root servers.

~~~
paulddraper
DNS would be a disaster if taken down. It's also impossible.

------
bluedino
So what were the domain names queried?

------
SixSigma
related ?

Day 2: UK research network Janet still being slapped by DDoS attack DNS
services appear to be targeted, switching may work

[http://www.theregister.co.uk/2015/12/08/uk_research_network_...](http://www.theregister.co.uk/2015/12/08/uk_research_network_janet_ddos/)

------
lucb1e
What made this unique now? Was it simply a high load?

~~~
paulmd
Typically what you see are "amplification attacks". That's where Alice wants
to DOS Bob, so she spoofs a request to Charlie that appears to come from Bob.
This results in a message from Charlie to Bob. The message from A->C is
crafted such that it results in a much larger return message from C->B (hence
"amplification"). That lets you create an attack that produces a multiple of
the bandwidth that you actually control. Then you have a bunch of machine spam
the message.

In that case, you see many messages from the same source address (meaning the
target under attack, i.e. Bob), but the data requested may vary. In this case,
the source addresses were uncorrelated, but they all wanted the exact same
address, so basically the opposite.

I can't say that I know what it is, but when you see massive spikes like that
it's usually a botnet of some kind (whether it's infected machines, injected
connections, or whatever method). Perhaps a bunch of bots resolving their next
C&C master?

~~~
Abundnce10
Do you have any links to resources on Botnets. It's an interesting topic that
I know very little about (e.g. How they work, how they come into existence,
how they're controlled/monitored, etc). It sounds like you know a decent
amount about them.

~~~
JoshTriplett
Book by one of my former professors: [http://www.amazon.com/Botnets-The-Killer-Web-App/dp/15974913...](http://www.amazon.com/Botnets-The-Killer-Web-App/dp/1597491357)

~~~
Abundnce10
Awesome, thanks!

------
Goopplesoft
Why is root-servers.org not https?

~~~
bpicolo
You transmit no secret information to it, and it none to you?

~~~
dschep
But how do I know the information it sends to me hasn't been MITM'd if it
isn't SSL'd?

~~~
cmdrfred
But if you don't have DNS how do you download the revocation list?

~~~
therein
How is a system with at least the ability to validate the origin but without
repudiation worse than a system with absolutely no security at all?

------
navadavuluri
Is there significance to NTP requests in relationship to DDOS?

~~~
tptacek
Yes; NTP is an amplification vector, which means you can spoof a small NTP
request and generate a large NTP response aimed at your target.

------
Ayaz
They don't mention otherwise but do we know if the attack has happened again
since 1 December?

------
ck2
China testing something new? Or maybe some scriptkiddie testing their new
botnet?

~~~
KG8
Why China of all of the 193 countries? What about Russia? US? Brazil? England?

~~~
bdamm
We've always been at war with Eastasia.

------
gawi
Donald Trump's failed attempt to shut down the Internet.

------
llasram
I bet the observed "random" source addresses are open recursive DNS servers.
For this kind of attack they provide essentially free traffic-washing for
whatever actual traffic-generation mechanism the attackers have.

~~~
majke
Nope.

The open recursive DNS servers are real DNS servers, with caching and backoff
logic. If, say, there are 94k [1] open DNS resolvers in the wild, each will
ask you one DNS question for example.com, cache the answer and that's it.

The big volume for the "fixed domain" queries indicates proper BCP-38
spoofing.

[1] [http://public-dns.tk/](http://public-dns.tk/)

~~~
llasram
Unless the attacker controlled the domain TTL, maybe? But good point -- I was
thinking of a similar attack using random domains.

~~~
majke
Open recursors asking for random subdomains can generate bigger volume of
attack, but still, they are smart and will fall back if the server is
overwhelmed.

Even if you're assuming 100 qps from each of the 94k recursors, that's only
9.4M qps. And most of the recursors will notice lack of answer and will slow
down / stop the queries. In practice random subdomain attacks rarely generate
more than a million qps (YMMV, there are exceptions, technical nitpicks, etc).

------
chei0aiV
what was the query string?

------
ajhurliman
Rooftops?

~~~
882542F3884314B
Root Server Operators = rootops

~~~
ajhurliman
Ah, I see. Thanks :)

