Hackers attack DNS, nobody notices

On Tuesday, some hackers mounted a pretty significant distributed denial of service attack on several of the root DNS servers (the ones that serve the delegation records for the top level domains). You can see the attack pretty dramatically in the following figure, which shows unanswered queries for the past seven days on G:

According to this report the attackers managed to seriously degrade service on three of the roots:

WASHINGTON — Hackers briefly overwhelmed at least three of the 13 computers that help manage global computer traffic Tuesday in one of the most significant attacks against the Internet since 2002.

Experts said the unusually powerful attacks lasted as long as 12 hours but passed largely unnoticed by most computer users, a testament to the resiliency of the Internet. Behind the scenes, computer scientists worldwide raced to cope with enormous volumes of data that threatened to saturate some of the Internet's most vital pipelines.

A few points are worth mentioning here. First, there are actually significantly more than 13 servers, because a substantial number of the root letters are anycasted, meaning that the same IP address is served by many physical machines and you talk to a different one depending on where you are in the network. So you would need to DoS a lot more than 13 machines in order to actually bring down all root DNS service.

Second, despite losing a significant fraction of the root server capacity, most people didn't really notice. There are two main reasons for this. The first is that DNS uses a lot of caching. The roots only hand out the addresses of the servers for the TLDs (e.g., com, org, etc.), and resolving nameservers cache those referrals. Since most domain names are drawn from a relatively small number of TLDs, your resolving nameserver will almost always already have the TLD servers in its cache and so doesn't need to go to the root at all. So, even if the roots were totally down, people would mostly continue to get service until their caches started to expire, which takes hours to days (the TLD delegations in the root zone carry a 48-hour TTL). The second reason is that all the roots are interchangeable and the resolving servers will keep trying until one works, so the end result is really more a slowdown than a loss of service. This sort of slowdown gets lost in the ordinary net hiccups people experience and just tolerate.
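To make the two mechanisms above concrete, here is a toy model of a caching recursive resolver. It is an added example, not code from the original post or from any real resolver: the host names, the outage set and the round-robin root selection are all constructed for illustration (real resolvers pick roots by measured round-trip time, and anycast is not modeled at all). The 48-hour TTL matches the root zone's TLD delegations but is treated here as an assumed constant. The first scenario warms the cache and then takes every root down; the second starts cold with three of the thirteen roots unresponsive.

```python
"""Toy model of why a partial root-server outage is mostly invisible.

Added example (not from the original post). A Resolver caches the TLD
delegation it learns from a root and, when it does have to ask a root,
keeps cycling through the 13 root letters until one answers.
"""
from dataclasses import dataclass, field

ROOT_LETTERS = "ABCDEFGHIJKLM"   # the 13 root server identities
TLD_NS_TTL = 48 * 3600           # assumed TTL of TLD delegations (seconds)


@dataclass
class RootServer:
    letter: str
    up: bool = True

    def query(self, tld: str) -> str:
        """Return a (constructed) TLD nameserver name, or time out if down."""
        if not self.up:
            raise TimeoutError(f"{self.letter}-root did not answer")
        return f"{tld}-tld-ns.example"   # constructed referral target


@dataclass
class Resolver:
    roots: list
    now: int = 0                                  # simulated clock, seconds
    cache: dict = field(default_factory=dict)     # tld -> (ns_name, expires_at)
    next_root: int = 0                            # round-robin cursor (assumption)

    def tld_servers(self, tld: str):
        """Return (ns_name, root_attempts); attempts is 0 on a cache hit."""
        hit = self.cache.get(tld)
        if hit and hit[1] > self.now:
            return hit[0], 0
        attempts = 0
        for _ in range(len(self.roots)):          # try every root at most once
            root = self.roots[self.next_root]
            self.next_root = (self.next_root + 1) % len(self.roots)
            attempts += 1
            try:
                ns = root.query(tld)
            except TimeoutError:
                continue                          # interchangeable: try the next one
            self.cache[tld] = (ns, self.now + TLD_NS_TTL)
            return ns, attempts
        raise RuntimeError(f"no root answered for .{tld} after {attempts} tries")

    def resolve(self, name: str) -> dict:
        tld = name.rsplit(".", 1)[-1]
        ns, attempts = self.tld_servers(tld)
        return {"name": name, "tld_ns": ns, "root_attempts": attempts}


def scenario_warm_cache_all_roots_down():
    """Warm the cache, then take every root down: lookups still succeed
    until the cached delegation expires. Returns (attempts, works_after_ttl)."""
    roots = [RootServer(c) for c in ROOT_LETTERS]
    r = Resolver(roots)
    r.resolve("www.example.com")              # populates the .com delegation
    for root in roots:
        root.up = False
    served = r.resolve("mail.example.com")    # cache hit: no root contacted
    r.now += TLD_NS_TTL                       # advance past the delegation TTL
    try:
        r.resolve("mail.example.com")
        works_after_ttl = True
    except RuntimeError:
        works_after_ttl = False
    return served["root_attempts"], works_after_ttl


def scenario_three_roots_down():
    """Cold cache with F, G and L down (constructed outage): every TLD still
    resolves, but some lookups need extra root attempts, i.e. a slowdown."""
    roots = [RootServer(c, up=c not in "FGL") for c in ROOT_LETTERS]
    r = Resolver(roots)
    names = ("a.com", "b.org", "c.net", "d.uk", "e.de", "f.jp", "g.fr")
    return [r.resolve(n)["root_attempts"] for n in names]


if __name__ == "__main__":
    print("warm cache, all roots down:", scenario_warm_cache_all_roots_down())
    print("cold cache, 3 of 13 roots down:", scenario_three_roots_down())
```

The first scenario returns 0 root attempts while the cache is warm and only fails once the 48-hour delegation has expired; the second shows the lookup that lands on the dead F and G roots costing three attempts instead of one, which is exactly the kind of delay that disappears into ordinary network noise.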


The NPR report about this had someone talking about how "this was really an unprecedented level of attack.... well, ok, it happened once before"

A more interesting comment from that report suggested that this may have been a show of force from a DDoS extortion ring, so their goal was not so much to bring down the Internet as get into a newspaper.
