Unknown parties carried out a large-scale DDoS attack on the Internet’s DNS root servers, causing intermittent timeouts at four of the thirteen root server letters, specifically B, C, G, and H, the root server operators (RootOps) report.
There were two separate attacks: one on November 30 that lasted 160 minutes (06:50 to 09:30 UTC), and a shorter one on December 1 that lasted one hour (05:10 to 06:10 UTC).
RootOps reports that the attack traffic consisted of well-formed DNS queries, all for a single domain name during the first attack and for a different single name during the second.
Each attack reached up to five million queries per second per root name server. RootOps does not expect to identify the attacker: DNS queries carried over UDP can be sent with any source address, and the source addresses seen in the flood were randomized and spread across the entire IPv4 address space, so nothing in the traffic itself points back to where the packets were really injected.
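The fingerprint RootOps describes (valid queries, one query name dominating, sources scattered over the whole IPv4 space, a rate far above normal) is something an authoritative server operator can check for in their own query logs. The following is an added example, not code from RootOps or from the article: it parses a constructed log format, computes those three statistics for a burst of lines, and classifies the burst. The log format, the `target.example.` name (the real target domain was not disclosed), the thresholds, and both sample traffic generators are assumptions made for this example.

```python
import ipaddress
import random
from collections import Counter

# Constructed log format for this example (not RootOps' real logs):
#   "<unix_ts> <src_ip> <qname> <qtype>"
def parse_line(line):
    ts, src, qname, qtype = line.split()
    # normalise the name so "Target.Example" and "target.example." count as one
    return float(ts), ipaddress.IPv4Address(src), qname.lower().rstrip(".") + ".", qtype.upper()


def analyse(lines, name_share=0.9, min_slash8=200, min_qps=100_000):
    """Summarise one burst of query-log lines and classify it.

    Flood fingerprint from the report: syntactically valid queries, a single
    query name dominating, sources spread over (nearly) the whole IPv4 space,
    and a query rate far above what real resolvers produce. The thresholds are
    assumptions for this example, not figures from the report; a real deployment
    would derive them from the server's own baseline.
    """
    recs = [parse_line(l) for l in lines if l.strip()]
    if not recs:
        return {"verdict": "empty"}
    first = min(r[0] for r in recs)
    last = max(r[0] for r in recs)
    span = max(last - first, 1e-3)              # single timestamp: avoid dividing by zero
    qps = len(recs) / span
    names = Counter(r[2] for r in recs)
    top_name, top_count = names.most_common(1)[0]
    share = top_count / len(recs)
    # Source dispersion: count distinct /8 prefixes. A random 32-bit source field
    # covers all 256 of them almost immediately; a burst from real resolvers does not.
    slash8s = {int(r[1]) >> 24 for r in recs}
    flood = share >= name_share and len(slash8s) >= min_slash8 and qps >= min_qps
    return {
        "qps": qps,
        "top_qname": top_name,
        "top_share": share,
        "distinct_slash8": len(slash8s),
        "verdict": "spoofed-source flood" if flood else "normal",
    }


# Constructed samples. 1448866200 is 2015-11-30 06:50:00 UTC, the reported start
# of the first attack; "target.example." stands in for the undisclosed domain.
def make_flood(n=20_000, qname="target.example.", seed=1):
    """n queries for one name squeezed into 0.1 s, sources drawn uniformly from 32-bit space."""
    rng = random.Random(seed)
    return [
        f"{1448866200 + i * 0.1 / n:.6f} {ipaddress.IPv4Address(rng.getrandbits(32))} {qname} A"
        for i in range(n)
    ]


def make_normal(n=300, seed=2):
    """A quiet minute: three recursive resolvers asking for a mix of delegations."""
    rng = random.Random(seed)
    resolvers = ["192.0.2.10", "198.51.100.7", "203.0.113.25"]
    names = ["com.", "net.", "org.", "arpa.", "example."]
    return [
        f"{1448866200 + i * 60 / n:.6f} {rng.choice(resolvers)} {rng.choice(names)} NS"
        for i in range(n)
    ]


if __name__ == "__main__":
    for label, burst in (("flood", make_flood()), ("normal", make_normal())):
        print(label, analyse(burst))
```

The /8 count is the interesting signal: a busy authoritative server legitimately hears from thousands of resolvers, but a near-uniform spread over all 256 /8s inside a single burst is only plausible if the source field is being filled with random bits. That is also why the check is statistical rather than per-packet; no individual spoofed query can be told apart from a real one, which is exactly the point the operators make about attribution.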
The DDoS caused no lasting damage, only added delay for some users whose DNS lookups, whether from a browser, FTP, SSH, or another client, had to wait for a retry.
DNS protocol’s design saves the day
“The DNS root name server system functioned as designed, demonstrating overall robustness in the face of large-scale traffic floods observed at numerous DNS root name servers,” said the DNS root server operators, referring to the redundancy built into the root server system and into resolver behaviour.
Every recursive resolver is configured with the addresses of all thirteen root server letters, and each letter is itself served by many anycast instances. When a query to one server times out, the resolver retries another, so a flood that degrades a few letters slows lookups down rather than breaking name resolution.
The DNS root server operators did not speculate on the motive for the attack, but did state that it was not a reflection attack: the queries were sent directly to the root servers rather than bounced off third-party servers.
RootOps recommended that network operators that do not want spoofed-source DDoS traffic to leave their networks implement Source Address Validation as described in BCP 38 (RFC 2827, Network Ingress Filtering), so that packets carrying a source address that does not belong to the network they arrive from are dropped at the edge instead of reaching their target.
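BCP 38 has to be applied where the traffic enters the network, because only the first-hop provider knows which source addresses a customer port is entitled to use; the victim cannot do it, since from a root server's point of view every spoofed address looks like a valid Internet host. As an added example (not RootOps' or the article's code), the block below models that check for a hypothetical ISP edge router: a map from customer-facing interface to assigned prefixes, a fail-closed lookup, and a constructed traffic mix that includes a flood with randomized sources like the one described. The interface names, prefixes, and traffic are assumptions; `192.33.4.12` is the address of c.root-servers.net and merely stands in for "a root server" as the destination.

```python
import ipaddress
import random

# Constructed topology for a hypothetical ISP edge router: the prefixes assigned to
# each customer-facing interface. Addresses are taken from the documentation ranges.
INTERFACE_PREFIXES = {
    "cust0": [ipaddress.ip_network("192.0.2.0/24")],
    "cust1": [ipaddress.ip_network("198.51.100.0/25"), ipaddress.ip_network("203.0.113.128/25")],
}


def sav_allows(ingress_if, src):
    """BCP 38 ingress filter: a packet arriving on a customer interface may only
    carry a source address from the prefixes assigned to that interface.
    Anything else is spoofed or misrouted and is dropped at the edge."""
    nets = INTERFACE_PREFIXES.get(ingress_if)
    if nets is None:
        return False                       # unknown interface: fail closed
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def filter_packets(packets):
    """packets: iterable of (ingress_if, src, dst). Returns (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if sav_allows(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped


# c.root-servers.net; used here only as "some root server" on the far side.
ROOT = "192.33.4.12"


def sample_traffic(n_spoofed=1000, seed=3):
    """Constructed mix: legitimate queries from both customers, one customer
    sending queries with sources randomised over 32-bit space (as in the flood),
    and one packet whose source is valid on a *different* interface."""
    rng = random.Random(seed)
    legit = [("cust0", "192.0.2.10", ROOT), ("cust1", "198.51.100.7", ROOT),
             ("cust1", "203.0.113.200", ROOT)]
    cross = [("cust1", "192.0.2.10", ROOT)]       # right provider, wrong port: still dropped
    spoofed = [("cust0", str(ipaddress.IPv4Address(rng.getrandbits(32))), ROOT)
               for _ in range(n_spoofed)]
    return legit + cross + spoofed


if __name__ == "__main__":
    fwd, drop = filter_packets(sample_traffic())
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
```

On production routers the same check is normally expressed as an access list per customer port or as strict unicast reverse-path forwarding rather than in software, but the decision is identical: the only thing the edge needs to know is which prefixes sit behind each interface. A spoofed packet whose random source happens to fall inside the customer's own prefix does pass, which is correct, since that packet is indistinguishable from legitimate traffic and, more importantly, is traceable back to that customer.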