C.5. Report on the DDoS Attack on the DNS Root Servers


Paul Vixie, Gerry Sneeringer, and Mark Schleifer, who run three of the DNS root servers, wrote a brief report on what they observed and were able to deduce about the DDoS attack on the DNS root servers. There are other reports available on details of particular DDoS attacks, but the nature of this attack makes it of more general interest.

As stated earlier, the attack occurred on October 21, 2002. It lasted for a little over an hour. Each root server was attacked with a volume of between 50 and 100 Mbps, with a total attack volume of something like 900 Mbps, which translates to around 1.8 Mpackets/sec. The attack traffic was a mixture of protocols, including ICMP, TCP SYNs, TCP fragments, and UDP. The attack was synchronized to attack all 13 DNS root servers, making it clear that it was completely intentional.

The attack used randomized IP spoofing, with some care taken to ensure that nonroutable addresses tended not to be chosen.

The authors indicate that some of the root name servers became unreachable from parts of the Internet due to congestion effects, either close to the servers or further upstream. None of the servers were overwhelmed in the sense that they could not answer all queries that were delivered to them, but some servers did not receive all queries that were sent to them, again due to congestion.

Some of the root servers were continuously reachable from virtually all monitoring locations for the entire duration of the attack. These servers achieved their immunity by overprovisioning their networks, so that the flood did not congest their pipes or any pipes in their vicinity.

No users reported any problems receiving DNS root service during the attack, which is not surprising. In the first place, most DNS requests rely on caching to avoid trips to these servers. Also, since some of the servers were available continuously from all locations, the system's design would reroute queries to those servers eventually, leading to a few seconds' delay, rather than failure.

One point the report makes is that the entire attack might have gone unnoticed, were it not for automatic monitoring tools that quickly made the increase in traffic obvious. This point suggests that if you are not already running some kind of network monitoring on your local network, you should start doing so. Otherwise, it may take you some time to determine that problems you are experiencing are due to a DDoS attack, rather than some other failure or attack.

Finally, the authors and other authorities who run the DNS root servers took this attack to heart, even though it did not cripple their vital service. They have taken important measures to protect their systems against future attacks, including widespread mirroring of the content and ensuring that there is sufficient topological and geographic diversity in root server locations so that no attacks on a small set of network choke points can cripple the service. We should all take a lesson from their prudence and take similar proactive steps to protect our networks before they succumb to a DDoS attack.

This report can be found online at http://d.root-servers.org/october21.txt.



Internet Denial of Service: Attack and Defense Mechanisms
ISBN: 0131475738
Year: 2003
Pages: 126
