[GTER] Ataque contra os root servers
rubensk at gmail.com
Sat Dec 12 19:48:43 -02 2015
Root Server Operators
December 4, 2015
Events of 2015-11-30
On November 30, 2015 and December 1, 2015, over two separate
intervals, several of the Internet Domain Name System's root name
servers received a high rate of queries. This report explains the
nature and impact of the incident.
While it's common for the root name servers to see anomalous traffic,
including high query loads for varying periods of time, this event
was large, noticeable via external monitoring systems, and fairly
unique in nature, so this report is offered in the interests of
1. Nature of Traffic
On November 30, 2015 at 06:50 UTC DNS root name servers began
receiving a high rate of queries. The queries were well-formed,
valid DNS messages for a single domain name. The elevated traffic
levels continued until approximately 09:30 UTC.
On December 1, 2015 at 05:10 UTC DNS root name servers again received
a similar rate of queries, this time for a different domain name.
The event traffic continued until 06:10 UTC.
Most, but not all, DNS root name server letters received this query
load. DNS root name servers that use IP anycast observed this
traffic at a significant number of anycast sites.
The source addresses of these particular queries appear to be
randomized and distributed throughout the IPv4 address space. The
observed traffic volume due to this event was up to approximately 5
million queries per second, per DNS root name server letter receiving
2. Impact of Traffic
The incident traffic saturated network connections near some DNS root
name server instances. This resulted in timeouts for valid, normal
queries to some DNS root name servers from some locations.
rootops [Page 1]
Events of 2015-11-30 December 2015
Several DNS root name servers were continuously reachable from
virtually all monitoring stations for the entire duration of the
There are no known reports of end-user visible error conditions
during, and as a result of, this incident. Because the DNS protocol
is designed to cope with partial reachability among a set of name
servers, the impact was, to our knowledge, limited to potentially
minor delays for some name lookups when a recursive name server needs
to query a DNS root name server (e.g. a cache miss). This would have
manifested itself as a barely perceptible initial delay in some web
browsers or other client programs (such as "ftp" or "ssh").
Visibility of this event came about as a result of health monitoring
by DNS root name server operators and other monitoring projects
around the Internet. Often these are in the form of "strip chart"
graphics showing response time variance of a periodic simple query
against some set of servers, including DNS root name servers. Such
test traffic may not be indicative of what happens to normal traffic
or user experience.
This event was notable for the fact that source addresses were widely
and evenly distributed, while the query name was not. This incident,
therefore, is different from typical DNS amplification attacks
whereby DNS name servers (including the DNS root name servers) have
been used as reflection points to overwhelm some third party.
The DNS root name server system functioned as designed, demonstrating
overall robustness in the face of large-scale traffic floods observed
at numerous DNS root name servers.
Due to the fact that IP source addresses can be easily spoofed, and
because event traffic landed at large numbers of anycast sites, it is
unrealistic to trace the incident traffic back to its source.
Source Address Validation and BCP-38 should be used wherever possible
to reduce the ability to abuse networks to transmit spoofed source
rootops [Page 2]
More information about the gter