[GTER] Ataque contra os root servers

Rubens Kuhl rubensk at gmail.com
Sat Dec 12 19:48:43 -02 2015


Root Server Operators
rootops http://root-servers.org
                                                        December 4, 2015

                          Events of 2015-11-30


   On November 30, 2015 and December 1, 2015, over two separate
   intervals, several of the Internet Domain Name System's root name
   servers received a high rate of queries.  This report explains the
   nature and impact of the incident.

   While it's common for the root name servers to see anomalous traffic,
   including high query loads for varying periods of time, this event
   was large, noticeable via external monitoring systems, and fairly
   unique in nature, so this report is offered in the interests of

1.  Nature of Traffic

   On November 30, 2015 at 06:50 UTC DNS root name servers began
   receiving a high rate of queries.  The queries were well-formed,
   valid DNS messages for a single domain name.  The elevated traffic
   levels continued until approximately 09:30 UTC.

   On December 1, 2015 at 05:10 UTC DNS root name servers again received
   a similar rate of queries, this time for a different domain name.
   The event traffic continued until 06:10 UTC.

   Most, but not all, DNS root name server letters received this query
   load.  DNS root name servers that use IP anycast observed this
   traffic at a significant number of anycast sites.

   The source addresses of these particular queries appear to be
   randomized and distributed throughout the IPv4 address space.  The
   observed traffic volume due to this event was up to approximately 5
   million queries per second, per DNS root name server letter receiving
   the traffic.

2.  Impact of Traffic

   The incident traffic saturated network connections near some DNS root
   name server instances.  This resulted in timeouts for valid, normal
   queries to some DNS root name servers from some locations.

rootops                                                         [Page 1]

                          Events of 2015-11-30             December 2015

   Several DNS root name servers were continuously reachable from
   virtually all monitoring stations for the entire duration of the

   There are no known reports of end-user visible error conditions
   during, and as a result of, this incident.  Because the DNS protocol
   is designed to cope with partial reachability among a set of name
   servers, the impact was, to our knowledge, limited to potentially
   minor delays for some name lookups when a recursive name server needs
   to query a DNS root name server (e.g. a cache miss).  This would have
   manifested itself as a barely perceptible initial delay in some web
   browsers or other client programs (such as "ftp" or "ssh").

   Visibility of this event came about as a result of health monitoring
   by DNS root name server operators and other monitoring projects
   around the Internet.  Often these are in the form of "strip chart"
   graphics showing response time variance of a periodic simple query
   against some set of servers, including DNS root name servers.  Such
   test traffic may not be indicative of what happens to normal traffic
   or user experience.

3.  Analysis

   This event was notable for the fact that source addresses were widely
   and evenly distributed, while the query name was not.  This incident,
   therefore, is different from typical DNS amplification attacks
   whereby DNS name servers (including the DNS root name servers) have
   been used as reflection points to overwhelm some third party.

   The DNS root name server system functioned as designed, demonstrating
   overall robustness in the face of large-scale traffic floods observed
   at numerous DNS root name servers.

   Due to the fact that IP source addresses can be easily spoofed, and
   because event traffic landed at large numbers of anycast sites, it is
   unrealistic to trace the incident traffic back to its source.

   Source Address Validation and BCP-38 should be used wherever possible
   to reduce the ability to abuse networks to transmit spoofed source

rootops                                                         [Page 2]

More information about the gter mailing list