[GTER] Ataque contra os root servers

Demétrio Costa Góis demetrio.gois at gmail.com
Mon Dec 14 09:19:43 -02 2015


Esse é o ataque que o Mcafee se refere?

http://seclists.org/nanog/2015/Dec/221

2015-12-12 18:48 GMT-03:00 Rubens Kuhl <rubensk at gmail.com>:

> http://root-servers.org/news/events-of-20151130.txt
>
> Root Server Operators
> rootops http://root-servers.org
>                                                         December 4, 2015
>
>
>                           Events of 2015-11-30
>
> Abstract
>
>    On November 30, 2015 and December 1, 2015, over two separate
>    intervals, several of the Internet Domain Name System's root name
>    servers received a high rate of queries.  This report explains the
>    nature and impact of the incident.
>
>    While it's common for the root name servers to see anomalous traffic,
>    including high query loads for varying periods of time, this event
>    was large, noticeable via external monitoring systems, and fairly
>    unique in nature, so this report is offered in the interests of
>    transparency.
>
>
> 1.  Nature of Traffic
>
>    On November 30, 2015 at 06:50 UTC DNS root name servers began
>    receiving a high rate of queries.  The queries were well-formed,
>    valid DNS messages for a single domain name.  The elevated traffic
>    levels continued until approximately 09:30 UTC.
>
>    On December 1, 2015 at 05:10 UTC DNS root name servers again received
>    a similar rate of queries, this time for a different domain name.
>    The event traffic continued until 06:10 UTC.
>
>    Most, but not all, DNS root name server letters received this query
>    load.  DNS root name servers that use IP anycast observed this
>    traffic at a significant number of anycast sites.
>
>    The source addresses of these particular queries appear to be
>    randomized and distributed throughout the IPv4 address space.  The
>    observed traffic volume due to this event was up to approximately 5
>    million queries per second, per DNS root name server letter receiving
>    the traffic.
>
>
> 2.  Impact of Traffic
>
>    The incident traffic saturated network connections near some DNS root
>    name server instances.  This resulted in timeouts for valid, normal
>    queries to some DNS root name servers from some locations.
>
>
>
>
> rootops                                                         [Page 1]
>
>                           Events of 2015-11-30             December 2015
>
>
>    Several DNS root name servers were continuously reachable from
>    virtually all monitoring stations for the entire duration of the
>    incident.
>
>    There are no known reports of end-user visible error conditions
>    during, and as a result of, this incident.  Because the DNS protocol
>    is designed to cope with partial reachability among a set of name
>    servers, the impact was, to our knowledge, limited to potentially
>    minor delays for some name lookups when a recursive name server needs
>    to query a DNS root name server (e.g. a cache miss).  This would have
>    manifested itself as a barely perceptible initial delay in some web
>    browsers or other client programs (such as "ftp" or "ssh").
>
>    Visibility of this event came about as a result of health monitoring
>    by DNS root name server operators and other monitoring projects
>    around the Internet.  Often these are in the form of "strip chart"
>    graphics showing response time variance of a periodic simple query
>    against some set of servers, including DNS root name servers.  Such
>    test traffic may not be indicative of what happens to normal traffic
>    or user experience.
>
>
> 3.  Analysis
>
>    This event was notable for the fact that source addresses were widely
>    and evenly distributed, while the query name was not.  This incident,
>    therefore, is different from typical DNS amplification attacks
>    whereby DNS name servers (including the DNS root name servers) have
>    been used as reflection points to overwhelm some third party.
>
>    The DNS root name server system functioned as designed, demonstrating
>    overall robustness in the face of large-scale traffic floods observed
>    at numerous DNS root name servers.
>
>    Due to the fact that IP source addresses can be easily spoofed, and
>    because event traffic landed at large numbers of anycast sites, it is
>    unrealistic to trace the incident traffic back to its source.
>
>    Source Address Validation and BCP-38 should be used wherever possible
>    to reduce the ability to abuse networks to transmit spoofed source
>    packets.
>
>
>
>
>
>
>
>
>
> rootops                                                         [Page 2]
> --
> gter list    https://eng.registro.br/mailman/listinfo/gter
>



-- 

Demétrio da Costa Góis
Graduando em Ciência da Computação - UEPB
Administração de redes e sistemas.



More information about the gter mailing list