[GTER] Ataque contra os root servers
Demétrio Costa Góis
demetrio.gois at gmail.com
Mon Dec 14 09:19:43 -02 2015
Esse é o ataque que o Mcafee se refere?
http://seclists.org/nanog/2015/Dec/221
2015-12-12 18:48 GMT-03:00 Rubens Kuhl <rubensk at gmail.com>:
> http://root-servers.org/news/events-of-20151130.txt
>
> Root Server Operators
> rootops http://root-servers.org
> December 4, 2015
>
>
> Events of 2015-11-30
>
> Abstract
>
> On November 30, 2015 and December 1, 2015, over two separate
> intervals, several of the Internet Domain Name System's root name
> servers received a high rate of queries. This report explains the
> nature and impact of the incident.
>
> While it's common for the root name servers to see anomalous traffic,
> including high query loads for varying periods of time, this event
> was large, noticeable via external monitoring systems, and fairly
> unique in nature, so this report is offered in the interests of
> transparency.
>
>
> 1. Nature of Traffic
>
> On November 30, 2015 at 06:50 UTC DNS root name servers began
> receiving a high rate of queries. The queries were well-formed,
> valid DNS messages for a single domain name. The elevated traffic
> levels continued until approximately 09:30 UTC.
>
> On December 1, 2015 at 05:10 UTC DNS root name servers again received
> a similar rate of queries, this time for a different domain name.
> The event traffic continued until 06:10 UTC.
>
> Most, but not all, DNS root name server letters received this query
> load. DNS root name servers that use IP anycast observed this
> traffic at a significant number of anycast sites.
>
> The source addresses of these particular queries appear to be
> randomized and distributed throughout the IPv4 address space. The
> observed traffic volume due to this event was up to approximately 5
> million queries per second, per DNS root name server letter receiving
> the traffic.
>
>
> 2. Impact of Traffic
>
> The incident traffic saturated network connections near some DNS root
> name server instances. This resulted in timeouts for valid, normal
> queries to some DNS root name servers from some locations.
>
>
>
>
> rootops [Page 1]
>
> Events of 2015-11-30 December 2015
>
>
> Several DNS root name servers were continuously reachable from
> virtually all monitoring stations for the entire duration of the
> incident.
>
> There are no known reports of end-user visible error conditions
> during, and as a result of, this incident. Because the DNS protocol
> is designed to cope with partial reachability among a set of name
> servers, the impact was, to our knowledge, limited to potentially
> minor delays for some name lookups when a recursive name server needs
> to query a DNS root name server (e.g. a cache miss). This would have
> manifested itself as a barely perceptible initial delay in some web
> browsers or other client programs (such as "ftp" or "ssh").
>
> Visibility of this event came about as a result of health monitoring
> by DNS root name server operators and other monitoring projects
> around the Internet. Often these are in the form of "strip chart"
> graphics showing response time variance of a periodic simple query
> against some set of servers, including DNS root name servers. Such
> test traffic may not be indicative of what happens to normal traffic
> or user experience.
>
>
> 3. Analysis
>
> This event was notable for the fact that source addresses were widely
> and evenly distributed, while the query name was not. This incident,
> therefore, is different from typical DNS amplification attacks
> whereby DNS name servers (including the DNS root name servers) have
> been used as reflection points to overwhelm some third party.
>
> The DNS root name server system functioned as designed, demonstrating
> overall robustness in the face of large-scale traffic floods observed
> at numerous DNS root name servers.
>
> Due to the fact that IP source addresses can be easily spoofed, and
> because event traffic landed at large numbers of anycast sites, it is
> unrealistic to trace the incident traffic back to its source.
>
> Source Address Validation and BCP-38 should be used wherever possible
> to reduce the ability to abuse networks to transmit spoofed source
> packets.
>
>
>
>
>
>
>
>
>
> rootops [Page 2]
> --
> gter list https://eng.registro.br/mailman/listinfo/gter
>
--
Demétrio da Costa Góis
Graduando em Ciência da Computação - UEPB
Administração de redes e sistemas.
More information about the gter
mailing list