Distributed denial-of-service attacks on root nameservers

Last updated

Distributed denial-of-service attacks on root nameservers are Internet events in which distributed denial-of-service attacks target one or more of the thirteen Domain Name System root nameserver clusters. The root nameservers are critical infrastructure components of the Internet, mapping domain names to IP addresses and other resource record (RR) data.

Contents

Attacks against the root nameservers could, in theory, impact operation of the entire global Domain Name System, and thus all Internet services that use the global DNS, rather than just specific websites. However, in practice, the root nameserver infrastructure is highly resilient and distributed, using both the inherent features of DNS (result caching, retries, and multiple servers for the same zone with fallback if one or more fail), and, in recent years, a combination of anycast and load balancer techniques used to implement most of the thirteen nominal individual root servers as globally distributed clusters of servers in multiple data centers.

In particular, the caching and redundancy features of DNS mean that it would require a sustained outage of all the major root servers for many days before any serious problems were created for most Internet users, and even then there are still numerous ways in which ISPs could set their systems up during that period to mitigate even a total loss of all root servers for an extended period of time: for example by installing their own copies of the global DNS root zone data on nameservers within their network, and redirecting traffic to the root server IP addresses to those servers. Nevertheless, DDoS attacks on the root zone are taken seriously as a risk by the operators of the root nameservers, and they continue to upgrade the capacity and DDoS mitigation capabilities of their infrastructure to resist any future attacks.

An effective attack against DNS might involve targeting top-level domain servers (such as those servicing the .com domain) instead of root name servers. Alternatively, a man-in-the-middle attack or DNS poisoning attack could be used, though they would be more difficult to carry out.

Attacks

October 21, 2002

On October 21, 2002 an attack lasting for approximately one hour was targeted at all 13 DNS root name servers. [1] The attackers sent many ICMP ping packets using a botnet to each of the servers. However, because the servers were protected by packet filters which were configured to block all incoming ICMP ping packets, they did not sustain much damage and there was little to no impact on Internet users. [2]

February 6, 2007

On February 6, 2007 an attack began at 10:00  UTC and lasted twenty-four hours. At least two of the root servers (G-ROOT and L-ROOT) reportedly "suffered badly" while two others (F-ROOT and M-ROOT) "experienced heavy traffic". The latter two servers largely mitigated the damage by distributing requests to other root server instances with anycast addressing. ICANN published a formal analysis shortly after the event. [3]

Due to a lack of detail, speculation about the incident proliferated in the press until details were released. [4]

November 30, 2015

During two intervals on November 30, 2015 and December 1, 2015, several of the root name servers received up to 5 million queries per second each, receiving valid queries for a single undisclosed domain name and then a different domain the next day. Source addresses were spread throughout IPv4 space, however these may have been spoofed. Some root server networks became saturated, resulting in timeouts, however redundancy among the root servers prevented downstream issues from occurring during this incident. [5] [6]

Threats

Operation Global Blackout 2012

On February 12, 2012, a statement [7] was posted on Pastebin cited to be from Anonymous, threatening an attack on the root servers on March 31, 2012. [8]

"To protest SOPA, Wallstreet, our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun, On March 31, anonymous will shut the Internet down," reads the statement. "Remember, this is a protest, we are not trying to ‘kill' the Internet, we are only temporarily shutting it down where it hurts the most…It may only last one hour, maybe more, maybe even a few days. No matter what, it will be global. It will be known." [9]

Related Research Articles

The Domain Name System (DNS) is the hierarchical and distributed naming system used to identify computers reachable through the Internet or other Internet Protocol (IP) networks. The resource records contained in the DNS associate domain names with other forms of information. These are most commonly used to map human-friendly domain names to the numerical IP addresses computers need to locate services and devices using the underlying network protocols, but have been extended over time to perform many other functions as well. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

A top-level domain (TLD) is one of the domains at the highest level in the hierarchical Domain Name System of the Internet after the root domain. The top-level domain names are installed in the root zone of the name space. For all domains in lower levels, it is the last part of the domain name, that is, the last non empty label of a fully qualified domain name. For example, in the domain name www.example.com, the top-level domain is com. Responsibility for management of most top-level domains is delegated to specific organizations by the ICANN, an Internet multi-stakeholder community, which operates the Internet Assigned Numbers Authority (IANA), and is in charge of maintaining the DNS root zone.

Time to live (TTL) or hop limit is a mechanism which limits the lifespan or lifetime of data in a computer or network. TTL may be implemented as a counter or timestamp attached to or embedded in the data. Once the prescribed event count or timespan has elapsed, data is discarded or revalidated. In computer networking, TTL prevents a data packet from circulating indefinitely. In computing applications, TTL is commonly used to improve the performance and manage the caching of data.

<span class="mw-page-title-main">Denial-of-service attack</span> Cyber attack disrupting service by overloading the provider of the service

In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

A domain name is a string that identifies a realm of administrative autonomy, authority or control within the Internet. Domain names are used in various networking contexts and for application-specific naming and addressing purposes. In general, a domain name identifies a network domain or an Internet Protocol (IP) resource, such as a personal computer used to access the Internet, or a server computer. Domain names are often used to identify services provided through the Internet, such as websites and email services. As of 2017, 330.6 million domain names had been registered.

<span class="mw-page-title-main">Internet Assigned Numbers Authority</span> Standards organization overseeing IP addresses

The Internet Assigned Numbers Authority (IANA) is a standards organization that oversees global IP address allocation, autonomous system number allocation, root zone management in the Domain Name System (DNS), media types, and other Internet Protocol-related symbols and Internet numbers.

A domain name registry is a database of all domain names and the associated registrant information in the top level domains of the Domain Name System (DNS) of the Internet that enables third party entities to request administrative control of a domain name. Most registries operate on the top-level and second-level of the DNS.

<span class="mw-page-title-main">Root name server</span> Name server for the DNS root zone

A root name server is a name server for the root zone of the Domain Name System (DNS) of the Internet. It directly answers requests for records in the root zone and answers other requests by returning a list of the authoritative name servers for the appropriate top-level domain (TLD). The root name servers are a critical part of the Internet infrastructure because they are the first step in resolving human-readable host names into IP addresses that are used in communication between Internet hosts.

The DNS root zone is the top-level DNS zone in the hierarchical namespace of the Domain Name System (DNS) of the Internet.

<span class="mw-page-title-main">Verisign</span> American Internet company

Verisign Inc. is an American company based in Reston, Virginia, United States that operates a diverse array of network infrastructure, including two of the Internet's thirteen root nameservers, the authoritative registry for the .com, .net, and .name generic top-level domains and the .cc and .tv country-code top-level domains, and the back-end systems for the .jobs, .gov, and .edu sponsored top-level domains.

The Internet uses the Domain Name System (DNS) to associate numeric computer IP addresses with human-readable names. The top level of the domain name hierarchy, the DNS root, contains the top-level domains that appear as the suffixes of all Internet domain names. The most widely used DNS root is administered by the Internet Corporation for Assigned Names and Numbers (ICANN). In addition, several organizations operate alternative DNS roots, often referred to as alt roots. These alternative domain name systems operate their own root name servers and commonly administer their own specific name spaces consisting of custom top-level domains.

<span class="mw-page-title-main">Anycast</span> Network addressing and routing methodology

Anycast is a network addressing and routing methodology in which a single destination IP address is shared by devices in multiple locations. Routers direct packets addressed to this destination to the location nearest the sender, using their normal decision-making algorithms, typically the lowest number of BGP network hops. Anycast routing is widely used by content delivery networks such as web and DNS hosts, to bring their content closer to end users.

<span class="mw-page-title-main">The Spamhaus Project</span> Organization targetting email spammers

The Spamhaus Project is an international organisation based in the Principality of Andorra, founded in 1998 by Steve Linford to track email spammers and spam-related activity. The name spamhaus, a pseudo-German expression, was coined by Linford to refer to an internet service provider, or other firm, which spams or knowingly provides service to spammers.

Internet Systems Consortium, Inc., also known as ISC, is a Delaware-registered, 501(c)(3) non-profit corporation that supports the infrastructure of the universal, self-organizing Internet by developing and maintaining core production-quality software, protocols, and operations. ISC has developed several key Internet technologies that enable the global Internet, including: BIND, ISC DHCP and Kea. Other software projects no longer in active development include OpenReg and ISC AFTR.

DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address. This results in traffic being diverted to the attacker's computer.

<span class="mw-page-title-main">Open Root Server Network</span>

Open Root Server Network (ORSN) was a network of Domain Name System root nameservers for the Internet. ORSN DNS root zone information was kept in synchronization with the "official" Domain Name System root nameservers coordinated by ICANN. The networks were 100% compatible, though ORSN was operated independently. The ORSN servers were primarily placed in Europe. ORSN is also used by public name servers, providing Domain Name System access freely for everyone, without any limitation until the project closed in May 2019. ORSN was primarily started to reduce the over-dependence of Internet users on the United States and Department of Commerce/IANA/ICANN/VeriSign, limit the control over the Internet that this gives, while ensuring that domain names remain unambiguous. It also helps avoid the technical possibility of global "Internet shutdown" by one party. They also expect their network to make domain name resolutions faster for everyone.

<span class="mw-page-title-main">Packet Clearing House</span> Organization maintaining the domain name system and internet exchange points

Packet Clearing House (PCH) is the international nonprofit organization responsible for providing operational support and security to critical internet infrastructure, including Internet exchange points and the core of the domain name system. The organization also works in the areas of cybersecurity coordination, regulatory policy and Internet governance.

In networking, a black hole refers to a place in the network where incoming or outgoing traffic is silently discarded, without informing the source that the data did not reach its intended recipient.

Prolexic Technologies was a US-based provider of security solutions for protecting web sites, data centers, and enterprise IP applications from Distributed Denial of Service (DDoS) attacks at the network, transport, and application layers. It operated a DDoS mitigation platform and a global network of traffic scrubbing centers. Real-time monitoring and mitigation services were provided from a 24/7 security operations control center (SOCC). Prolexic indicated its DDoS mitigation services make websites, data centers and enterprise IP applications harder to take down via DDoS attacks.

DNSimple is a managed domain name server service operated by Aetrion LLC d/b/a DNSimple, which offers DNS hosting, domain registration, and SSL certificates. DNSimple is also an ICANN-accredited domain registrar.

References

  1. Vixie, Paul; Gerry Sneeringer; Mark Schleifer (2002-11-24). "Events of 21-Oct-2002". Archived from the original on 2011-03-02. Retrieved 2008-07-11.
  2. Kurose, James F. (Feb 24, 2012). "2". Computer Networking: A Top-Down Approach (6th ed.). p. 143. ISBN   978-0132856201.
  3. "Factsheet – Root server attack on 6 February 2007" (PDF). ICANN. 2007-03-01. Retrieved 2013-09-23.
  4. Kristoff, John (2007-07-27). "Root DDoS Attack Analysis" (PDF). DNS-OARC. Retrieved 2009-09-09.
  5. "Events of 2015-11-30". 2015-12-04. Retrieved 2015-12-08.
  6. Moura, Giovane C.M.; de O. Schmidt, Ricardo; Heidemann, John; de Vries, Wouter; Müller, Moritz; Wei, Lan; Hesselman, Cristian (November 2016). "Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event" (PDF). Proceedings of the ACM Internet Measurement Conference (IMC 2016). Santa Monica, CA, USA: ACM. doi:10.1145/2987443.2987446. ISBN   9781450345262.
  7. "Untitled". pastebin.com. 12 February 2012.
  8. "Untitled". pastebin.com. 2012-02-12. Retrieved 2012-02-19.
  9. Greenberg, Andy (2012-02-16). "Anonymous Plans To Take Down The Internet? We're Being Trolled". Forbes. Retrieved 2012-02-19.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.