Security Experts:

Connect with us

Hi, what are you looking for?


Security Infrastructure

Root DNS Servers Hit by Attack

Domain Name System (DNS) root name servers were hit last week by unusually high query rates, causing timeouts for some valid, normal queries.

Domain Name System (DNS) root name servers were hit last week by unusually high query rates, causing timeouts for some valid, normal queries.

There are a total of 13 root servers comprising hundreds of globally distributed authoritative name servers that serve the DNS root zone. Root name servers, a critical part of the Internet infrastructure, enable communications between hosts by translating host and domain names to IP addresses.

DNS information doesn’t change very often and since it’s cached by intermediate name servers and applications, the root servers don’t need to be queried every time a request is made.

An announcement posted last week on the official website for DNS root servers revealed that an unusually high rate of queries was detected on November 30 and December 1. A high rate of valid DNS messages for a single domain was recorded on November 30 for a period of roughly three hours. A high rate of queries targeting a different domain was observed on December 1 for a one-hour period.

The targeted domains have not been disclosed and tracking down the source of the attack is not an easy task since it appears to have been carried out over UDP, which permits source IP spoofing.

Root servers, identified using letters from A to M, are operated by 12 organizations, including Verisign, Internet Systems Consortium (ISC), ICANN, NASA, the US Army, the US Department of Defense, Cogent Communications, Netnod, RIPE NCC, WIDE Project, and a couple of universities in the U.S. Most of the 13 DNS root name servers were hit by roughly 5 million queries per second each.

Statistics provided by some of the root server operators help put this query rate into perspective. For example, root servers A and J, both operated by Verisign, get an average of roughly 3 billion IPv4 UDP requests per day. On November 30, more than 52 billion queries were detected on server A and over 22 billion on server J.

In the case of server C, managed by Cogent, roughly 10 billion IPv4 UDP queries were made on November 30, 3-4 times more than in the days prior and after the attack. The K server, operated by RIPE NCC, received nearly 600,000 queries per second, far more than the 50,000 queries per second seen on a regular day.

“The incident traffic saturated network connections near some DNS root name server instances. This resulted in timeouts for valid, normal queries to some DNS root name servers from some locations,” reads an advisory describing the incident. 

However, experts noted that end-users likely haven’t been seriously impacted by the high query volume, except for “barely perceptible” initial delays for some browsers and clients (e.g. FTP or SSH clients).

“This event was notable for the fact that source addresses were widely and evenly distributed, while the query name was not. This incident, therefore, is different from typical DNS amplification attacks whereby DNS name servers (including the DNS root name servers) have been used as reflection points to overwhelm some third party,” reads the advisory. “The DNS root name server system functioned as designed, demonstrating overall robustness in the face of large-scale traffic floods observed at numerous DNS root name servers.”

While it’s unclear who might be behind the attack, some have speculated that someone might have attempted to show off the capabilities of a DDoS botnet to potential clients.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Security Infrastructure

XDR's fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture


The White House announced on Wednesday that the Industrial Control Systems (ICS) Cybersecurity Initiative has been expanded to include the chemical sector.


Security orchestration, automation and response (SOAR) provider Swimlane on Monday announced the launch of a security automation solution ecosystem for operational technology (OT) environments.

Data Protection

Artificial intelligence is more artificial than intelligent.

Incident Response

Created and maintained by MITRE, MITRE D3FEND is a framework that provides a library of defensive cybersecurity countermeasures and technical components to help organizations...

Application Security

Mobile & Wireless

US authorities announced a ban Friday on the import or sale of communications equipment deemed "an unacceptable risk to national security" -- including gear...