Domain Name System (DNS) root name servers were hit last week by unusually high query rates, causing timeouts for some valid, normal queries.
There are 13 root server identities, named A through M, each with its own IP addresses and each served by many anycast instances, so that hundreds of globally distributed servers answer authoritatively for the DNS root zone. Root name servers are a critical part of the Internet infrastructure: they sit at the top of the DNS hierarchy and tell resolvers which servers are authoritative for each top-level domain (.com, .org, .uk and so on), which is the first step in translating a host or domain name into an IP address.
Root zone data changes rarely, and recursive resolvers cache the delegation records they receive (the TLD NS records in the root zone carry a two-day TTL), so a resolver contacts the root only when a delegation it needs is not already in its cache, not on every lookup.
An announcement posted last week on the official website for DNS root servers revealed that an unusually high rate of queries was detected on November 30 and December 1. A high rate of valid DNS messages for a single domain was recorded on November 30 for a period of roughly three hours. A high rate of queries targeting a different domain was observed on December 1 for a one-hour period.
The targeted domain names have not been disclosed, and tracing the flood to its origin is difficult because it was carried over UDP, which has no handshake and therefore lets a sender forge the source IP address of every packet; the source addresses recorded by the root servers cannot be relied on to identify the attacking hosts.
Root servers, identified by the letters A through M, are operated by 12 organizations, including Verisign (which runs two of them), Internet Systems Consortium (ISC), ICANN, NASA, the US Army, the US Department of Defense, Cogent Communications, Netnod, RIPE NCC, WIDE Project, and two universities in the U.S. During the incident, most of the 13 root name servers received roughly 5 million queries per second each.
Statistics published by some of the operators put that rate into perspective. Root servers A and J, both operated by Verisign, normally handle roughly 3 billion IPv4 UDP queries per day; on November 30, server A logged more than 52 billion queries and server J more than 22 billion.
Server C, operated by Cogent, saw roughly 10 billion IPv4 UDP queries on November 30, three to four times its volume on the days before and after the attack. The K server, run by RIPE NCC, received nearly 600,000 queries per second during the flood, against roughly 50,000 per second on a normal day.
“The incident traffic saturated network connections near some DNS root name server instances. This resulted in timeouts for valid, normal queries to some DNS root name servers from some locations,” reads an advisory describing the incident.
End users, however, are unlikely to have been seriously affected: experts noted at most "barely perceptible" initial delays in some browsers and clients (e.g. FTP or SSH clients), since resolvers retry timed-out queries and most lookups are answered from cache without ever reaching the root.
“This event was notable for the fact that source addresses were widely and evenly distributed, while the query name was not. This incident, therefore, is different from typical DNS amplification attacks whereby DNS name servers (including the DNS root name servers) have been used as reflection points to overwhelm some third party,” reads the advisory. “The DNS root name server system functioned as designed, demonstrating overall robustness in the face of large-scale traffic floods observed at numerous DNS root name servers.”
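The two properties the advisory singles out, widely and evenly spread source addresses combined with a single dominant query name, are exactly what a resolver or authoritative-server operator can measure from a query log to tell this kind of flood apart from ordinary traffic or from a reflection attack. The following is an added example, not code from the advisory or from any root server operator: it computes query rate, distinct-source count, normalized source-address entropy and the share of the most common query name over a constructed sample log, then classifies the window. The log line format (`timestamp source proto qname`), the documentation-range source addresses, the name `flood-target.example.` and the thresholds are all assumptions made for illustration. Note that high source entropy is consistent with UDP source spoofing but does not prove it; as the article explains, spoofed sources cannot be attributed to real hosts.

```python
"""Flood-shape check for a DNS query log (illustrative, not operator code).

Distinguishes the 2015 root-server flood pattern (many evenly spread sources,
one dominant query name) from normal traffic using a constructed sample log.
"""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class Query:
    ts: float   # seconds since start of window (assumed log format)
    src: str    # source IP as logged; may be spoofed over UDP
    qname: str  # query name, lower-cased


def parse_line(line: str) -> Query:
    """Parse an assumed 'timestamp source proto qname' log line."""
    ts, src, _proto, qname = line.split()
    return Query(float(ts), src, qname.lower())


def normalized_entropy(counter: Counter) -> float:
    """Shannon entropy of the distribution divided by its maximum (log2 of the
    number of distinct keys); 1.0 means perfectly even spread, 0.0 means a
    single key."""
    total = sum(counter.values())
    if total == 0 or len(counter) == 1:
        return 0.0
    h = -sum((c / total) * math.log2(c / total) for c in counter.values())
    return h / math.log2(len(counter))


def flood_profile(queries: list, window_seconds: float) -> dict:
    """Summarize a window of queries by rate, source spread and name concentration."""
    sources = Counter(q.src for q in queries)
    names = Counter(q.qname for q in queries)
    top_name, top_count = names.most_common(1)[0]
    return {
        "qps": len(queries) / window_seconds,
        "distinct_sources": len(sources),
        "source_entropy": normalized_entropy(sources),
        "top_qname": top_name,
        "top_qname_share": top_count / len(queries),
    }


def classify(profile: dict, baseline_qps: float, rate_factor: float = 5.0,
             share_threshold: float = 0.9, entropy_threshold: float = 0.9) -> str:
    """Label a window. Thresholds are assumed values for illustration only."""
    if profile["qps"] < rate_factor * baseline_qps:
        return "normal"
    concentrated_name = profile["top_qname_share"] >= share_threshold
    spread_sources = profile["source_entropy"] >= entropy_threshold
    if concentrated_name and spread_sources:
        # Matches the advisory's description: evenly spread sources, one name.
        return "single-name flood from widely distributed (possibly spoofed) sources"
    if concentrated_name:
        return "single-name flood from concentrated sources"
    return "volumetric flood"


def build_constructed_log():
    """Constructed sample data, not real root-server traffic.

    Returns (baseline_lines, incident_lines) for two 10-second windows.
    Legitimate traffic: four resolvers in 198.18.0.0/24 asking for TLD
    delegations. Flood: 1900 queries for one name from 768 addresses in the
    RFC 5737 documentation ranges, spread evenly (as a spoofing sender would)."""
    tlds = ["com.", "net.", "org.", "uk."]
    resolvers = [f"198.18.0.{n}" for n in range(1, 5)]
    baseline = [f"{i * 0.1:.3f} {resolvers[i % 4]} udp {tlds[i % 4]}" for i in range(100)]
    spoofed = [f"{net}.{h}" for net in ("203.0.113", "198.51.100", "192.0.2")
               for h in range(256)]
    incident = list(baseline)  # legitimate traffic continues under the flood
    incident += [f"{(i % 100) * 0.1:.3f} {spoofed[i % len(spoofed)]} udp flood-target.example."
                 for i in range(1900)]
    return baseline, incident


def analyze_windows(window_seconds: float = 10.0):
    """Profile and classify the constructed baseline and incident windows."""
    baseline_lines, incident_lines = build_constructed_log()
    base = flood_profile([parse_line(l) for l in baseline_lines], window_seconds)
    inc = flood_profile([parse_line(l) for l in incident_lines], window_seconds)
    return base, inc, classify(base, base["qps"]), classify(inc, base["qps"])


if __name__ == "__main__":
    base, inc, base_label, inc_label = analyze_windows()
    print("baseline:", base, "->", base_label)
    print("incident:", inc, "->", inc_label)
```

Run on the constructed sample, the incident window shows a 20x rate increase, 772 distinct sources with a normalized source entropy close to 1.0, and one name accounting for 95% of queries, which the classifier reports as a single-name flood from widely distributed sources. A reflection attack would look different from the reflector's side: the query name may also repeat, but the sources are concentrated on the victim's address(es), so source entropy is low.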
It remains unclear who was behind the attack; some have speculated that it was a demonstration of a DDoS botnet's capacity for prospective customers.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.