A rare DDoS (distributed denial-of-service) attack has been registered on the Internet’s DNS root servers.
More specifically, four nodes – B, C, G, and H – were affected by slight timeouts. Two separate attacks were carried out by an unknown cyber crime group, as reported by RootOps. The first attack took place on the 30th of November and lasted 160 minutes. A second, shorter attack took place on the 1st of December and lasted only 60 minutes.
The DDoS Attacks Explained
Experts report that the attacks consisted of authentic DNS queries, directed at one domain during the first attack and at another during the second.
The two attacks generated about five million queries per second per DNS root name server. The bad news is that RootOps will most likely be unable to identify the attackers. One reason is that IP source addresses are easily spoofed. Furthermore, the source IP addresses used in these attacks were distributed skillfully and arbitrarily across the IPv4 address space.
This is how the attacks were discovered:
Visibility of this event came about as a result of health monitoring by DNS root name server operators and other monitoring projects around the Internet. Often these are in the form of “strip chart” graphics showing response time variance of a periodic simple query against some set of servers, including DNS root name servers. Such test traffic may not be indicative of what happens to normal traffic or user experience.
The good news is no severe damage was done. The two DDoS attacks mainly led to a delay for some users making DNS queries through their browsers, FTP (File Transfer Protocol), and SSH (Secure Shell).
Due to the interconnected structure of DNS, when one server isn’t responsive, other servers step in and supply a DNS query result.
How to reduce the risk of DDoS attacks?
This is the advice given by RootOps:
Source Address Validation and BCP-38 should be used wherever possible to reduce the ability to abuse networks to transmit spoofed source packets.
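The source address validation rule that BCP-38 describes, shown as an added Python example (not code from RootOps or from this article): an edge network forwards a packet only if its source address falls inside a prefix assigned to the interface it arrived on. The interface names, prefixes, addresses and function names are constructed for illustration and use documentation ranges.

```python
import ipaddress

# Constructed example: prefixes the provider has assigned to each
# customer-facing interface (RFC 5737 documentation ranges, not real ones).
ASSIGNED_PREFIXES = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/25", "203.0.113.0/24"],
}

# Parse once so each packet check is a simple membership test.
_ALLOWED = {
    iface: [ipaddress.ip_network(p) for p in prefixes]
    for iface, prefixes in ASSIGNED_PREFIXES.items()
}


def ingress_permits(iface: str, src: str) -> bool:
    """BCP-38 rule: forward only if src lies in a prefix assigned to iface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source address: drop
    # An unknown interface has no assigned prefixes, so everything is dropped.
    return any(addr in net for net in _ALLOWED.get(iface, []))


def filter_packets(packets):
    """Split (iface, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (forwarded if ingress_permits(iface, src) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample: DNS queries leaving two customer networks toward a
# server at 198.51.100.200 (also a documentation address).
SAMPLE = [
    ("cust-a", "192.0.2.17", "198.51.100.200"),      # legitimate
    ("cust-a", "203.0.113.9", "198.51.100.200"),     # spoofed: cust-b's space
    ("cust-b", "198.51.100.130", "198.51.100.200"),  # spoofed: outside the /25
    ("cust-b", "203.0.113.9", "198.51.100.200"),     # legitimate
    ("cust-a", "10.1.2.3", "198.51.100.200"),        # spoofed: private space
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
```

The same source address is legitimate on one interface and spoofed on another, which is why the check has to run at the network edge where the assignment is known.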