Root DNS Servers Experienced DDoS Attack with 5 Million Queries per Second

A report from Root [DNS] Server Operations or rootops published on December 4th, 2015 stated that the Internet Domain Name System’s root name servers received a high rate of DNS queries over two separate intervals. The incidents occurred on November 30, 2015 and December 1st, 2015. The queries were “well-formed, valid DNS messages for a single domain name”. On November 30th, the attack continued from 6:50 UTC to 9:30 UTC. On December 1st, the root name servers began receiving similar queries for a different domain name and from 5:10 UTC to 6:10 UTC.
The source addresses of these queries were evenly distributed and randomized to make make it difficult for investigators to track down each and every source. Root Server Operations reported that the observed volume of traffic went up to about 5 million queries per second, per root name server letter. Note that root name servers are distributed and distinguished using a standard “lettering” scheme. Currently, there are 13 root name servers specified, with names in the form, where letter ranges from A to M. High amount of traffic resulted in some saturation and affected most but not all of the 13 root name servers.
The report from rootops states:

This event was notable for the fact that source addresses were widely and evenly distributed, while the query name was not. This incident,therefore, is different from typical DNS amplification attacks whereby DNS name servers (including the DNS root name servers) have been used as reflection points to overwhelm some third party. The DNS root name server system functioned as designed, demonstrating overall robustness in the face of large-scale traffic floods observed at numerous DNS root name servers.

Unfortunately, the incident traffic will not be traced back to the sources for two reasons:

  • The IP sources addresses can be easily spoofed.
  • Event traffic that landed in large numbers was evenly distributed between a very large number of source addresses.

Root Server Operations teams suggests that “Source Address Validation and BCP-38 should be used wherever possible to reduce the ability to abuse networks to transmit spoofed source packets.” BCP-38 is a 10 year old proposal defined in RFC2827: Network Ingress Filtering: Defeating Denial of Service Attacks why employ IP Address Spoofing. The idea is very simple to understand and even simpler to implement. Basically, you implement an access control list on your firewall or other network edge devices allowing only your clients to send traffic outside of your network. So, if your local area network uses IP addressing scheme, an ACL will look something like this

permit ip any deny ip any any log