DNS Root Server Internet Attack
Thursday, February 8th, 2007
This was originally posted and written by DNSStuff.com (great site)
Here is a quick post about what happened and why, and, more importantly, what we can do to fix it and keep it from happening again.
DNSstuff RESPONSE IN THE NEWS:
http://www.darkreading.com/document.asp?doc_id=116685&WT.svl=news1_1
WHAT HAPPENED?
The attack was apparently aimed primarily at the true root servers, which are not nearly as frequently used as the .com parent servers. The .com parent servers handle the millions of .com domains. The root servers are still very important — knowing what DNS servers to contact to look up any DNS request — but when they receive a DNS request for a .com domain, they just give the DNS server a list of the .com parent servers, and say "You can use these any time you have a .com DNS query for the next 48 hours."
So a DNS server will normally only connect to the root servers once every 48 hours, whereas it will connect to the .com DNS servers much more frequently (in some cases, many times a second).
This was most likely a coordinated attack using preprogrammed or remotely controlled "bots" installed on unsuspecting users' computers. This software is typically installed via a download or a spam message and then hides on the user's computer, waiting for instructions or for a specific time, and then "attacks". These attacks can be as simple as sending many standard DNS lookups to certain servers. In the case of this attack, the servers targeted were F, G, I and M. If you refer to http://www.root-servers.org/, you can see the IP address information, as well as other data, for these servers. Further, it appears that only G suffered a mentionable impact. An analogy for a distributed denial-of-service (DDoS) attack is 10,000 people trying to call your phone over a period of time. You can only deal with a certain number of calls during that time, and the phone company can only deal with a certain number of calls as well, so many of the callers would get the dreaded "all circuits are busy" message - not because it is Mother's Day, but because some organized activity is taking place.
DID YOU KNOW?
Q: What is it that root name servers do exactly?
A: They are part of the Domain Name System (DNS), a worldwide distributed database that is used to translate worldwide unique domain names such as www.isoc.org to other identifiers. The DNS is an important part of the Internet because it is used by almost all Internet applications.
The root name servers publish the root zone file to other DNS servers and clients on the Internet. The root zone file describes where the authoritative servers for the DNS top-level domains (TLD) are located; in other words: which server one has to ask for names ending in one of 258 (December 2004) TLDs, such as ORG, NET, NL or AU.
For a detailed description of how the DNS works and the role of the root name servers see: http://www.isoc.org/briefings/016/index.shtml
Source: www.isoc.org
WHY DIDN’T YOU FEEL IT?
The chances that you experienced any DNS disruption are unlikely. Since DNS information is cached, most domain name resolution queries would be answerable based on cached information.
Most importantly, there are currently 13 root name servers. Yesterday’s attack involved only a handful of these servers. If one root name server is unable to respond, the system is designed such that the load is distributed among the remaining operational root servers. It is likely that Internet users did not notice any disruption at all.
Additionally, the mention of 13 root servers is a little bit misleading as there are actually 13 root server systems, each of which may be comprised of one or many DNS servers. So while one of the servers within a root system may be degraded others may or may not be. At this level, the DNS system demonstrates a high level of resiliency.
WHAT IS THE POTENTIAL IMPACT OF THIS
The impact of a well-executed attack could be significant. Basically, an extensive, coordinated attack could make it difficult for computers to communicate with each other using domain names. IP addresses would still work, but how many people memorize the IP addresses of their favorite web sites? Not too many. So while an attack was ongoing, users would be unable to reach web sites, and email would not be delivered.
ARE WE IN DANGER OF MORE/BIGGER ATTACKS – ABSOLUTELY!
The root servers are quite well designed and are quite resilient and should be able to withstand most attacks as we have seen over recent years. However, a more significant risk exists to smaller sets of users - what if your domain’s authoritative server was attacked? This is one of the most significant areas of risk on the Internet today. It is not difficult to coordinate and execute an attack on specific DNS servers and render the domains they control effectively inoperative. There are many things which can be done to help mitigate these risks but the majority of domain holders are either unaware or unable to implement the necessary changes.
DO YOUR PART:
There is nothing that most IT administrators can do about cases like this happening at the root server level.
But we need to be prepared in the event of more damaging attacks on DNS at the .com or .org level.
Based on an assumption that DNS client servers would only need to query the root name servers about once every 48 hours, the expected load on all the root servers is much less than it actually is in reality.
This is because there are many misconfigured or broken DNS clients, resulting in many ‘invalid’ (unnecessary) queries being made to the root servers, who must respond regardless. [Source: www.isoc.org]
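To make the two points above concrete (a resolver that honours the 48-hour referral asks the root only once per 48 hours, while a broken client that ignores its cache hammers the root on every lookup), here is an added simulation. It is not DNSstuff's or ISOC's code; the domain names and the 300-second answer TTL are constructed, and the 48-hour referral lifetime is the figure the post gives.

```python
# Added illustration (not DNSstuff's or ISOC's code): one recursive resolver
# looking up names under .com. The root's referral to the .com servers is
# cacheable for 48 hours, so a resolver honouring that TTL asks the root once
# per 48 hours; a broken resolver ignoring the cache asks on every lookup.
from dataclasses import dataclass, field

ROOT_REFERRAL_TTL = 48 * 3600   # seconds; the 48 hours stated in the post
ANSWER_TTL = 300                # assumed TTL of the final A record (constructed)


@dataclass
class QueryCounts:
    root: int = 0           # queries sent to a root server
    tld: int = 0            # queries sent to a .com server
    authoritative: int = 0  # queries sent to the domain's own server


@dataclass
class Resolver:
    honour_referral_ttl: bool = True
    counts: QueryCounts = field(default_factory=QueryCounts)
    referral_expires: float = -1.0                  # when the cached .com referral dies
    answers: dict = field(default_factory=dict)     # name -> expiry of cached answer

    def resolve(self, name: str, now: float) -> None:
        """One lookup at time `now` (seconds); tallies which servers get asked."""
        if self.answers.get(name, -1.0) > now:      # fresh cached answer: no traffic
            return
        # Need the .com delegation: ask the root unless a live referral is cached.
        if not self.honour_referral_ttl or self.referral_expires <= now:
            self.counts.root += 1
            self.referral_expires = now + ROOT_REFERRAL_TTL
        self.counts.tld += 1            # .com server hands out the domain's NS
        self.counts.authoritative += 1  # domain's server returns the answer
        self.answers[name] = now + ANSWER_TTL


def simulate(honour_referral_ttl: bool, hours: int = 96, step: int = 600) -> QueryCounts:
    """Look up two constructed names every `step` seconds for `hours` hours."""
    resolver = Resolver(honour_referral_ttl=honour_referral_ttl)
    for t in range(0, hours * 3600, step):
        for name in ("a.example.com", "b.example.com"):
            resolver.resolve(name, float(t))
    return resolver.counts


if __name__ == "__main__":
    for label, flag in (("caching resolver", True), ("broken resolver", False)):
        c = simulate(flag)
        print(f"{label}: root={c.root} .com={c.tld} authoritative={c.authoritative}")
```

Over four simulated days the caching resolver sends the .com servers the same 1152 queries the broken one does, but only 2 to the root versus 1152; that gap is the "unnecessary" root load the post describes.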
DNSstuff has found in recent survey data that 70% of all DNS servers have one or more misconfigured settings.
You can do your part by being proactive and running a DNSreport (www.dnsstuff.com) to check and resolve any issues with your DNS settings.
In addition, we suggest you monitor your domain with a DNSstuff DNSalert, so you will be notified when there are any changes to your DNS that may require your attention.