Massive DDoS Attacks of Over 1 Million Queries Per Second Threaten Root Servers That Support The Global Internet

Today, we share a blog post from Looking Glass' Director of Product Management, Patrick Lynch, as he discusses distributed denial of service (DDoS) attacks on DNS root servers.
On Nov. 30 and again on Dec. 1, massive DDoS attacks against several Internet-based DNS root servers, with volumes of over 1 million queries per second, threatened the global Internet. There is speculation that the attack was initiated by ISIS (here). Not only is this a risk to the Internet as a whole, but it also impacts the Internet Service Providers (ISPs) that are the unfortunate middle link in the attack and on which the majority of Internet access depends. Although the target was the DNS root servers, the intermediate ISPs were probably more severely impacted by the sudden spike in traffic load, because of the relationship between DNS authoritative and recursive servers. Verisign provided additional information showing why the source IPs were spoofed, and the root servers' users group also published some information. Ars Technica also has a description of the event.
There are a number of actions that are available to an ISP that mitigate both the attacks on the DNS root servers, and on the ISP itself:
  • Ingress filtering by source IP address – Routers can enforce BCP38, which only allows traffic to originate with source IP addresses that are valid for that ISP. This will also prevent source and destination addresses from being the same.
  • If ingress filtering is not practical, a DNS firewall will provide capabilities similar to ingress filtering as well as additional ones such as:
    • Only allow queries from allowed IP ranges
    • Rate limit queries by source IP or destination IP to prevent volumetric attacks
    • Rules that prevent DNS responses (as opposed to queries) from going to the root servers
    • When an upstream DNS server is busy (as in a DDoS attack), automatically return a server unavailable error instead of forwarding the query and adding to the DDoS attack
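The following is an added example, not code from the original post or from Looking Glass, that models the mitigations listed above as a single decision function run over constructed sample packets: BCP38 source checking against the ISP's own prefixes, dropping packets whose source equals their destination, dropping DNS responses addressed to root servers, per-source query rate limiting, and answering SERVFAIL locally while an upstream is overloaded. The ISP prefixes, the "root server" addresses (placeholders from the documentation ranges, not real root IPs), and the packet format are all assumptions made for the example.

```python
import ipaddress
from collections import Counter, defaultdict, deque

# Assumed ISP-owned prefixes (constructed for the example, not a real ISP).
ISP_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
# Placeholder "root server" addresses (documentation range, not real roots).
ROOT_SERVERS = {
    ipaddress.ip_address("192.0.2.10"),
    ipaddress.ip_address("192.0.2.11"),
}


class DnsEdgeFilter:
    """Edge-side DNS traffic policy for an ISP's outbound path (hypothetical)."""

    def __init__(self, prefixes, root_servers, max_qps_per_source=100):
        self.prefixes = prefixes
        self.root_servers = root_servers
        self.max_qps = max_qps_per_source
        # Per-source sliding window of query timestamps (last one second).
        self.window = defaultdict(deque)
        # Set by an external health check when the upstream is overloaded.
        self.upstream_busy = False

    def bcp38_ok(self, src):
        # BCP38: a packet may only leave with a source address we actually own.
        return any(src in prefix for prefix in self.prefixes)

    def decide(self, pkt):
        """pkt: {"src": str, "dst": str, "qr": 0|1, "time": float seconds}."""
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
        now = pkt["time"]
        if not self.bcp38_ok(src):
            return "drop:bcp38-spoofed-source"
        if src == dst:
            return "drop:src-equals-dst"
        # A DNS response (QR=1) has no business being sent to a root server.
        if pkt["qr"] == 1 and dst in self.root_servers:
            return "drop:response-to-root"
        # Volumetric control: at most max_qps queries per source per second.
        recent = self.window[src]
        while recent and now - recent[0] >= 1.0:
            recent.popleft()
        if len(recent) >= self.max_qps:
            return "drop:rate-limit"
        recent.append(now)
        # Shed load locally instead of piling more queries onto a busy upstream.
        if self.upstream_busy:
            return "servfail"
        return "forward"


def run_sample():
    """Run constructed sample traffic through the filter; return decision counts."""
    f = DnsEdgeFilter(ISP_PREFIXES, ROOT_SERVERS, max_qps_per_source=100)
    packets = [
        # Spoofed source outside the ISP's prefixes (constructed).
        {"src": "100.64.0.1", "dst": "192.0.2.10", "qr": 0, "time": 0.0},
        # Source equal to destination.
        {"src": "203.0.113.7", "dst": "203.0.113.7", "qr": 0, "time": 0.0},
        # A DNS response aimed at a root server.
        {"src": "203.0.113.8", "dst": "192.0.2.10", "qr": 1, "time": 0.0},
        # A normal query.
        {"src": "203.0.113.9", "dst": "192.0.2.10", "qr": 0, "time": 0.0},
    ]
    # A burst of 150 queries from one source inside one second.
    packets += [
        {"src": "203.0.113.20", "dst": "192.0.2.11", "qr": 0, "time": i * 0.001}
        for i in range(150)
    ]
    counts = Counter(f.decide(p) for p in packets)
    # Upstream marked busy: the next legitimate query is answered SERVFAIL locally.
    f.upstream_busy = True
    counts[f.decide({"src": "203.0.113.9", "dst": "192.0.2.10", "qr": 0, "time": 0.5})] += 1
    return counts


if __name__ == "__main__":
    for decision, n in sorted(run_sample().items()):
        print(f"{decision:28s} {n}")
```

The rate limiter keys on source address only; the destination-keyed variant mentioned in the list would use the same sliding window with `dst` as the key, which protects a single upstream from an aggregate flood rather than one client from over-querying.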
Securing DNS is challenging given the nature of the protocol and the fact that the DNS ports must be left open to ensure continuous delivery of DNS services to Internet-attached devices.