DNS root servers hit by two large-scale attacks: 5 million queries per second

Source: Internet
Author: User
Tags domain name server anycast


In the early morning of January 1, December 11, Beijing time, multiple root servers of the Domain Name System were attacked twice at the beginning of last week. Each attack lasted an hour or two, during which these root servers received up to 5 million query requests per second.

When a user enters a domain name in a browser, the root server is the final authoritative reference for determining which IP address to return.

The first attack occurred on November 30 and lasted 2 hours and 40 minutes. The second occurred the next day and lasted nearly one hour. Most of the 13 root servers that make up the root zone of the Internet's DNS (Domain Name System) were attacked, but a few were not affected. Both attacks started and ended on their own. They consisted solely of billions of invalid query requests for two undisclosed domain names, one domain name per attack. It is unclear who was behind these attacks or what caused them.

Although the load was large enough to be detected by external systems that monitor the Internet's root servers, the two attacks had almost no impact on billions of Internet end users. This is partly because the root servers come into play only when a large intermediate DNS server fails to provide IP address translation, and partly because the hundreds of servers involved follow a robust design.

"My conclusion is that these events almost never happen to common users," said Randall Vaughn, professor of information systems at Baylor University. "Either they didn't even notice it, or they didn't expect the root server to be under attack."

Although they had almost no impact on end users, these attacks should not be underestimated, because sending 5 million queries per second to most of the root servers for an hour or more requires an enormous amount of computing power and bandwidth. Keith Mitchell, president of the Domain Name System Operations Analysis and Research Center, said that a query volume this large can amount to up to 250 times a root server's normal load. He pointed out that the normal rate is between 20 thousand and 50 thousand queries per second.

Even more worrying is that the root servers received the junk queries over IP anycast, the routing method used when the same public IP address is assigned to servers in multiple scattered regions. The two attacks hit anycast root servers, which means that the attack traffic came from a huge pool of resources that was itself geographically dispersed, rather than from only a few locations.

"These attack events are worth noting because the source addresses are widely and evenly distributed, while domain names are not queried," according to an announcement released last Friday. "Therefore, these events are not common DNS amplification attacks because DNS domain servers (including DNS Root Domain servers) are used as reflection points to attack third parties."

The most plausible explanation for the attacks is a large "botnet" made up of a great number of infected computers or other networked devices. That would explain how the attacks were carried out, but not why. The attacks have also renewed calls for networks to implement BCP 38, an Internet Engineering Task Force (IETF) standard for countering IP address spoofing. Many networks have implemented it, but some have not, which makes attacks like these possible. (Tang Feng)
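The traffic pattern reported above (a query rate far above the normal baseline, a single query name per attack, and source addresses spread widely and evenly) can be tested per time window on a DNS server's query log. The Python code below is an added example, not code from the article or from any root server operator; the function names, the three thresholds and the sample data are assumptions made for illustration.

```python
import math
from collections import Counter

def evenness(counts):
    """Normalised Shannon entropy in [0, 1]; 1.0 means a perfectly even spread."""
    total, n = sum(counts.values()), len(counts)
    if n < 2:
        return 0.0
    h = -sum(c / total * math.log2(c / total) for c in counts.values())
    return h / math.log2(n)

def analyse_window(queries, window_s, baseline_qps,
                   rate_factor=10, name_share=0.9, src_evenness=0.9):
    """queries: (source_ip, qname) pairs seen in one window of window_s seconds.
    The three thresholds are illustrative assumptions, not published values."""
    if not queries:
        return {"flood_suspected": False}
    names = Counter(q for _, q in queries)
    sources = Counter(s for s, _ in queries)
    top_name, top_count = names.most_common(1)[0]
    result = {
        "rate_ratio": len(queries) / window_s / baseline_qps,
        "top_name": top_name,
        "top_name_share": top_count / len(queries),
        "source_evenness": evenness(sources),
        "distinct_sources": len(sources),
    }
    # Flag only when all three traits coincide: rate spike, one dominant
    # query name, and no small set of sources accounting for the load.
    result["flood_suspected"] = (
        result["rate_ratio"] >= rate_factor
        and result["top_name_share"] >= name_share
        and result["source_evenness"] >= src_evenness
    )
    return result

# Constructed sample data; names and addresses are made up for illustration.
def normal_window():
    # 40 queries in one second from 4 resolvers, spread over 10 names.
    return [(f"192.0.2.{i % 4 + 1}", f"tld{i % 10}.") for i in range(40)]

def flood_window():
    # 2,000 extra queries, one per source address, all for the same name.
    flood = [(f"10.{i // 250}.{i % 250}.7", "name-a.example.") for i in range(2000)]
    return flood + normal_window()

if __name__ == "__main__":
    for label, window in (("normal", normal_window()), ("flood", flood_window())):
        print(label, analyse_window(window, window_s=1, baseline_qps=40))
```

A high-rate burst for one name from a single address gives a source evenness of 0 and is not flagged, which separates a misbehaving resolver from the distributed pattern the article describes.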
